Tighten up SAADMIN security

afeind
Level 1

I was working on a subscriber's PC today (logged in as them, not admin). I tried to get to http://server/saweb and it let me right in. I could change anyone's phone extension/password or anything. This shouldn't be happening. I logged into the Windows 98 computer as another user that didn't have VM and couldn't get to the saweb screen?

How can I tighten down security? I had opened a TAC case about 2 months ago regarding logging into SA. There was some problem and TAC worked for a while fixing the security for SA, but I am now curious if there is a hole in it. Obviously I don't want users to get to saweb. Is there something in Unity I change to block SA from everyone but admin or Exchange admins? Or do we do this through Windows security?

Thanks,

Adam


lindborg
Cisco Employee

Not sure what was done on your system by TAC but it shouldn't be letting just anyone get to the SA!

When you hit the SAWeb page we get the token of the user logged in from NT. If you're not logged into the domain, IIS prompts you using CHAPS for your login name, domain and password. We look that SID up and see if you're a subscriber on the system; if you are, we see if your Class of Service in Unity allows SA access or not. If it does, you're in. If not, we then go check the SID History table, which can be mapped with GrantUnityAccess... if your SID is in this table and it corresponds to a local subscriber with SA access, you're also in.

If those fail, you can't gain access to the SA.

My best guess is you have everyone assigned to an administration Class of Service. Either that, or someone went a little wild with the GrantUnityAccess tool; however, I doubt that...
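The lookup chain in the reply above, as an added example written for this page (it is not Cisco's code): constructed tables stand in for the subscriber list, the Classes of Service and the SID History table, and the audit function lists every SID that would be admitted to the SA and by which path, which is the kind of check an administrator would run against real data to find an over-granting Class of Service.

```python
from dataclasses import dataclass

# Constructed sample data modelling the three lookups lindborg describes.
# SIDs, aliases and Class of Service names are made up for this example.

@dataclass(frozen=True)
class ClassOfService:
    name: str
    sa_access: bool  # does this CoS allow System Administrator access?

@dataclass(frozen=True)
class Subscriber:
    alias: str
    sid: str   # NT SID taken from the logged-in user's token
    cos: str   # name of the subscriber's Class of Service

CLASSES = {
    "Default Subscriber": ClassOfService("Default Subscriber", sa_access=False),
    "System Administrator": ClassOfService("System Administrator", sa_access=True),
}
SUBSCRIBERS = [
    Subscriber("adam", "S-1-5-21-1000-1", "System Administrator"),
    Subscriber("jsmith", "S-1-5-21-1000-2", "Default Subscriber"),
    Subscriber("operator", "S-1-5-21-1000-3", "System Administrator"),
]
# SID History table: external SID -> local subscriber alias (GrantUnityAccess mapping)
SID_HISTORY = {"S-1-5-21-9999-7": "adam"}

def sa_access_path(sid, subscribers=SUBSCRIBERS, classes=CLASSES, sid_history=SID_HISTORY):
    """Return ('subscriber', alias), ('sid_history', alias) or None for a SID."""
    by_sid = {s.sid: s for s in subscribers}
    by_alias = {s.alias: s for s in subscribers}
    sub = by_sid.get(sid)
    if sub is not None and classes[sub.cos].sa_access:
        return ("subscriber", sub.alias)        # direct: own CoS grants SA
    mapped = by_alias.get(sid_history.get(sid, ""))
    if mapped is not None and classes[mapped.cos].sa_access:
        return ("sid_history", mapped.alias)    # indirect: mapped local subscriber has SA
    return None

def audit_sa_grants(subscribers=SUBSCRIBERS, classes=CLASSES, sid_history=SID_HISTORY):
    """Every SID that would reach the SA, with the path that admits it."""
    candidates = {s.sid for s in subscribers} | set(sid_history)
    return {sid: path for sid in sorted(candidates)
            if (path := sa_access_path(sid, subscribers, classes, sid_history))}

def sa_cos_population(subscribers=SUBSCRIBERS, classes=CLASSES):
    """Count subscribers per SA-granting CoS; a large count is the 'everyone is admin' symptom."""
    counts = {}
    for s in subscribers:
        if classes[s.cos].sa_access:
            counts[s.cos] = counts.get(s.cos, 0) + 1
    return counts
```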