Penetration Testing mailing list archives
RE: NAI ePolicy Orchestrator
From: "Sacha Faust" <sacha () severus org>
Date: Wed, 31 Oct 2001 00:36:19 -0500
I actually ran into the same discovery today when I was taking a look at Distributed Cybercop. Seem very strange that they leave ports open with such information. Port 80 seem to be for the management console and 81 for the agent -----Original Message----- From: Blake Frantz [mailto:blake () mc net] Sent: Tuesday, October 30, 2001 4:15 PM To: pen-test () securityfocus com Subject: NAI ePolicy Orchestrator Hello, I'm looking for a whitepaper on securing NAI ePolicy Orchestrator and can't seem to find anything solid. We are performing an internal audit of our machines and found the the ePolicy Orchestrator Servers all listen on ports 80,8080,8081 -- Each port redirects back to the same directory structure: EVTFILTR.INI 322 09/20/2001 12:45 AM NAIMSERV.LOG 1094 10/26/2001 06:23 PM SERVER.INI 277 10/10/2001 10:00 PM SITEINFO.INI 268 10/10/2001 10:00 PM The contents of two of the files are below: [SERVER.INI] (I modified the hash, but the length is still the same) [Server] DataSource=EPOAV Database=ePO_EPOAV UserName=sa Password=U3BVmVk4KHxsYFxaYFGRIVDxARHBoGCh8bGBcWBRkSFaQ8QERwaAA== UseNTAccount=0 HTTPPort=80 AgentHttpPort=8081 ConsoleHTTPPort=8080 MaxHttpConnection=1000 EventLogFileSizeLimit=2097152 MaxSoftInstall=25 [/SERVER.INI] [SITEINFO.INI] [SiteInfo] Version=1769 DefaultSite=Current Sites=Current [Current] MasterSiteServer=xxxx Servers=xxxx [xxxx] ComputerName=xxxx DNSName=xxx.xxx.xxx.xxx LastKnownIP=xxx.xxx.xxx.xxx HTTPPort=80 AgentHttpPort=8081 ConsoleHTTPPort=8080 [/SITEINFO.INI] These files appear to contain connection info to a MSSQL instance using the sa account -- the password hash is even there. My questions are: Is this how a typical installation is *supposed* to look? I think not, but two of our servers yeild the same info. Is the hash found in server.ini a MSSQL hash or a hash generated by the EPO server itself? Does anyone have a whitepaper on properly securing these servers? Thanks in advance, -blake ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- NAI ePolicy Orchestrator Blake Frantz (Oct 30)
- RE: NAI ePolicy Orchestrator Sacha Faust (Oct 31)