
ADP payroll in-security


Roger Marquis

May 10, 2002, 5:02:30 PM

I'm looking for people with experience using a particular ADP
payroll software package. This software runs under MS Windows and
connects to ADP's servers over the Internet. ADP support has been
unable to provide the information necessary to do a risk analysis.
These are the only details I've been able to gather after almost
two weeks and over a dozen calls:

1) ADP asks clients to open their firewall ports 80, 443, 6847,
6848, 6849, and 5282, bi-directionally.

The client computer, normally a Windows PC, becomes a server when
ADP's payroll software is installed and will accept connections from
any IP addresses.

2) ADP does not normally provide a remote server IP address.
Clients who insist are given a remote address for their firewall
ACL but apparently most people don't ask and open their networks
to connections from anywhere, internal or on the Internet.

The Internet source address ADP finally provided is within their
class B subnet (ARIN:ADP-ESNET).

3) ADP does not normally disclose the transport layer protocol.
Clients who insist are told that TCP is the only protocol that
needs to be enabled for bidirectional communication across their
firewall.

4) ADP does not disclose what authentication, if any, is performed by
the client PC or remote host connecting to it.

5) ADP claims that 128 bit encryption is used but does not disclose the
cryptographic algorithm or whether encryption is used on all 6 TCP
ports.

6) ADP does not disclose what these 6 TCP ports are used for other than
downloading data from and uploading software to the client PC.
Upload and download operations can be initiated at either the client
or server.

ADP does not disclose what software is downloaded to the client PC
or whether clients must interactively authorize software or data
transfers.

ADP requests that these ports are left open 24 hours a day 7 days a
week.

ADP would provide no white paper, acceptable use policy, or any
other technical or security information on this software other
than:

A) the tcp ports which must be opened at the firewall,
B) a remote server IP address,
C) that it uses 128 bit encryption,
D) that it both uploads and downloads software and data, and
E) that connections can be initiated by either client or server.

7) ADP's PC support group, which answers technical questions, does not
accept phone calls directly and is not able to initiate calls or
send or receive email from clients. They can only be contacted by
phone calls initiated by the ADP client representative.

These client representatives also do not accept phone calls.
Clients must leave voicemail and be at their phone when the
representative calls back.

After the caller has been authorized, left voicemail(s), and
been at their phone when the representative calls back, ADP's
PC support group can be conferenced-in to answer technical
questions.

Each of these requirements is unusual for an Internet-based
client-server software package. When considered together they
raise a very large red warning flag. Security by obscurity is not
normally taken to such extremes, especially by an Internet Financial
Service Provider. No Corporate Security Officer or Network Security
Consultant would normally allow an outside company to setup a server
inside their client's network without complete disclosure and
guarantees regarding what that internal server will be used for.
Clients have no way of assuring that ADP's software will not be a
source of viruses, trojans, or abused as a base for economic
espionage or other local network probes.

Any additional information regarding this Windows software would
be greatly appreciated.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

AndyBH

May 13, 2002, 11:35:41 AM

"Roger Marquis" <not-fo...@roble.com> wrote in message
news:abhch6$31fj$1...@news.mainstreet.net...

> Each of these requirements is unusual for an Internet-based
> client-server software package. When considered together they
> raise a very large red warning flag.

Seems to me you have a number of choices :-

Limit the open ports to one isolated PC in your DMZ.
Use different software that has a dialup connection to ADP.
Choose a different payroll company.

For starters?
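The thread leaves the customer with two concrete controls: Marquis's points 1 to 3 (six TCP ports, a single vendor source address once you insist on one, TCP only) and AndyBH's suggestion to confine those ports to one isolated PC. The following is an added example, not code from the original posts or from ADP, showing how a network team could check its own firewall connection log against exactly those constraints. Everything specific in it is an assumption: the log format ("proto src dst dport", one record per line), 192.0.2.0/24 (RFC 5737 TEST-NET-1) standing in for the vendor's netblock, 10.0.0.0/8 as the internal network, and 10.1.5.20 as the one PC allowed to run the payroll client. The sample log lines are constructed.

```python
"""Audit firewall connection records against a vendor's "open these ports" request.

Added example for the thread above; not code from the original posts or from ADP.
Assumptions (hypothetical): log lines are "proto src dst dport"; the vendor's
netblock is 192.0.2.0/24 (RFC 5737 TEST-NET-1, used so this runs offline);
the internal network is 10.0.0.0/8; the only PC permitted to run the payroll
client is 10.1.5.20.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports the vendor asked the customer to open bi-directionally (from the thread).
VENDOR_PORTS = {80, 443, 6847, 6848, 6849, 5282}
# 80/443 are ordinary web ports; outbound use of them is too noisy to flag.
VENDOR_SPECIFIC_PORTS = VENDOR_PORTS - {80, 443}

# Hypothetical values: TEST-NET-1 stands in for the vendor netblock, and a
# private address for the one isolated PC that may run the client software.
VENDOR_NETBLOCK = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PAYROLL_HOST = ipaddress.ip_address("10.1.5.20")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def parse_record(line):
    """Parse 'proto src dst dport'; return None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    proto, src, dst, dport = parts
    try:
        return proto.lower(), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None


def direction(src, dst):
    """Classify a flow relative to the internal network."""
    src_in, dst_in = src in INTERNAL_NET, dst in INTERNAL_NET
    if src_in and dst_in:
        return "lateral"
    if dst_in:
        return "inbound"
    if src_in:
        return "outbound"
    return "transit"


def check_record(raw):
    """Return a reason string if the record violates the policy, else None."""
    rec = parse_record(raw)
    if rec is None:
        return "unparseable log line"
    proto, src, dst, dport = rec
    flow = direction(src, dst)

    if flow == "lateral":
        # The thread's worry: a vendor-controlled PC used as a base for probing
        # the local network. Anything it initiates internally deserves a look.
        if src == PAYROLL_HOST:
            return "payroll PC initiating connection to internal host"
        return None

    if flow == "inbound" and dport in VENDOR_PORTS:
        if proto != "tcp":
            return f"non-TCP traffic on vendor port {dport}"
        if dst != PAYROLL_HOST:
            return "vendor port reachable on a host other than the payroll PC"
        if src not in VENDOR_NETBLOCK:
            return "inbound from outside the vendor netblock"
        return None

    if flow == "outbound" and src == PAYROLL_HOST:
        if dport in VENDOR_SPECIFIC_PORTS and dst not in VENDOR_NETBLOCK:
            return f"payroll PC contacting non-vendor host on vendor port {dport}"
    return None


def audit(lines):
    """Run check_record over a log and collect the violations, in log order."""
    return [Finding(raw, r) for raw in lines if (r := check_record(raw)) is not None]


def summarize(findings):
    """Count findings per reason, for a quick report."""
    return Counter(f.reason for f in findings)


# Constructed sample log: three permitted flows, five policy violations, one junk line.
SAMPLE_LOG = [
    "tcp 192.0.2.15 10.1.5.20 6847",   # vendor -> payroll PC: permitted
    "tcp 198.51.100.7 10.1.5.20 6848", # unknown Internet host -> payroll PC
    "tcp 192.0.2.15 10.1.5.21 6849",   # vendor port reachable on the wrong host
    "udp 192.0.2.15 10.1.5.20 5282",   # vendor said TCP only
    "tcp 10.1.5.20 10.1.7.9 445",      # payroll PC reaching an internal file server
    "tcp 10.1.5.20 192.0.2.15 5282",   # payroll PC -> vendor: permitted
    "tcp 10.1.5.20 203.0.113.4 6847",  # payroll PC -> unknown host on a vendor port
    "tcp 10.1.5.20 203.0.113.4 443",   # ordinary HTTPS, not flagged
    "garbage line",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.reason:58} {f.line}")
```

The policy is deliberately stricter than the vendor's request: it treats the six ports as reachable on one host only, from one netblock only, over TCP only, and it flags any connection the payroll PC opens to the rest of the LAN, since the thread gives no basis for trusting what that PC will do once the vendor can push software to it.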
