To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Uneasy feeling about password reset feature in PM Console / Server.

Tacsk0
Tacsk0 W/ Member Posts: 4 Security Scout

Hello,

How do you feel about the password reset feature in WithSecure Policy Manager Server and Console? It's openly documented in the manual and leaves H2DB contents intact, which I feel is a security risk.

WithSecure Support says to use Reset Tool on PM, user must first log into server OS as administrator, which is one of the security measures. I have two objections to that line of thought:

  1. In case of a user privilege elevation exploit in the OS, Joe Insidejob or Hacker Harry could promote themselves to full Windows / Linux admin and run the Reset Tool, thereby also becoming PMC admins. They could then turn off or uninstall anti-virus protection on thousands of clients, even if they couldn't do that directly on the individual endpoints due to uninstall password protection.
  2. PMC now has a feature to create minor admins for various sub-branches of a policy domain and those accounts can only see and configure those endpoints within their tree. It's likely those people have admin rights in OS (at least on the Windows Server platform...) In case of a contingency, PMC minor admins may feel informal pressure to become full PM admin by running the pwd reset tool, for example to be able to take new install package versions into use. Thereby user violates written corporate guidelines and possibly puts the company into hot water with auditors / regulators.

Thanks for your attention! Sincerely: Tamas Feher, Hungary.

Comments

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 197 Moderator

    Hi @Tacsk0

    Thank you for reaching out the WithSecure Community,

    Thank you so much for taking the time to provide feedback on our Policy Manager password reset feature. If you're utilizing our business security products and have specific features or ideas in mind, we encourage you to submit them directly through our dedicated portal at ideas.withsecure.com. This platform is designed for your convenience, allowing you to share your feature requests and ideas effortlessly. Your valuable feedback and suggestions are vital in enhancing our products and services, and we greatly appreciate your contribution to our community.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home