Open for Voting

NetPath Account Limitations

I run a multitenant Orion environment and currently have clients beating down the door for access to our NetPath. I have found that I can give them access using some clever and albeit ugly uses of Node.JS, PHP, and JavaScript with an iframe, but this only gives them access via security through obscurity. The current NetPath gives everyone read access to NetPath Services if you simply know the URL [which you can pull from the demo site]. It would be great if I could assign an account limitation to a path, probe, and user [much like the report limitation logic], thus preventing client/corporate information leaks.

  • For the purposes of maintaining customer data integrity I have to disable quite a few features from Customer web servers, including NETPATH, so would welcome a way to apply security limitations to it. I have set up customer NETPATHs, though advised that it is service desk visible only.

    I have a number of tasks for locking down customer web access, as detailed below. I hope this is of use to someone until such time as the products feature improved built-in capabilities and more system-wide view/security limitations. Most of these are required to stop users being cunning and changing the URL to access modules and pages that were not accessible directly by menu clicks (using URLs they have seen on the Orion public demo).

    This needs repeating each time a repair is run against WEBSITE on a customer webserver.

    I have found a few modules that I could not fully restrict to remove the possibility of accessing other customer data (either by changing the URL or just not able to set enough view limitations).

    I have a lot of modules installed (NPM, NCM, NTA, VNQM, SAM, WPM, DPA, VMAN, SPM, SRM, IPAM, UDT), so it is just not possible to restrict them all with view limitations (can only pick the most important 3... though 2 are taken up for Nodes and Groups, leaving only 1 view limitation to play with for all those modules!). Shame there is no way to TURN OFF particular modules in a user/group account profile, rather than just setting/hiding menus and page views. It seems this can only be done on a few (e.g. IPAM, NCM); on others the permissions can be changed, though no lower than USER (e.g. SAM, WPM), and others have no option (e.g. DPA).

    Restrict Nodes by custom 'customer' property (why does that still not exist as an out-of-the-box, SYSTEM WIDE property). This does view restrict GROUPS (only the nodes in the groups) that are set up for some customers (for Maps), so a Group restriction is also needed. With NPM 11.5 I used to Group Pattern Match against a random string (which worked fine for customers with none of their own groups), otherwise some info would be displayed in Events relating to Groups set up for other customers. I found when first going to NPM 12 (a clean install) that this would permit no nodes to be displayed, so instead I set up limit by Group Of Groups (or Single Group), with a group for "all nodes" for each customer (dynamic group against customer custom property). Using so many dynamic groups, I randomise the refresh time so they have a different refresh offset, otherwise they all refresh at 60 seconds and can have a performance impact.

    NETPATH and PERFSTACK are both problematic too, so after running the configuration wizard against 'website' on the customer web servers I have a load of manual tasks to perform to lock them down.

    This means deleting the following folders:

    • c:\inetpub\SolarWinds\ui\modules\perfstack  (folder)
    • c:\inetpub\SolarWinds\ui\modules\netpath   (folder)

    Alerts also display data for other modules, so need disabling in several places. Disable Alerts and Message View against account profiles. Remove Alerts from default menu bars.

    To prevent customers knowing the URL, edit C:\InetPub\SolarWinds\Orion\NetPerfMon\Alerts.ASPX, and remove the code between the following (leaving those lines listed below intact). This is right at the end of the file. Remove the file and errors can occur, whereas this 'fix' just displays a blank page with the normal navigation menus above if they happen upon the URL.

         <asp:Content ID="Content3" ContentPlaceHolderID="ContentPlaceholder" runat="Server">
              <div id="alertGrid">

    [delete all the lines in between the two lines above and below, leaving those lines intact]

             </div>

         </asp:Content>


    Copy the entire contents of the modified ALERTS.ASPX and paste into ORIONMESSAGE.ASPX in the same folder (I found this easier than working out how to strip the code out of that particular file. It does change the title bar to Alerts, though the customer should not be there as it is disabled from their menus, so they found it by URL trial and error)

    APPSTACK also displays data that I cannot view restrict, so remove ENVIRONMENT from customer menu bars, and delete the following files (these will simply error if the user manually types the URL for one of them, though won't affect any other areas of browsing).

    • C:\InetPub\SolarWinds\Orion\AppStack\Debug.aspx
    • C:\InetPub\SolarWinds\Orion\AppStack\Default.aspx
    • C:\InetPub\SolarWinds\Orion\AppStack\Settings.aspx

    Turning off NETFLOW NAVIGATOR (otherwise, in the drop-down menus, some customisation where customer names or data are used can be seen, such as IP ADDRESS GROUPS where customer identifiers have been used). Although fixed in NPM 12, in NPM 11.5 the View Type would list ALL NetFlow sources (though in 12 it seems to accept user account view limitations for that particular drop-down).

    Edit C:\inetpub\SolarWinds\Orion\TrafficAnalysis\TrafficViewBuilder\TrafficViewBuilder.ascx

    • Line 10, change the following: (this hides the flow navigator menu button on the side)
      • From:
        • $('#tvbCollapsedTd').show(500);
      • To:
        • $('#tvbCollapsedTd').hide(500);

    • Line 20 through to 30 (inclusive)     [delete this whole section; this removes the ability for the side bar to be initiated by a means other than clicking the now-hidden Flow Navigator button]
      • Delete:
        •        <td id="tvbCollapsedTd" valign="top" class="TrafficViewBuilderPanelCollapsed" style="cursor:pointer" onmousedown=
        •                 "
        •                  $('#tvbExpandedTd').show(500);
        •                  $('#tvbCollapsedTd').hide(500);
        •                  // when autorefresher is active and TVB is displayed then autorefresher is disabled
        •                  if (typeof orionPageRefreshTimeout != 'undefined')
        •                     clearTimeout(orionPageRefreshTimeout);               
        •                  ">
        •              <img src="/Orion/TrafficAnalysis/images/Button.TrafficViewBuilder.Expand.gif" alt="<%= Resources.NTAWebContent.NTAWEBDATA_VB1_27 %>" id="expandButton"/>
        •                 <img src="<%= SolarWinds.Orion.Web.UI.Localizer.PathResolver.GetVirtualPath("TrafficAnalysis", "TrafficViewbuilder.CollapsedHeader.Title.gif") %>" style="padding:0px;padding-top:5px"/>
        •         </td>

    Due to the fact I can only have a limited number of view limitations (3) and having a lot of modules, with Alerts not visible I still need to work on locking down EVENTS. I do this by disabling the ability for certain events to REPORT to the event log.

    Event type 380x are Netpath, 610x are WPM, 64xx are SRM. Not sure if other modules add to those ranges, so check first. This is as per Suppress events on the Orion Web Console - SolarWinds Worldwide, LLC. Help and Support

    This query shows the events (there are some below 999 that pattern match, hence adding that). Disclaimer about backing up SQL and getting a DBA / SA or someone with sufficient knowledge to apply the fix to the SQL DB.

       Select * from [SolarWindsOrion].[dbo].[EventTypes]
       where ((eventtype like '64%') or (eventtype like '380%') or (eventtype like '610%')) and (eventtype > '999')

    This query stops the REPORT TO EVENT LOG. Repeat the above Select statement afterwards to ensure it has updated.

      Update [SolarWindsOrion].[dbo].[EventTypes]
      set Report = '0'
      where ((eventtype like '64%') or (eventtype like '380%') or (eventtype like '610%')) and (eventtype > '999') and (Report = '1')

    Obviously backup the files first, in case of an error, and repeat after running the config wizard to repair the web server. Takes < 5 minutes...

    Hope this helps.
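The manual steps in the comment above, collected into one re-runnable script so they can be repeated after each Configuration Wizard repair. This is an added example written for this page, not code posted by the commenter or shipped by SolarWinds. It takes the file and folder paths exactly as the comment lists them, assumes the SqlServer PowerShell module (for Invoke-Sqlcmd) is installed on the box running it, and uses placeholder values for the backup folder and SQL instance. The regex that blanks the alert grid is this example's own reading of the "delete the lines between" instruction and should be checked against the Alerts.aspx on your build before trusting it; the script backs everything up first and re-runs the EventTypes check afterwards, as the comment recommends.

```powershell
# Added example (not from the original comment): re-applies the lock-down steps described
# above after a Configuration Wizard repair. Run in an elevated session on the customer web server.
param(
    [string]$BackupRoot  = 'C:\OrionLockdownBackup',   # placeholder, adjust
    [string]$SqlInstance = 'ORIONSQL\INSTANCE',        # placeholder, adjust
    [string]$Database    = 'SolarWindsOrion',
    [switch]$SkipSql
)
$ErrorActionPreference = 'Stop'
$backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backup -Force | Out-Null

# 1. Module folders and AppStack pages the comment deletes so their URLs no longer resolve.
$foldersToRemove = @(
    'C:\inetpub\SolarWinds\ui\modules\perfstack',
    'C:\inetpub\SolarWinds\ui\modules\netpath'
)
$filesToRemove = @(
    'C:\InetPub\SolarWinds\Orion\AppStack\Debug.aspx',
    'C:\InetPub\SolarWinds\Orion\AppStack\Default.aspx',
    'C:\InetPub\SolarWinds\Orion\AppStack\Settings.aspx'
)

function Backup-Item([string]$Path) {
    # Copy into the timestamped backup folder, keeping the original path layout
    # (drive letter dropped) so a restore is a straight copy back.
    $dest = Join-Path $backup ($Path -replace '^[A-Za-z]:\\', '')
    New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
    Copy-Item -Path $Path -Destination $dest -Recurse -Force
}

foreach ($p in $foldersToRemove + $filesToRemove) {
    if (Test-Path $p) {
        Backup-Item $p
        Remove-Item -Path $p -Recurse -Force
        Write-Host "Removed $p"
    } else {
        Write-Host "Already absent: $p"
    }
}

# 2. Blank the alert grid in Alerts.aspx and reuse the result for OrionMessage.aspx, as in the comment.
$alerts  = 'C:\InetPub\SolarWinds\Orion\NetPerfMon\Alerts.aspx'
$message = 'C:\InetPub\SolarWinds\Orion\NetPerfMon\OrionMessage.aspx'
if (Test-Path $alerts) {
    Backup-Item $alerts
    if (Test-Path $message) { Backup-Item $message }
    $content = Get-Content -Path $alerts -Raw
    # Keep the <div id="alertGrid"> open tag and the closing </div></asp:Content>; drop
    # everything between them. (?s) lets . span line breaks. This pattern is an assumption
    # about the file layout, so the script refuses to touch the file if it does not match.
    $pattern = '(?s)(<div id="alertGrid">).*?(</div>\s*</asp:Content>)'
    if ($content -match $pattern) {
        $stripped = [regex]::Replace($content, $pattern, '$1' + [Environment]::NewLine + '$2')
        Set-Content -Path $alerts  -Value $stripped
        Set-Content -Path $message -Value $stripped
        Write-Host "Blanked alert grid in Alerts.aspx and OrionMessage.aspx"
    } else {
        Write-Warning "alertGrid block not found in $alerts; file left unchanged"
    }
}

# 3. Stop NetPath (380x), WPM (610x) and SRM (64xx) event types reporting to the event log,
#    using the same predicate as the comment's SQL, then verify nothing in those ranges still reports.
if (-not $SkipSql) {
    $where = "((EventType LIKE '64%') OR (EventType LIKE '380%') OR (EventType LIKE '610%')) AND (EventType > '999')"
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database -Query @"
UPDATE [dbo].[EventTypes] SET Report = '0' WHERE $where AND Report = '1';
"@
    $left = Invoke-Sqlcmd -ServerInstance $SqlInstance -Database $Database `
        -Query "SELECT COUNT(*) AS n FROM [dbo].[EventTypes] WHERE $where AND Report = '1';"
    Write-Host "Event types in those ranges still reporting: $($left.n)"   # expect 0
}

Write-Host "Backups of replaced items: $backup"
```

Run it once after each repair; the backup folder it prints is what you restore from if a page starts erroring, and the final count should be 0 if the EventTypes update applied. The NetFlow TrafficViewBuilder.ascx edit from the comment is left to hand-editing because it depends on exact line numbers of that build.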

  • I'd like to see granularity of account controls for netpath. Maybe a single dropdown box for the kind of stuff people can see?