One of the biggest problems that I saw with DNP and WSP still seems to persist in this version; that is the fact that the server site runs as an administrative user. This allows a compromised site running ASP or .NET to be able to extract the credentials for this account from the MetaBase.
To make matters worse, if the server is on a domain then they can use tools like Mimikatz to capture domain level credentials and spread filth across your entire Windows domain. I would really like to see the sites use non-admin credentials and then talk to a backend service that has the admin access. This would greatly reduce the risk associated with using this product.
Additionally, this product should handle filesystem permissions like Plesk does; that is lockdown filesystem access for the SCP_IUSRS group so that the group has no access to anything they do not need, and there should be a system in place where you can tell SCP what custom permissions it should set for this group on third party objects that SCP doesn’t just know about.
The lack of these two things is preventing us from deploying this product.
Running it as administrator user can be done in 2 ways (at least for domain based systems):
- You can assign it administrator member groups in the application pool (I'm assuming this is what you do not want)
- You can fill in administrator account in the Active Directory Settings section when you set it to "secure"
However it does need higher system level access in order to create the resources for you. So one way or another the SolidCP Server module requires administrator level access.
It also only needs this for the SolidCP Server module, no other website needs (or gets) this kind of access. So when a site is breached they should never be able to climb up the ladder and find out your administrator access (assuming the server is hardened properly).
To your second point:
WebsitePanel more or less assumed that the system administrator locks down their own system (so removing the Users group from C:, adding deny rights to system32 folders, etc.)
However, Marc has been working hard on automating the deployment, configuration, and hardening for you with his configuration script available here:
This will automate most of the hardening aspects at this point (it does not yet do SSL optimization though).
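The reply above says that only the SolidCP Server module's site should run with administrator-level access and that no other site should get it. One way to check that on a web server is to list every IIS application pool identity and flag those that are LocalSystem or members of the local Administrators group. The following is an added example written for this page, not code from the thread or from the SolidCP project; it assumes Windows with IIS, the WebAdministration module, and a PowerShell version that provides Get-LocalGroupMember, and it has to be run elevated. The SolidCP pool name is not assumed; review the flagged list against what you expect.

```powershell
# Added audit example (not from the thread or SolidCP): report IIS application
# pools that run with administrative privilege.
# Assumptions: IIS + WebAdministration module present, Get-LocalGroupMember
# available (Windows 10 / Server 2016 and later), run from an elevated shell.
Import-Module WebAdministration

# Members of the local Administrators group, as "DOMAIN\name" or "MACHINE\name".
$adminMembers = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToLowerInvariant() }

function Test-AdminIdentity {
    param([string]$IdentityType, [string]$UserName)
    # LocalSystem is effectively SYSTEM-level regardless of group membership.
    if ($IdentityType -eq 'LocalSystem') { return $true }
    if ([string]::IsNullOrEmpty($UserName)) { return $false }
    $name = $UserName.ToLowerInvariant()
    foreach ($member in $adminMembers) {
        # Exact match, or match on the account name alone so that "user" and
        # "DOMAIN\user" compare equal. Deliberately coarse: an audit should
        # prefer a false positive over missing an admin-level pool.
        if ($member -eq $name -or
            $member.Split('\')[-1] -eq $name.Split('\')[-1]) { return $true }
    }
    return $false
}

$report = foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $identityType = "$($pool.processModel.identityType)"
    $userName     = $pool.processModel.userName
    [pscustomobject]@{
        AppPool      = $pool.Name
        IdentityType = $identityType
        UserName     = $userName
        IsAdmin      = Test-AdminIdentity -IdentityType $identityType -UserName $userName
    }
}

$report | Format-Table -AutoSize

$flagged = @($report | Where-Object IsAdmin)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} application pool(s) run with administrative privilege: {1}" -f
        $flagged.Count, (($flagged | ForEach-Object AppPool) -join ', '))
}
```

Per the reply, the expected result on a correctly configured server is that exactly one pool (the SolidCP Server module's) is flagged and every customer site pool runs under ApplicationPoolIdentity or a dedicated low-privilege account; anything beyond that is the privilege-escalation path the original post is worried about.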