Hi All,
In this post, I am going to take you through an audit of your current PeopleSoft applications for security loopholes.
Check the following points and please post how many of them your application conforms to:
1) The user that boots the application server and the batch server should not have access to do anything else in the application.
2) Apart from the user that boots the two servers, nobody should have the privilege to start the app or batch server. Otherwise miscreants can run their own app server against your database, which is a major security threat!
3) Have you enabled change control? Did you remove supervisor access from all other users so they cannot turn change control on or off? Otherwise you may enable change control and someone else simply disables it!
4) Did you apply security to the objects accessed from Application Designer? Do you use definition groups to maintain object security? When a new object is added to the database, by default it is not added to any definition group and every user gets update access to it. Did you take care of this?
5) Did you revoke access so that end users cannot add, modify or delete any permission list, role or user profile? If not, every other security measure you take is at major risk!
6) Did you generate a new key for your PSCipher utility and protect it? If not, anyone can use the decrypt method in the PSCipher class to decrypt your web profile and Integration Broker passwords!
7) Did you hide the application server address, database name and other sensitive information that is shown when someone presses Ctrl+J in PIA? No? You can hide that information while still letting users see the component name, page name and so on.
8) Did you remove the users delivered with any PeopleSoft application? I have seen miscreants using those IDs to get unauthorized access to the applications.
9) Are your connect ID password and user ID password encrypted in the configuration files?
10) Do you have enough security at the database level? I have seen people copy the encrypted password from the PSOPRDEFN table to a text file, change the user's password, perform some transactions, then restore the password as it was and set the last-updated user ID back as before!
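As an added example for point 9 (my own script, not part of the original post or of PeopleSoft), here is a small Python audit that reads the [Startup] section of a psappsrv.cfg-style file and reports every password setting that is still in clear text. The sample configuration is constructed, and the assumption that PSCipher output can be recognised by a leading version tag such as {V2.1} is mine.

```python
import re

# Constructed sample of an app server configuration in the style of psappsrv.cfg.
# UserPswd is left in clear text on purpose; ConnectPswd carries a made-up
# PSCipher-style ciphertext so the two cases can be told apart.
SAMPLE_CFG = """\
; PeopleSoft application server settings (constructed sample)
[Startup]
DBName=HRDEV
DBType=ORACLE
UserId=PS
UserPswd=PS
ConnectId=people
ConnectPswd={V2.1}c2FtcGxlLWNpcGhlcnRleHQ=
ServerName=
"""

# Assumption: a PSCipher-encrypted value starts with a version tag like {V1.1} or {V2.1}
# followed by the ciphertext, with no whitespace inside the value.
PSCIPHER_TAG = re.compile(r"^\{V\d+\.\d+\}\S+$")

# Any setting whose key ends in "Pswd" is treated as a password setting.
PSWD_KEY = re.compile(r"^\s*([A-Za-z]*Pswd)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def audit_passwords(cfg_text):
    """Return (key, status) pairs for every password setting in the file.

    status is 'encrypted' (PSCipher tag present), 'cleartext' or 'empty'.
    """
    findings = []
    for line in cfg_text.splitlines():
        if line.lstrip().startswith(";"):   # ';' starts a comment line in these files
            continue
        match = PSWD_KEY.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2)
        if not value:
            status = "empty"
        elif PSCIPHER_TAG.match(value):
            status = "encrypted"
        else:
            status = "cleartext"
        findings.append((key, status))
    return findings


def cleartext_keys(cfg_text):
    """Only the settings an auditor has to act on: passwords stored unencrypted."""
    return [key for key, status in audit_passwords(cfg_text) if status == "cleartext"]
```

Running `cleartext_keys(open("psappsrv.cfg").read())` on a real file lists the settings that still need to be run through PSCipher.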
Stay tuned for more info...