One of the biggest problems that I saw with DNP and WSP still seems to persist in this version; that is the fact that the server site runs as an administrative user. This allows a compromised site running ASP or .net to be able to extract the credentials for this account from the MetaBase.
To make matters worse, if the server is on a domain then they can use tools like Mimikatz to capture domain-level credentials and spread filth across your entire Windows domain. I would really like to see the sites use non-admin credentials and then talk to a backend service that has the admin access. This would greatly reduce the risk associated with using this product.
Additionally, this product should handle filesystem permissions like Plesk does; that is lockdown filesystem access for the SCP_IUSRS group so that the group has no access to anything they do not need, and there should be a system in place where you can tell SCP what custom permissions it should set for this group on third party objects that SCP doesn’t just know about.
The lack of these two things is preventing us from deploying this product.
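The two points raised in the comment above (application pools running as an administrative account, and a web users group that has more filesystem access than it needs) can both be checked and corrected from the server. The following PowerShell is an added example, not code from the commenter, from SolidCP or from Plesk. It assumes IIS 7 or later with the WebAdministration module, PowerShell 5.1 or later for Get-LocalGroupMember, and an elevated session; the group name SCP_IUSRS is taken from the comment, while the hosting paths are assumptions for illustration only.

```powershell
# Added example (not SolidCP's own code). Requires IIS 7+ (WebAdministration module)
# and PowerShell 5.1+ (Get-LocalGroupMember). Run from an elevated session.
Import-Module WebAdministration

# Translate an application pool's identity setting into the account that will actually
# own the worker process.
function Get-AppPoolAccount {
    param([Parameter(Mandatory)] $Pool)
    $pm = $Pool.processModel
    switch ($pm.identityType) {
        'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
        'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
        'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
        'ApplicationPoolIdentity' { "IIS AppPool\$($Pool.Name)" }
        'SpecificUser'            { $pm.userName }
        default                   { "<unknown: $($pm.identityType)>" }
    }
}

# Report every pool that runs as LocalSystem or as a member of the local Administrators
# group. Code inside such a pool (ASP, .NET) already has the rights the comment warns about.
function Get-PrivilegedAppPools {
    $admins = @(Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name.ToLowerInvariant() })
    foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
        $account = Get-AppPoolAccount -Pool $pool
        # The pool config may store the user without a domain prefix, so compare both
        # the full name and the bare user name.
        $full = $account.ToLowerInvariant()
        $bare = ($full -split '\\')[-1]
        $bareAdmins = $admins | ForEach-Object { ($_ -split '\\')[-1] }
        $isAdmin = ($pool.processModel.identityType -eq 'LocalSystem') -or
                   ($admins -contains $full) -or
                   ($bareAdmins -contains $bare)
        if ($isAdmin) {
            [pscustomobject]@{
                Pool    = $pool.Name
                Account = $account
                Finding = 'worker process runs with administrative rights'
            }
        }
    }
}

# Least-privilege filesystem layout for the web users group: strip every ACE that grants
# the group rights under the hosting and panel directories, then grant read/execute on
# the one site root it needs. All paths below are assumptions for the example.
function Set-WebGroupAcl {
    param(
        [string]   $Group       = 'SCP_IUSRS',
        [string]   $SiteRoot    = 'C:\HostingSpaces\example\example.com\wwwroot',
        [string[]] $LockedPaths = @('C:\HostingSpaces', 'C:\inetpub')
    )
    foreach ($p in $LockedPaths) {
        if (Test-Path -LiteralPath $p) {
            # /remove:g deletes all ACEs granting rights to the group; /T recurses;
            # /C keeps going past files that cannot be changed.
            icacls $p /remove:g $Group /T /C | Out-Null
        }
    }
    # (OI)(CI) propagate to files and subfolders; RX is read and execute only, no write.
    icacls $SiteRoot /grant "${Group}:(OI)(CI)RX" | Out-Null
    # Print the resulting ACL so the change can be verified by eye.
    icacls $SiteRoot
}

Get-PrivilegedAppPools | Format-Table -AutoSize
# Set-WebGroupAcl -Group 'SCP_IUSRS' -SiteRoot 'C:\HostingSpaces\example\example.com\wwwroot'
```

The audit function is safe to run as-is; Set-WebGroupAcl changes ACLs and is left commented out. If a site needs a writable folder (uploads, App_Data, logs), grant the group Modify on that folder alone rather than on the site root, and re-run the audit after any panel upgrade, since a reinstall can recreate pools with their previous identity.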
SolidCP is a secure panel, about as good as it gets, by having 3 individual modules to separate the process, which literally gives you 1 front end, 1 SQL end, 1 server backend.
The example I showed you is on a normal web server (the way any server should be set up, including with Plesk) with a normally deployed site through SolidCP.
You get the exact same results if you run the deployment tool Marc made for the community. (which automates normal web server deployments for you).
In the end, if you don't like the way SolidCP works / is constructed, that's fine; again, you're entitled to your opinion, but to state it's not secure, that is incorrect.
We have been deploying WebsitePanel and now SolidCP for many large companies for over 5 years; none of them has any history of a hacked server. (Not even one.)
No tool (including the ones you mentioned) ever managed to get outside its own site dir or execute anything on the system; no infection we have seen has ever passed outside someone's website directory.
Personally I can't really think of many ways to make things safer, and so far I have seen nothing that indicates a security issue.
Just saying the way things are done isn't correct doesn't change the history, the tested tools, and even the security testing by multiple 3rd parties for certification and assurance, which so far has all passed.
If you want me to change my thought: come with clear evidence to show it's not secure; until then, there's little more that I can do, change or add to this discussion.
Views: 6584 · Answers: 9