MQSeries.net Forum Index » IBM MQ Security » Disable the Administrator group

Disable the Administrator group (page 2 of 2)
Vitor
Posted: Fri Jun 18, 2010 12:18 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Api123 wrote:
Vitor wrote:
Api123 wrote:
This is unbelievable?


What is unbelievable is that you've not set MCAUser on the channel.

Vitor. Did you really read my last post?


Yes - you clearly said

Quote:
in the absence of security exists, MCAuser


from which I inferred both were absent. What did you actually mean?

Because if you've left MCAUser blank (i.e. the default setting) then yes, it's perfectly possible for someone to access the queue manager and alter objects. This is why leaving it blank is unbelievable and hence my comment.
_________________
Honesty is the best policy.
Insanity is the best defence.
Api123
Posted: Fri Jun 18, 2010 12:54 pm

Apprentice

Joined: 26 May 2010
Posts: 31

Vitor wrote:
Api123 wrote:
Vitor wrote:
Api123 wrote:
This is unbelievable?


What is unbelievable is that you've not set MCAUser on the channel.

Vitor. Did you really read my last post?


Yes - you clearly said

Quote:
in the absence of security exists, MCAuser


from which I inferred both were absent. What did you actually mean?

Because if you've left MCAUser blank (i.e. the default setting) then yes, it's perfectly possible for someone to access the queue manager and alter objects. This is why leaving it blank is unbelievable and hence my comment.


What I was saying: in the absence of security exits (I'm not discussing security exits here, which are an add-on to the product), MCAUSER (a user with no password). Anyone can use Administrator as a user and access almost all objects. I know I can use OAM to configure groups/users and restrict what they can do, but what can OAM really do to minimize the Administrator's predefined privileges on MQ objects? And if OAM can do nothing to restrict the Administrator authority, what is it really good for?
Vitor
Posted: Fri Jun 18, 2010 12:56 pm

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Api123 wrote:
What I was saying: in the absence of security exits (I'm not discussing security exits here, which are an add-on to the product), MCAUSER (a user with no password).


No, I'm still not getting your point here. Security exits are an add-on, but that fact (and it is a fact) doesn't seem relevant to this discussion.

Api123 wrote:
Any one can use administrator as a user and access almost all objects.


Not if MCAUser is correctly set i.e. not blank.

Api123 wrote:
if OAM can do nothing to restrict the Administrator authority. What's it really good for?


OAM doesn't control the administrator authority. It controls non-administrative access; without it no non-mqm (administrative) user has any access.
_________________
Honesty is the best policy.
Insanity is the best defence.
Api123
Posted: Fri Jun 18, 2010 1:29 pm

Apprentice

Joined: 26 May 2010
Posts: 31

What I'm learning is: with no MCAUSER (enough has been said about MCAUSER on this forum, good and bad), the strange design of allowing a user to log in just because the user name is Administrator (or any user who is a member of the Administrators group), with no password, is alarming. For OAM to make sense, I would expect only the mqm group to administer the objects, no other groups, or the ability to disable the Administrators group's access. You can search; there are so many products that are built around this concept. Thanks all for your valuable comments.
fjb_saper
Posted: Fri Jun 18, 2010 1:51 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Api123 wrote:
What I'm learning is: with no MCAUSER (enough has been said about MCAUSER on this forum, good and bad), the strange design of allowing a user to log in just because the user name is Administrator (or any user who is a member of the Administrators group), with no password, is alarming. For OAM to make sense, I would expect only the mqm group to administer the objects, no other groups, or the ability to disable the Administrators group's access. You can search; there are so many products that are built around this concept. Thanks all for your valuable comments.

I don't quite get you. Being a member of the Administrator group is not sufficient to have MQ administrator access. Proof is that we have root locked out of the qmgrs...
Of course that does not prevent any administrator from impersonating any other user, like one of the mqm group, and as such obtaining MQ admin privileges...

At this point the question comes down to:
DO YOU TRUST YOUR ADMINS?
If you don't there is no middle ground...
_________________
MQ & Broker admin
mqjeff
Posted: Fri Jun 18, 2010 4:34 pm

Grand Master

Joined: 25 Jun 2008
Posts: 17447

fjb_saper wrote:
Being member of the Administrator group is not sufficient to have mq administrator access.


Well, but it is if you've done nothing otherwise to secure the queue manager, like setting up an MCAUSER on *all* of the channels.

Every member of the Administrators group on Windows is automatically a member of the mqm group. So if you've done nothing to scope your channels and secure your channels (i.e., if MCAUSER is still blank), then any user in Administrators, or any user that has the same username as a member of Administrators, can administer the queue manager fully from any desktop.

At least, any desktop that is allowed by the network firewall to actually establish a network connection to the production network.

Which should be a *very* small set.
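The thread's practical point (Vitor's "set MCAUSER on the channel", mqjeff's "on *all* of the channels", and the OAM grants for whatever id the channel is pinned to) can be turned into a repeatable check. The following script is an added example, not code from the original posts or from IBM MQ: it parses the output of the runmqsc command `DIS CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER` (a constructed sample is embedded, with made-up channel names), flags every SVRCONN channel whose MCAUSER is blank, and emits the ALTER CHANNEL and setmqaut commands an administrator would then run. The low-privilege id `mqclient`, the queue manager name `QM1` and the queue names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of runmqsc output for DIS CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER.
# Channel names and MCAUSER values are made up; blank MCAUSER shows as "MCAUSER( )".
SAMPLE_DIS_CHANNEL = """\
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414I: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414I: Display Channel details.
   CHANNEL(APP1.SVRCONN)                   CHLTYPE(SVRCONN)
   MCAUSER(mqapp1)
AMQ8414I: Display Channel details.
   CHANNEL(TO.OTHERQM)                     CHLTYPE(SDR)
   MCAUSER( )
"""

# Attributes in runmqsc output are NAME(value) pairs; values may contain spaces.
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")


@dataclass
class Channel:
    name: str
    chltype: str
    mcauser: str


def parse_dis_channel(text: str) -> list[Channel]:
    """Parse DIS CHANNEL output into Channel records.

    Each record begins with an AMQ8414I line; its attributes may span several lines,
    so we split on the message id and collect all NAME(value) pairs per record."""
    channels = []
    for block in text.split("AMQ8414I")[1:]:
        attrs = {k: v.strip() for k, v in ATTR_RE.findall(block)}
        if "CHANNEL" in attrs:
            channels.append(Channel(attrs["CHANNEL"],
                                    attrs.get("CHLTYPE", ""),
                                    attrs.get("MCAUSER", "")))
    return channels


def exposed_svrconn_channels(channels: list[Channel]) -> list[Channel]:
    """SVRCONN channels with a blank MCAUSER.

    Over such a channel a client runs with whatever user id it asserts (for example
    'Administrator', which on Windows is automatically in mqm), unless an exit
    intervenes. Sender-type channels are ignored: the finding is about client access."""
    return [c for c in channels if c.chltype == "SVRCONN" and c.mcauser == ""]


def remediation_mqsc(channels: list[Channel], low_priv_id: str = "mqclient") -> list[str]:
    """ALTER CHANNEL commands pinning each exposed SVRCONN to a fixed low-privilege id.

    low_priv_id is an assumed placeholder. It must not be a member of mqm, nor (on
    Windows) of the local Administrators group, or the pin achieves nothing."""
    return [f"ALTER CHANNEL({c.name}) CHLTYPE(SVRCONN) MCAUSER('{low_priv_id}')"
            for c in exposed_svrconn_channels(channels)]


def oam_setmqaut(qmgr: str, low_priv_id: str, queues: list[str]) -> list[str]:
    """setmqaut commands granting the pinned id only what an application needs:
    connect/inquire on the queue manager and put/get/inquire on named queues.

    -p grants to a principal (the usual form on Windows); on UNIX the grant would
    normally go to a group with -g instead. Both are assumptions about the target."""
    cmds = [f"setmqaut -m {qmgr} -t qmgr -p {low_priv_id} +connect +inq"]
    cmds += [f"setmqaut -m {qmgr} -t queue -n {q} -p {low_priv_id} +put +get +inq"
             for q in queues]
    return cmds


if __name__ == "__main__":
    chans = parse_dis_channel(SAMPLE_DIS_CHANNEL)
    for c in exposed_svrconn_channels(chans):
        print(f"EXPOSED: {c.name} (CHLTYPE {c.chltype}) has a blank MCAUSER")
    print("\n".join(remediation_mqsc(chans)))
    print("\n".join(oam_setmqaut("QM1", "mqclient", ["APP1.REQUEST", "APP1.REPLY"])))
```

To run it against a real queue manager, capture the output of `echo "DIS CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER" | runmqsc QM1` into a file and pass its contents to `parse_dis_channel` instead of the constructed sample. Note the limits the thread itself points out: pinning MCAUSER does nothing for bindings-mode connections from users on the box, and a blank MCAUSER on SYSTEM.ADMIN.SVRCONN is exactly the case the original poster was describing.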
fjb_saper
Posted: Fri Jun 18, 2010 7:37 pm

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

Oops... I was not getting the fact that he was not setting the MCAUSER. It is a well-known fact that you can access the qmgr with the privileges accorded to the user running the MQListener if you do not set the MCAUSER...

Well, if he really needs to lock it down, I guess he will have to use a channel table, SSL and the MCAUSER...
_________________
MQ & Broker admin
VJ
Posted: Wed Nov 24, 2010 11:58 pm

Newbie

Joined: 24 Nov 2010
Posts: 5

Hey Api,

This is a property of Windows. If you are an administrator you can do whatever you want in that system and with the products installed in that system.
Coming to your point, if you send a message using the Administrator user id (even without a password), no matter what, yes, MQ is taking it (provided you do not set any MCAUSER).

My question is, can an X or Y log in as Administrator or create an administrator user id in your system? If that's the case, there is a big problem with your environment itself.

Just like the mqm group, the Windows local Administrators group also has all the access to MQ. There are ways to restrict this, as mentioned in this forum, through MCAUSER, a channel exit or whatever.

Everything is working as designed, including OAM. I don't know what you are expecting...
fjb_saper
Posted: Thu Nov 25, 2010 5:33 am

Grand High Poobah

Joined: 18 Nov 2003
Posts: 20696
Location: LI,NY

fjb_saper wrote:
Well, if he really needs to lock it down, I guess he will have to use a channel table, SSL and the MCAUSER...


Of course this will not lock down someone doing a bindings connection. But then you have to trust the admins of the box.
_________________
MQ & Broker admin
bruce2359
Posted: Thu Nov 25, 2010 7:40 am

Poobah

Joined: 05 Jan 2008
Posts: 9394
Location: US: west coast, almost. Otherwise, enroute.

The OP is from June 2010.
_________________
I like deadlines. I like to wave as they pass by.
ב''ה
Lex Orandi, Lex Credendi, Lex Vivendi. As we Worship, So we Believe, So we Live.