PWM Security


Алексей Вовк

Dec 11, 2012, 8:39:09 AM12/11/12
to pwm-g...@googlegroups.com
We're going to use PWM for students' self-service password reset. But we use a single Active Directory for student accounts and staff accounts.
So I really worry about their security.
Is the PWM software secure?
Is there any chance that an intruder can hack it and get access to reset employees' passwords?
How can I check it?

Many thanks, Alex

Joshua Ellsworth

Dec 11, 2012, 8:44:12 AM12/11/12
to pwm-g...@googlegroups.com
No software is 100% secure. In my opinion PWM is very secure and I have never seen any obvious vulnerabilities in a well-configured system. It is much better than my company's old method of changing and resetting passwords.

Be sure that the host server is hardened, that the AD server is secured, and that the config manager is turned off and you should be good to go.

As always, give it a try and see if you are happy with the product.

Jason is doing a great job managing this project.


--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To post to this group, send email to pwm-g...@googlegroups.com.
To unsubscribe from this group, send email to pwm-general...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/pwm-general/-/iAN1TI4HizUJ.
For more options, visit https://groups.google.com/groups/opt_out.

Алексей Вовк

Dec 11, 2012, 8:49:10 AM12/11/12
to pwm-g...@googlegroups.com
How can I check it?
Especially the security of the encryption method for the domain admin's account stored on the PWM server.

Menno Pieters

Dec 11, 2012, 9:24:11 AM12/11/12
to pwm-g...@googlegroups.com
On Tue, Dec 11, 2012 at 2:49 PM, Алексей Вовк <avo...@gmail.com> wrote:
> How can I check it?
> Especially the security of the encryption method for the domain admin's account stored on the PWM server.

If possible, you should NOT store the domain admin's password in PWM. PWM does not need it. PWM only needs a proxy account with some permissions (see documentation, depends on the functions you use) on the user tree of your AD; not to your entire directory!!! Create a dedicated account with a long, non-guessable password for the proxy account. It should be able to reset/set passwords, read user data and perhaps update some attributes required for PWM to work.

To answer your question about password storage: a two-way encryption method is used. The password can be decrypted by PWM, but is not human readable. Make sure your server is sufficiently protected and users cannot access the configuration from outside. When in production, reduce log levels to "error" or "warn" to prevent unnecessary account information from being stored in log files.

Regards,

Menno

Алексей Вовк

Dec 12, 2012, 5:06:28 AM12/12/12
to pwm-g...@googlegroups.com
"Two-way encryption method": what does it mean?

Menno Pieters

Dec 12, 2012, 5:09:33 AM12/12/12
to pwm-g...@googlegroups.com
On Wed, Dec 12, 2012 at 11:06 AM, Алексей Вовк <avo...@gmail.com> wrote:
> "Two-way encryption method": what does it mean?

It means that it can be decrypted. One way, also known as hashing, cannot be decrypted.

Regards,

Menno

Алексей Вовк

Dec 12, 2012, 8:49:05 AM12/12/12
to pwm-g...@googlegroups.com
Could you please tell: can it be decrypted by hacking (brute force, rainbow table)?
Are there any vulnerabilities in PWM (or maybe backdoors)?

Jason Rivard

Dec 12, 2012, 8:51:48 AM12/12/12
to pwm-general
All software is potentially "hackable". Luckily for you, the entire source of the project is available for inspection, and you will need to make your own determination as to its applicability to your organization. This is no different from any other open-source piece of software you might use.


On Wed, Dec 12, 2012 at 8:49 AM, Алексей Вовк <avo...@gmail.com> wrote:
> Could you please tell: can it be decrypted by hacking (brute force, rainbow table)?
> Are there any vulnerabilities in PWM (or maybe backdoors)?


Menno Pieters

Dec 12, 2012, 8:59:10 AM12/12/12
to pwm-g...@googlegroups.com
On Wed, Dec 12, 2012 at 2:49 PM, Алексей Вовк <avo...@gmail.com> wrote:
> Could you please tell: can it be decrypted by hacking (brute force, rainbow table)?

Probably yes, but the easiest way would be to have PWM do it. Make sure no unauthorized persons can access your files, make sure you don't use any more privileges than absolutely necessary and you should be fine.

> Are there any vulnerabilities in PWM (or maybe backdoors)?

As mentioned before in this thread, no software is flawless, but there are no issues that I know of at the moment.

- Menno
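Menno's two replies above make a single point that is easy to miss: a proxy password stored with "two-way encryption" must be recoverable by PWM, so anyone who obtains the configuration file together with the key material the server holds recovers it the same way PWM does, with no brute force or rainbow table involved; a "one-way" hash, by contrast, can only confirm a guess. The script below is an added illustration of that distinction, not code from PWM or from anyone in this thread. The HMAC-SHA256 stream construction, PBKDF2 parameters and all sample values are assumptions chosen for the demonstration; the thread does not name PWM's actual algorithm.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values for the demonstration (not real credentials).
PROXY_PASSWORD = b"example-proxy-account-secret"  # PWM must RECOVER this to bind to AD
USER_PASSWORD = b"student-chosen-password"          # a login check only needs to VERIFY this

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the one-way example


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` pseudo-random bytes, counter-mode style."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_reversible(key: bytes, plaintext: bytes) -> bytes:
    """Two-way storage: returns nonce || ciphertext || tag (encrypt-then-MAC).

    Illustrative construction only, not PWM's algorithm. Whoever holds `key`
    can reverse it exactly as the application does.
    """
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_reversible(key: bytes, blob: bytes) -> bytes:
    """Reverse encrypt_reversible; raises ValueError on a wrong key or tampering."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    """True if `key` recovers the blob intact; False on tag failure."""
    try:
        decrypt_reversible(key, blob)
        return True
    except ValueError:
        return False


def hash_one_way(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """One-way storage: salt || PBKDF2-HMAC-SHA256 digest. Nothing hands the password back."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_one_way(password: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Store both secrets and report what each form hands back to whoever holds it."""
    config_key = os.urandom(32)  # the server must keep this next to its config to function
    stored_proxy = encrypt_reversible(config_key, PROXY_PASSWORD)
    stored_user = hash_one_way(USER_PASSWORD)
    return {
        "proxy_not_cleartext_on_disk": PROXY_PASSWORD not in stored_proxy,
        "proxy_recovered_with_server_key": decrypt_reversible(config_key, stored_proxy) == PROXY_PASSWORD,
        "proxy_opaque_without_key": not can_decrypt(os.urandom(32), stored_proxy),
        "user_hash_verifies_right_password": verify_one_way(USER_PASSWORD, stored_user),
        "user_hash_rejects_wrong_password": not verify_one_way(b"guess", stored_user),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Every entry `demo()` returns is `True`. The practical consequence for Alex's question is the one Menno gives: the strength of the cipher is not what protects the proxy credential, file permissions on the configuration and key material are, which is also why a least-privilege proxy account rather than a domain admin limits what a disclosure of that file would yield.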
