fosterjr
22nd September 2004, 15:18
I am working on a degree in MIS with an Information Security emphasis and have to do a security-related paper. Since I have had to do security projects in Baan for the last 3 companies I have worked at, I decided to "limit" the topic to Baan/Oracle/HP security issues relating to Sarbanes-Oxley compliance.

What I am looking for is what (if any) changes has Baan made regarding security for any version of Baan newer than BaanIVc4?

Here are some areas that I am looking at:

1. Rexec vs Blogin.
2. Password expiry.
3. "u" files.
4. Security of log/audit files.
5. Default Oracle password (how many companies actually change this?).
6. Improvements in application security. For instance, in Baan IVc4 if a user has access to maintain/update in one company, they have access in all companies unless table level security is used.
7. Change management.
8. Saving passwords at client level.

I could probably write volumes about security issues but figured I could start a discussion on what people have found.

Jason Foster
Project Leader, Business Systems
nash-elmo industries, LLC

Markus Schmitz
23rd September 2004, 08:51
Hi Jason,

I think a lot of us would be interested in your results, even just the state of security issues with Baan IV. If you have already written something about Baan IV, how about posting it here?

I myself am 95% a Baan IV user, so I can give you only limited input. Actually, at least for Baan V, I think the basic technology is still the same:
- You still have u files, which you could manipulate
- You still have rexec/blogind; still most/all files belong to the group bsp and are readable for all Baan users
- The user can change his password from within the application, but I am not sure whether password aging is supported

I have not seen Baan ERP LN (or whatever it is called). Like for most people, this is still a mystery.

fosterjr
27th October 2004, 18:28
I have created several polls regarding security setups in Baan for my paper. I would appreciate as many responses as I can get. Also if anyone has any suggestions on other topics relating to security I could poll on, I would appreciate it.

fosterjr
27th October 2004, 18:42
I have submitted overview and outlines for my security topic. The response was great. It was suggested that, separate from the project requirements for class itself, I do a broader based analysis of "typical" security situations Baan Installations face.

My current approach is an extremely narrow focus of lateral security for one installation utilizing BaanIVc3/HPUX 11i/Oracle9i. I am trying to keep it focused on BW Client -> HP UX -> Baan application -> Oracle. This does not include patch management, port access and other OS and Database issues. I would wind up writing a book on that.

NPRao
27th October 2004, 21:32
I decided to "limit" the topic to Baan/Oracle/HP security issues relating to Sarbanes Oxley compliance.

Jason,

I added my votes in your poll. If you are doing this as part of security changes for SOX, then there are a few more regulations you also need to consider:

1. All production changes must be approved by managers.

2. The production control/deployment team isn't part of the development team.

Refer to the thread -> Sarbanes-Oxley Documentation (http://www.baanboard.com/baanboard/showthread.php?t=15577&highlight=production)

3. Shell access to users (which you have in the poll).

4. Unix/application/database password disabling/expiration policy for user/job (batch)/ftp accounts.

5. Data access restrictions (roles/session/database access levels).

There are a few more threads on the board if you search with the keyword "security".

patvdv
27th October 2004, 23:33
Jason, I am getting bounces from your currently configured email address. Please change your registered email address ASAP, otherwise I will have to temporarily disable your account.

fosterjr
28th October 2004, 17:50
I have actually had to limit it even tighter as I only have 6-7 pages, double spaced with 1 inch margins, to work with. I guess I could use a 2 or 3 point font size ;)

mark_h
28th October 2004, 18:42
Jason,

Check your PMs. I sent info on why I voted one way on one poll. So now I know why you are looking at security type issues; maybe a new poll on queries and reports in production. :)

Something else you may want to poll on is "Run Program". There are some issues with it and DEM flows. You may even want to think about a poll on DEMs. Those puppies create all kinds of session access and pose lots of problems.

Also we remove access to shells, but the users can ssh into the servers anyway!! What's the point??? I just do not plan on complaining about this.


Mark

fosterjr
28th October 2004, 19:02
The security setups (or lack of) that I have run across are absolutely amazing. What I love is the managers who say "Oh well the users don't know how to ..... So we don't worry about it"

Now I have a big challenge as I want to switch our environment to blogin instead of rexec. However, management doesn't want the time spent unless I can prove that the passwords are being sent unencrypted. And this is after I have all sorts of documentation discussing plain text passwords in rexec, telnet and ftp. I am trying to find a reliable tool where I can monitor port 512 and then provide a list of usernames and passwords to management.

mark_h
28th October 2004, 19:35
Sounds like our management at times. Couldn't you just attach a sniffer to a PC and get a few people to log in? I believe you could then search through the log files and see the info. Our network guys did some monitoring at our site for some Baan problems. The one thing I did not do was look for user-id and password; at the time we were looking for Baan disconnect problems.

Mark

NPRao
28th October 2004, 20:22
Now I have a big challenge as I want to switch our environment to blogin instead of rexec. However, management doesn't want the time spent unless I can prove that the passwords are being sent unencrypted.
Jason,

It's very easy to change rexec to blogin on the server side. But all the client desktops have to be modified.

Refer to the BaaN Support site for more info -

Information about Rexec, BaanLogin, Unified Logon, SSPI functionality
Author K Van den Dool Creation Date: 24 Mar 1999 Alternate ID:
Solution No: 70306 Last Modified: 26 Oct 2004 Status: Published
Product: port6.1c.05.02 Sub Product: Session: BaanLogin
Package: tt Version: B40 Release: c
Solution Type: KR:Question

SOLUTION DESCRIPTION:
1. Rexec versus BaanLogin method
============================

When using the BaanLogin method, password information is sent in an encrypted way.

3. SSPI Login
===========
The SSPI Login includes the Unified Logon principle but offers more than that.
More information about SSPI can be obtained from the Microsoft web sites. For example: http://www.microsoft.com/windows2000/techinfo/howitworks/security/sspi2000.asp

The SSPI layer is an interface between different SSPs (Security Service Providers) like Kerberos.
SSPI provides a mechanism by which a transport application can call in to one of several security providers like Kerberos, and obtain an authenticated connection.

The Kerberos authentication protocol has been integrated with both the Windows 2000 and Windows 98 kernels, and is currently supported by the SSPI implementation in the Baan software.
I am trying to find a reliable tool where I can monitor port 512 and then provide a list of usernames and passwords to management.
Why would you need the password?
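The point being argued in this part of the thread, that rexec carries the password in the clear on TCP port 512 while BaanLogin encrypts it, can be demonstrated from a capture without writing anyone's password down. The following Python is an added example, not code from the thread, from Baan or from any sniffer: it parses the BSD rexec request format (four NUL-terminated fields: stderr port, user, password, command; the server answers with a NUL byte on success or 0x01 plus an error text) from constructed flow records and reports only the user name and the password length. The Flow records, addresses and command strings are made up for the example.

```python
"""Spot cleartext rexec (TCP/512) logins in captured traffic and report them
without exposing the password itself.

Added example, not from the thread. A BSD rexec client sends four
NUL-terminated ASCII fields at the start of the connection:

    <stderr port> NUL <user> NUL <password> NUL <command> NUL

and the server answers with a single 0x00 byte on success, or 0x01 followed
by an error text. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REXEC_PORT = 512


@dataclass
class Flow:
    """One TCP conversation as a sniffer might reassemble it (constructed)."""
    src: str
    dst: str
    dst_port: int
    client_payload: bytes   # bytes sent by the client
    server_payload: bytes   # bytes sent back by the server


@dataclass
class Finding:
    src: str
    dst: str
    user: str
    password_len: int       # only the length is kept; the secret is never stored
    login_accepted: bool
    command: str

    def report_line(self) -> str:
        """One line suitable for a management summary: no password in it."""
        state = "accepted" if self.login_accepted else "rejected"
        return (f"{self.src} -> {self.dst}: user '{self.user}' sent a "
                f"{self.password_len}-character password in cleartext over rexec "
                f"(login {state}, command {self.command!r})")


def parse_rexec_request(payload: bytes) -> Optional[Tuple[int, str, str, str]]:
    """Return (stderr_port, user, password, command), or None when the bytes
    are not shaped like an rexec request."""
    parts = payload.split(b"\0")
    # Four NUL-terminated fields split into at least five pieces; the last is
    # whatever follows the command, normally empty.
    if len(parts) < 5:
        return None
    port_s, user, password, command = parts[:4]
    if not port_s.isdigit() or not user:
        return None
    return (int(port_s), user.decode("latin-1"),
            password.decode("latin-1"), command.decode("latin-1"))


def rexec_login_accepted(server_payload: bytes) -> bool:
    """rexecd signals success with a leading NUL byte and failure with 0x01."""
    return server_payload[:1] == b"\0"


def find_cleartext_rexec_logins(flows: List[Flow]) -> List[Finding]:
    """Walk captured flows and collect every rexec login seen on port 512."""
    findings = []
    for flow in flows:
        if flow.dst_port != REXEC_PORT:
            continue
        parsed = parse_rexec_request(flow.client_payload)
        if parsed is None:
            continue
        _stderr_port, user, password, command = parsed
        findings.append(Finding(flow.src, flow.dst, user, len(password),
                                rexec_login_accepted(flow.server_payload), command))
    return findings


# Constructed sample capture: two rexec logins (one accepted, one rejected)
# and an unrelated SSH flow that must be ignored.
SAMPLE_FLOWS = [
    Flow("10.0.0.15", "10.0.0.2", 512,
         b"0\0user01\0s3cret\0/usr/bin/true\0", b"\0"),
    Flow("10.0.0.23", "10.0.0.2", 512,
         b"0\0devuser\0wrongpw\0/usr/bin/true\0", b"\x01Login incorrect.\r\n"),
    Flow("10.0.0.15", "10.0.0.2", 22,
         b"SSH-2.0-OpenSSH_3.9\r\n", b"SSH-2.0-OpenSSH_3.9p1\r\n"),
]

if __name__ == "__main__":
    for finding in find_cleartext_rexec_logins(SAMPLE_FLOWS):
        print(finding.report_line())
```

Feeding it the payloads reassembled by a sniffer yields a list of users whose password crossed the wire in the clear, which is the evidence the thread is after, while the report keeps the secret itself out of any document handed to management.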

Markus Schmitz
29th October 2004, 09:17
Hi Fosterjr,

to sniff out the passwords sent by rexec, just try Ethereal. You will get it precompiled for HP-UX from http://eigen.ee.ualberta.ca/

Ethereal allows you to follow a connection and you will see all passwords for telnet, ftp and rexec in clear text. I did this once for fun.

If you really want to wake up management, then run something like "crack" against your passwd file. We also did this once for fun and it came back with 80% of the passwords. So if you allow people to access your server with ftp, telnet or ssh at all, then they can grab the passwd file and get next to anybody's password.

Enjoy security (or the lack of it)

Markus
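Markus's point about running "crack" against the passwd file only works because the hashes are readable there in the first place. As an added example (not from the thread, and not Baan or HP code), the following Python audits passwd-format lines for the conditions a defender fixes first: hashes exposed in the world-readable file, empty password fields, uid-0 accounts other than root, identical hashes shared between accounts, and interactive shells on accounts that should not have them, which is the gap mark_h describes above. It assumes the classic single-file layout (HP-UX 11i without trusted-system mode keeps the crypt(3) hash in field 2 of /etc/passwd); the sample lines and the hash strings in them are constructed placeholders, not real hashes.

```python
"""Audit passwd-format lines for exposed password hashes, passwordless
accounts, extra uid-0 accounts, shared hashes and unnecessary shells.

Added example, not from the thread. It assumes the classic layout where
field 2 of the world-readable passwd file holds the crypt(3) hash, and a
locked or shadowed account shows a marker such as "x" or "*" there instead.
The sample lines and hash strings are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Shells that give the account an interactive session on the host.
INTERACTIVE_SHELLS = {"/sbin/sh", "/bin/sh", "/usr/bin/sh", "/usr/bin/ksh",
                      "/bin/ksh", "/usr/bin/csh", "/bin/csh",
                      "/usr/bin/bash", "/bin/bash"}
# Field-2 values meaning "hash stored elsewhere" or "account locked".
LOCKED_MARKERS = {"x", "*", "!", "!!", "*LK*", "NP"}

Finding = Tuple[str, str]   # (account name, description)


@dataclass
class Account:
    name: str
    pw_field: str
    uid: int
    gid: int
    shell: str


def parse_passwd(text: str) -> List[Account]:
    """Parse the seven-field passwd format; raise on malformed lines."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, pw, uid, gid, _gecos, _home, shell = fields
        accounts.append(Account(name, pw, int(uid), int(gid), shell))
    return accounts


def audit_passwd(accounts: List[Account], shell_allowed: Set[str]) -> List[Finding]:
    """Return one finding per issue; shell_allowed lists the accounts that
    legitimately need an interactive shell (e.g. the application owner)."""
    findings: List[Finding] = []
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for a in accounts:
        if a.pw_field == "":
            findings.append((a.name, "empty password field: login needs no password"))
        elif a.pw_field not in LOCKED_MARKERS and not a.pw_field.startswith("*"):
            findings.append((a.name, "password hash exposed in world-readable passwd "
                                     f"({len(a.pw_field)}-character field; 13 means "
                                     "DES crypt, an offline cracking target)"))
            by_hash[a.pw_field].append(a.name)
        if a.uid == 0 and a.name != "root":
            findings.append((a.name, "uid 0 (root-equivalent) account that is not root"))
        if a.uid != 0 and a.shell in INTERACTIVE_SHELLS and a.name not in shell_allowed:
            findings.append((a.name, f"interactive shell {a.shell} on an application-only account"))
    # Identical hash strings mean identical salt and password: a shared or default password.
    for names in by_hash.values():
        if len(names) > 1:
            findings.append((",".join(names), "identical password hash: same password shared"))
    return findings


# Constructed sample file; "AbCdEfGhIjKlM" stands in for a 13-character DES hash.
SAMPLE_PASSWD = """\
root:x:0:3:root:/:/sbin/sh
baan:x:101:20:Baan application owner:/home/baan:/usr/bin/ksh
apclerk:AbCdEfGhIjKlM:1001:20:AP clerk:/home/apclerk:/usr/bin/ksh
arclerk:AbCdEfGhIjKlM:1002:20:AR clerk:/home/arclerk:/usr/bin/ksh
ftpbatch::1003:20:batch ftp account:/home/ftpbatch:/usr/bin/false
oper:x:0:3:operator:/home/oper:/sbin/sh
"""


def sample_findings() -> List[Finding]:
    """Run the audit over the constructed file, allowing only 'baan' a shell."""
    return audit_passwd(parse_passwd(SAMPLE_PASSWD), shell_allowed={"baan"})


if __name__ == "__main__":
    for name, what in sample_findings():
        print(f"{name}: {what}")
```

Against the constructed file the audit reports both clerks twice (exposed hash, unneeded shell), the shared hash between them, the passwordless ftp batch account and the second uid-0 account, while root and the Baan application owner pass; on a real host the "exposed hash" finding disappears once the hashes are moved out of the readable file, which removes the precondition for the offline cracking run Markus describes.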

p.cole
29th October 2004, 14:58
I don't think it has been mentioned that if the Baan application server is running on Windows and the "Current User" checkbox is checked in the BW Config, then I think neither the Rexec nor BaanLogin protocols are used. I don't think any passwords are transferred at all, just the current Windows authentication token, but I'm not 100% sure on that.

fosterjr
29th October 2004, 16:28
That is correct. So if a user leaves their computer accessible, anyone could come up and just start Baan.

fosterjr
29th October 2004, 16:33
NPRao,

Presenting a list of passwords would be an absolute proof of what I am trying to get across. Sometimes I feel like Chicken Little, if I could actually prove a vulnerability then it adds some extra weight. I have gotten written permission from our IT Ops Director to perform a packet sniff from my pc to our development box. So I will capture my password and perhaps have a developer log in from my pc as well.

One of the things that anyone attempting to do any sort of security audit should be absolutely careful about is to get approval for the activity. There have been too many cases of good sysadmins getting fired because they didn't have a very detailed approval in writing for running a sniffer or a password crack.

Jason

MATGRP
2nd January 2008, 13:06
Jason Foster ,

Please post the details of "Baan Security" for others' benefit, to implement in their respective companies.

Regards,
matgrp