Client Principal in the wild

Presentation transcript:

Client Principal in the wild
Or, how we learnt to love the client principal …
Julian Lyndon-Smith, whoGloo

help --> about
- Julian Lyndon-Smith
- progress v3
- *not* a dba guy
- co-founder of several startups, including dot.r and whoGloo
- know enough to keep things running, so may get some db stuff wrong. Throw your rotten tomatoes ;)
- know enough about security to make me paranoid. You should be too.

agenda
- A little history of openedge security: setuserid
- First looks at the client principal
- Getting deeper
- The client principal in the wild, aka real code
- Tips and tricks
- questions

disclaimer
- This talk includes information about real-world products and applications
- What I am about to say reflects our current thinking, but the information contained herein is probably heretical, wrong, may annoy progress, and is definitely subject to change
- Any future talks on this subject may be materially different from what is described here
- I may offend “users” ..

V11 ?
- 11.x introduced new features for the client principal:
  - Initialize method
  - Progress.Security.PAMStatus
  - Get-db-client
  - Db-list method
- 11.1 introduced callbacks
- This presentation concentrates on the v11 features, as v10 is not as secure:
  - No callbacks
  - Does not have the same level of helper methods etc.

Why do we need user authentication ?

Why do we need user authentication ?
- Sarbanes-Oxley (SOX): http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
- Customer requirements
- Application requirements
- N-tier applications: Appserver / webspeed
- Auditing: who did what / where / when

authentication is not authorisation
- Authentication is who the user is
- Authorisation is what the authenticated user can do
  - Often called “roles”
- You should always, however, be tracking changes to critical data
  - Use the auditing systems built into OpenEdge
  - Beyond the scope of this presentation: documentation.progress.com/output/OpenEdge113/pdfs/gscsv/gscsv.pdf

A short history : setuserid
- We’ve always used setuserid()
- Present in all versions of progress since at least v3
  - Not old enough to remember that far back
- Simple premise: SETUSERID("user", "password" [, "database"])
  - Authenticates a user for the specified database
  - Tries to match a user account in the _User table of the database
  - Returns true or false

Setuserid : problems
- Maintenance of the _user table is painful
  - Only the logged-in user can change their password
  - Which leads to problems if the user forgets their password ;)
  - Only solution is to delete the _user record and recreate it
- Have to setuserid for each connected database
- It does not generate any audit events, such as for login and logout

Setuserid : problems #2
- The password encoding algorithm does not meet any industry standards such as PCI DSS
  - “cracking” programs exist to reveal the password
- Not easy to use external authentication systems (LDAP etc)
- Can’t “logout” or invalidate the authentication session

Enter client principal
- First introduced with 10.0
- Much improved since; the 11.3 version is very useful ;)
- Represents a user login session
- Share a session between appservers and agents
- Sets user id
  - For the ABL application
  - For the database connection

Enter client principal
- Audit logs record login and logout of the user
- Internal authentication schemes
- External authentication schemes
- Session data can be stored as a raw value
- Once “sealed”, data cannot be changed

Using client principal
- Several things need to be set up in order to use the client principal:
  - Authentication systems
  - Domains
  - Database options

Authentication systems

domains

Domain options
- System type: this is the authentication system
- Access code: case-sensitive key used to seal the client-principal. A domain with the same name and access code must exist in the db for a sealed CP to be validated
- Audit context: this value is stored in the _event-context field of any auditing record

Database options
- Override database domain registry, trust the application registry
- Apply CAN-READ / CAN-WRITE permissions at runtime, not compile time

gotchas
- Can only access primary-passphrase from within a callback
- Domain access codes are hard to keep secret in code
  - very very very very bad practice ;)
- Memory leak with security-policy:get-client
- Secure access to any stored client principal records
- Long-lived CP

gotchas
- “<context>Authentication System library open failure (16357) The <context> operation could not find/load the external shared library containing an Authentication System plug-in module”
  - Aka: I can’t find the auth program you specified …
- Try to avoid setuserid() in your code after using client-principal
  - Overwrites *and locks out* set-db-client()
  - Fix this by using set-db-client(?)

Best practices for password ? (user)
- Enforce password changes on a regular basis: NO!
- Add time delays between sign-in attempts (5s or so)
- Consider allowing sentences as passwords
  - My little pony
  - Bacon, lettuce and tomato
  - Another day, another password
- Easily cracked ;)

Best practices for password ? (user)
- It is 10 times more secure to use "this is fun" as your password, than "J4fS<2".
- http://www.baekdal.com/insights/password-security-usability

Best practices for password ? (user)
- http://arstechnica.com/security/2012/08/passwords-under-assault/
- http://tinyurl.com/nxpaxp5 (How the bible and youtube are cracking your passwords)
- “Of the 4,400 unique words or phrases they mined from the Twitter searches, 1,976 of them were all or part of actual passwords used by MilitarySingles users”
- Dustin's computer can perform 30 billion guesses per second against standard Windows hashes. The $800 system uses four AMD Sapphire Radeon 7950 cards.

Best practices for password ? (user)

Best practices for password (system)
- Never, ever, ever store passwords in plain text. Ever!
  - http://plaintextoffenders.com/archive
  - http://mashable.com/2014/01/16/starbucks-mobile-passwords-plaintext/
- Never, ever, ever store passwords with reversible encryption
- Always hash the password before storing
  - Each user should have a different salt for the hash
- Always try to use https on web / appserver connections
  - So what if the NSA can see it ? ;)
- Ensure you have a low-level user with no permissions
- Change userid when your user logs out (appserver etc)
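The following is an added example and not code from the presentation or from Progress. It shows the system-side rules above in ABL: each user gets their own random salt, the password is run through the built-in PBE key derivation with a raised round count, only salt and derived key are stored, and a failed attempt pays the 5-second delay recommended on the user-side slide. Assumed rather than stated on the slides: OpenEdge 11.x, and that "SHA-256" is accepted for PBE-HASH-ALGORITHM on the release in use; the temp-table is a constructed stand-in for the application's real user table.

```abl
/* Added example, not from the presentation. Assumes OpenEdge 11.x and
   that "SHA-256" is a valid PBE-HASH-ALGORITHM on this release. The
   temp-table stands in for the application's real user table. */

DEFINE TEMP-TABLE ttUser NO-UNDO
    FIELD userName AS CHARACTER
    FIELD saltHex  AS CHARACTER   /* per-user random salt, hex encoded */
    FIELD hashHex  AS CHARACTER   /* key derived from password + salt  */
    INDEX ixUser IS PRIMARY UNIQUE userName.

/* Raise the work factor above the defaults for every derivation in this session. */
ASSIGN
    SECURITY-POLICY:PBE-HASH-ALGORITHM = "SHA-256"
    SECURITY-POLICY:PBE-KEY-ROUNDS     = 50000.

/* The one place that turns (password, salt) into the stored value. */
FUNCTION deriveKey RETURNS RAW (pcPassword AS CHARACTER, prSalt AS RAW):
    RETURN GENERATE-PBE-KEY(pcPassword, prSalt).
END FUNCTION.

/* Create or change a user's password: a fresh salt every time, and the
   plain-text password is never written anywhere. */
PROCEDURE setPassword:
    DEFINE INPUT PARAMETER pcUser     AS CHARACTER NO-UNDO.
    DEFINE INPUT PARAMETER pcPassword AS CHARACTER NO-UNDO.
    DEFINE VARIABLE rSalt AS RAW NO-UNDO.

    rSalt = GENERATE-PBE-SALT.

    FIND ttUser WHERE ttUser.userName = pcUser NO-ERROR.
    IF NOT AVAILABLE ttUser THEN DO:
        CREATE ttUser.
        ttUser.userName = pcUser.
    END.
    ASSIGN
        ttUser.saltHex = HEX-ENCODE(rSalt)
        ttUser.hashHex = HEX-ENCODE(deriveKey(pcPassword, rSalt)).
END PROCEDURE.

/* Check a sign-in attempt by recomputing the key with the user's own salt.
   RAW values are compared byte for byte (CHARACTER comparison in ABL is
   case-insensitive). An unknown user takes the same failure path as a
   wrong password, and every failure pays the same delay. */
PROCEDURE verifyPassword:
    DEFINE INPUT  PARAMETER pcUser     AS CHARACTER NO-UNDO.
    DEFINE INPUT  PARAMETER pcPassword AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER plOk       AS LOGICAL   NO-UNDO.

    plOk = FALSE.
    FIND ttUser WHERE ttUser.userName = pcUser NO-ERROR.
    IF AVAILABLE ttUser THEN
        plOk = (deriveKey(pcPassword, HEX-DECODE(ttUser.saltHex))
                = HEX-DECODE(ttUser.hashHex)).
    IF NOT plOk THEN PAUSE 5 NO-MESSAGE.   /* slow down guessing */
END PROCEDURE.

/* Usage */
DEFINE VARIABLE lOk AS LOGICAL NO-UNDO.
RUN setPassword ("julian", "bacon, lettuce and tomato").
RUN verifyPassword ("julian", "bacon, lettuce and tomato", OUTPUT lOk).
MESSAGE "correct password accepted:" lOk.
RUN verifyPassword ("julian", "J4fS<2", OUTPUT lOk).
MESSAGE "wrong password accepted:" lOk.
```

PBE-KEY-ROUNDS is the cost knob: raise it until a single derivation is as slow as the sign-in path can tolerate, and store the round count alongside the hash if you ever intend to raise it again for existing users. Because the salt is per user, two users with the same sentence password still get different stored values, which is the point of the "different salt per user" rule.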

Let’s do this
- Let’s create a new authentication system:
  - Create new domain
  - Create new authentication system
  - Create callback procedure to validate credentials
  - Create a session storage mechanism
  - Validate with user code & password
  - Store a sealed client principal
  - Retrieve stored client principal
  - authenticate
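As an added example (not code from the presentation or from Progress), the client-principal side of the steps listed above: register a domain, build and seal a client-principal after the application has checked the user's password, apply it to the ABL session and the database connection, export it as RAW for the session store, re-import and validate it on a later request, and log it out. It deliberately keeps the credential check in application code instead of the callback procedure the talk describes, so assumptions not on the slides are: OpenEdge 11.x; a database connected with logical name "sports2000"; a domain "app" of the built-in "_extsso" type, registered in the application registry rather than the database; and a placeholder access code that a real application would load from protected configuration rather than keep in source.

```abl
/* Added example, not from the presentation. Assumptions: OpenEdge 11.x,
   a connected database with logical name "sports2000", a domain "app" of
   the built-in "_extsso" type in the application registry. The access
   code is a placeholder; do not keep the real one in source. */

DEFINE VARIABLE cAccessCode AS CHARACTER NO-UNDO INITIAL "PLACEHOLDER-ACCESS-CODE".

/* Stand-in for the session store. Protect the real store: whoever can read
   a sealed CP can resume that session until it expires or is logged out. */
DEFINE VARIABLE rStoredCP AS RAW NO-UNDO.

/* 1. Register the domain, then lock the registry so nothing else in this
      session can add a domain with an access code of its choosing. */
SECURITY-POLICY:REGISTER-DOMAIN("app", cAccessCode, "_extsso", "Application users").
SECURITY-POLICY:LOCK-REGISTRATION().

/* 2. Make the CP the identity of both the ABL session and the database connection. */
PROCEDURE applyIdentity:
    DEFINE INPUT PARAMETER phCP AS HANDLE NO-UNDO.
    IF NOT SECURITY-POLICY:SET-CLIENT(phCP) THEN
        RETURN ERROR "SET-CLIENT failed, login state " + phCP:LOGIN-STATE.
    IF NOT SET-DB-CLIENT(phCP, "sports2000") THEN
        RETURN ERROR "SET-DB-CLIENT failed, login state " + phCP:LOGIN-STATE.
END PROCEDURE.

/* 3. Issue a sealed CP once the application's own password check has passed
      (that check is not shown here). Returns the exportable RAW form. */
PROCEDURE startSession:
    DEFINE INPUT  PARAMETER pcUser AS CHARACTER NO-UNDO.
    DEFINE OUTPUT PARAMETER prCP   AS RAW       NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    CREATE CLIENT-PRINCIPAL hCP.
    /* user@domain; ? lets the AVM generate a session id; login expires in 8 hours */
    hCP:INITIALIZE(pcUser + "@app", ?, ADD-INTERVAL(NOW, 8, "hours")).
    hCP:AUDIT-EVENT-CONTEXT = "interactive-login".   /* ends up in _event-context */
    hCP:ROLES = "user".

    /* Sealing fixes the contents; only a domain with the same name and
       access code can validate the seal afterwards. */
    IF NOT hCP:SEAL(cAccessCode) THEN DO:
        DELETE OBJECT hCP.
        RETURN ERROR "could not seal client-principal".
    END.

    RUN applyIdentity (hCP).
    prCP = hCP:EXPORT-PRINCIPAL().   /* serialized, sealed; store this RAW */
    DELETE OBJECT hCP.               /* the AVM keeps its own copy */
END PROCEDURE.

/* 4. Later request (next AppServer call, for instance): rebuild the CP from
      storage, check seal and login state, and re-apply the identity. */
PROCEDURE resumeSession:
    DEFINE INPUT  PARAMETER prCP AS RAW     NO-UNDO.
    DEFINE OUTPUT PARAMETER plOk AS LOGICAL NO-UNDO.
    DEFINE VARIABLE hCP AS HANDLE NO-UNDO.

    plOk = FALSE.
    CREATE CLIENT-PRINCIPAL hCP.
    IF hCP:IMPORT-PRINCIPAL(prCP)
       AND hCP:VALIDATE-SEAL(cAccessCode)
       AND hCP:LOGIN-STATE = "LOGIN" THEN DO:
        RUN applyIdentity (hCP).
        plOk = TRUE.
    END.
    DELETE OBJECT hCP.   /* always free the handle, valid or not */
END PROCEDURE.

/* 5. Logout: record the audit logout event and drop the db identity.
      SET-DB-CLIENT(?) resets the connection identity, the same call the
      gotchas slide gives for recovering from a stray SETUSERID(). */
PROCEDURE endSession:
    DEFINE INPUT PARAMETER prCP AS RAW NO-UNDO.
    DEFINE VARIABLE hCP    AS HANDLE  NO-UNDO.
    DEFINE VARIABLE lReset AS LOGICAL NO-UNDO.

    CREATE CLIENT-PRINCIPAL hCP.
    IF hCP:IMPORT-PRINCIPAL(prCP) AND hCP:VALIDATE-SEAL(cAccessCode) THEN
        hCP:LOGOUT().
    DELETE OBJECT hCP.
    lReset = SET-DB-CLIENT(?, "sports2000").
END PROCEDURE.

/* Usage */
DEFINE VARIABLE lOk AS LOGICAL NO-UNDO.
RUN startSession ("julian", OUTPUT rStoredCP).
RUN resumeSession (rStoredCP, OUTPUT lOk).
MESSAGE "resumed session for" SECURITY-POLICY:GET-CLIENT():QUALIFIED-USER-ID "ok:" lOk.
RUN endSession (rStoredCP).
```

Two of the gotchas from the earlier slides show up directly here: the access code is the single secret that makes a seal meaningful, so registering the domain from a value embedded in source is exactly the "very bad practice" the talk warns about, and every CREATE CLIENT-PRINCIPAL (including the copy GET-CLIENT() hands back) is a handle the caller must DELETE OBJECT or it leaks.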

Questions ?
Thank you for your time