SCP base security m...
 
Notifications
Clear all

SCP base security model

13 Posts
2 Users
0 Reactions
3,234 Views
Posts: 7
Topic starter
(@anthonyfrancis)
Active Member
Joined: 8 years ago

We don't have that option. That is my point, not every server can be as secure as you would like it because of client requirements, which is why the CP should be as secure as possible. Pinning administrative credentials on an IIS site is insecure and very bad practice, it should never be done. I know you don't want to hear this, but it is the very real truth. Please consider delegating the tasks to a service that has admin access and having the server site run as a non-privileged user.

Reply
Posts: 1967
Admin
(@m-tiggelaar)
Noble Member
Joined: 9 years ago

Well as i said, you can also configure it with "secure" mode and enter a admin level user / pass credentials in the database, that way your application pool user has no administrative rights and it uses the login on cmd / powershell.

though personally thats less secure (as mssql database hanging infront of a public portal --> more easy to grab your details then trying to hack a site that no1 besides portal/local ip can load, with it's application pool username + password while hacking from another site (that has no rights but it's own folder at all asp.net full trust will still not get you inside the SolidCP Server files if you secured it properly.

but besides that point, everyone can lock down the SolidCP Server module --> even with Windows Firewall and bindings, only the Portal needs access to it (which runs on normal privs)

In the end the basics stay the same as any other panel. we really can't get around that.
And as i also shown you: the setups are not vulnerable for the tools you mentioned, no server is that is properly setup.

Reply
Posts: 7
Topic starter
(@anthonyfrancis)
Active Member
Joined: 8 years ago

I am really done arguing with you. You are obviously not concerned with making a secure control panel. You would rather everyone else secure everything around your CP.

>In the end the basics stay the same as any other panel. we really can’t get around that.

This is completely incorrect. Maybe take the time to actually learn about how some of your competition works?

>everyone can lock down the SolidCP Server module –> even with Windows Firewall and bindings, only the Portal needs access to it (which runs on normal privs)

Other sites running on the same server bypass the firewall.....

>And as i also shown you: the setups are not vulnerable for the tools you mentioned, no server is that is properly setup.

You haven't shown me anything, other than the fact that you couldn't use certain portions of one tool in the context of a fully locked down site. When you are managing the hosts of other companies that have looser security requirements so that they can support and therefore attract a wider range of clients; you have situations where these tools can be leveraged. You can secure against them as much as you can without breaking functionality of their site; however there is some things in these situations that you cannot protect against, and having a site running with admin credentials presents a major security vulnerability in these situations.

 

All I am saying is that you guys should really spend some time making a backend service, not a website that does the job of the server component. It's fine if you don't want to, just say "we don't want to do that". Don't tell me it isn't necessary, because you are simply not correct.

Reply
Posts: 1967
Admin
(@m-tiggelaar)
Noble Member
Joined: 9 years ago

SolidCP is a secure panel, about as good as it gets by having 3 individual modules to separate the process, which literally gives you 1 front end, 1 sql end, 1 server backend.

The example i showed you is on an normal web server (the way any server should be setup including with plesk) with normal deployed site through SolidCP.

You get the exact same results if you run the deployment tool Marc made for the community. (which automates normal web server deployments for you).

In the end if you don't like the way SolidCP works / is constructed thats fine, again your entitled to your opinion, but to state it's not secure that is incorrect.

We have been deploying WebsitePanel and now SolidCP for many large companies for over 5 years, none of them have any history of a hacked server. (not even one)

No tool (including the ones you mentioned) ever managed to get outside their own site dir, or execute anything on the system, no infection we seen ever passing outside someones website directory.

Personally i can't really think of many ways to make things more safe, and so far i saw nothing that indicates a security issue.

Just saying the way things are done isn't correct doesn't change the history, the tested tools, and even tested security by multiple 3rd parties for certification and assurance so far all passed.

If you want me to change my thought: Come with clear evidence to show it's not secure, until then, there's little more that i can do, change or add to this discussion.

Reply
1 Reply
(@anthonyfrancis)
Joined: 8 years ago

Active Member
Posts: 7

I will do that then, because it is obvious that you are not willing to believe me.

Reply
Posts: 7
Topic starter
(@anthonyfrancis)
Active Member
Joined: 8 years ago

Also, do you happen to run Coldfusion on any of these super secure windows servers that have never been compromised?

Reply
1 Reply
Admin
(@m-tiggelaar)
Joined: 9 years ago

Noble Member
Posts: 1967

No, we only had 1 customer in the past 5 years who needed Coldfusion.

as far as super secure server: we do nothing special to it just the common things like removing users group from c, deny iis_iusrs from system32/ syswow, patch up ssl, etc.. just the common things most Windows admins should be aware of.

Reply
Page 2 / 2
Share: