3 Replies Latest reply on Jul 25, 2013 3:27 PM by Network_Guru

    View Limitation Not Working - Security Holes??

      I'm new to the NPM product, so apologies if I'm overlooking how to properly lock a view limitation down.  I'm getting highly concerned about my decision to purchase this product after my own problems with security loopholes, and similar posts on the forum... But anyway, hopefully someone can steer me in the right direction here, as I haven't had any luck with sales and engineering folks.

      I'm using this product in a multi-tenant environment, and want clients to log in and view their interface utilization basically and nothing else.  Sounds easy, but I've spent the better part of a week scratching my head wondering what the heck I'm doing wrong. 

      So in my journey this is the progress and observations I've made:

      After a lot of searching I figured out how to remove the breadcrumb feature altogether, which was a headache in itself.  I finally found a post that said to do this:

      "There is a setting called "DisableBreadCrumbs" in the inetpub\SolarWinds\web.config file. Just set the value to true."

      Done!

      Oh wait...  Then I realized that as a limited user with view limitation set to a single interface, I can copy and paste any URL into the title bar and see everything an admin can!!  Granted, I can't click on nodes or other interfaces and get specific details; I can, however, still see a ton of data from top tens, alerts, group views, etc., which to me is a deal breaker.  I can't have clients be able to see other client names, and details about our network topology, firewalls, maps, etc...

      So even if I go and figure out how to disable the mouse-over feature (I have to edit some .js file?), any knowledgeable and nosy client can basically copy and paste:

      http://npmserver.com/Orion/SummaryView.aspx?viewname=Current%20Top%2010%20Lists

      http://npmserver.com/Orion/NetPerfMon/Alerts.aspx

      http://npmserver.com/Orion/NetPerfMon/Traps.aspx

      ... etc.  But you get the idea: any of those pages happily shows the locked-down user all the data!


      Suggestions?


      *Edit*

      I just tried to paste the URL for IPAM:

      http://npmserver.com/Orion/IPAM/subnets.aspx

      I can now browse every subnet I have configured (over 300 IPs) with the locked-down user... Great!

      I have unchecked all the settings in the account limitation to "none" ...
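      An added defender-side check, not part of the original post or the product: the symptom described above (a view-limited account being served whole pages such as Alerts.aspx, Traps.aspx or IPAM/subnets.aspx by pasting the URL) shows up in the web console's IIS access log as HTTP 200 responses to pages outside that account's allowed set. The script below walks a constructed W3C-format log excerpt and flags those requests; the field order, account names, IPs and per-tenant allow-list are assumptions for the example.

```python
# Allow-list per view-limited account: page paths such an account is meant to see.
# Constructed for this example; derive the real set from your own tenant policy.
ALLOWED = {
    "tenant_a": {"/orion/interfaces/interfacedetails.aspx", "/orion/login.aspx"},
}

# Field order for the IIS W3C log lines below. In real logs, read it from the
# '#Fields:' header line instead of assuming it.
FIELDS = ("date", "time", "cs-method", "cs-uri-stem", "cs-uri-query",
          "cs-username", "c-ip", "sc-status")

# Constructed sample log excerpt; usernames, IPs and times are made up.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2013-07-25 14:01:02 GET /Orion/Interfaces/InterfaceDetails.aspx NetObject=I:17 tenant_a 203.0.113.5 200
2013-07-25 14:01:40 GET /Orion/SummaryView.aspx viewname=Current%20Top%2010%20Lists tenant_a 203.0.113.5 200
2013-07-25 14:02:11 GET /Orion/NetPerfMon/Alerts.aspx - tenant_a 203.0.113.5 200
2013-07-25 14:02:30 GET /Orion/NetPerfMon/Traps.aspx - tenant_a 203.0.113.5 302
2013-07-25 14:03:05 GET /Orion/IPAM/subnets.aspx - tenant_a 203.0.113.5 200
2013-07-25 14:03:20 GET /Orion/NetPerfMon/Alerts.aspx - admin 198.51.100.9 200
"""

def parse_w3c(text):
    """Yield one dict per request line, skipping '#' directive lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line; skip rather than guess
        yield dict(zip(FIELDS, parts))

def find_violations(text, allowed=ALLOWED):
    """Return requests where a view-limited account was served (HTTP 200)
    a page outside its allow-list. Redirects and denials (3xx/4xx) are not
    violations: they show the server enforced the limitation."""
    hits = []
    for rec in parse_w3c(text):
        user = rec["cs-username"]
        if user not in allowed:
            continue  # not a limited account under this policy
        path = rec["cs-uri-stem"].lower()
        if rec["sc-status"] == "200" and path not in allowed[user]:
            hits.append((user, rec["cs-uri-stem"], rec["c-ip"], rec["time"]))
    return hits

if __name__ == "__main__":
    for user, path, ip, when in find_violations(SAMPLE_LOG):
        print(f"{when} {user}@{ip} was served restricted page {path}")
```

      Any hit is evidence that page access is not enforced server-side for that account, which is the condition the original post describes; a clean run after a product fix or a reverse-proxy rule is the corresponding regression check.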

        • Re: View Limitation Not Working - Security Holes??
          the_toilet

          I agree, this needs some work.  The way I have tried to get around it is to publish the web console from Citrix and lock down Internet Explorer so you cannot break out or even see the URL.

          The problem we still have is that, for some reason, SolarWinds deemed it good to pop up windows at every opportunity (events, custom charts, etc.).  This means that a new Internet Explorer window pops up, which you cannot lock down in any way at all... (unless you can develop a brand new web browser with no user interaction).

          I would love SolarWinds to work on security issues as a matter of urgency, but the big money is in small enterprises; the large customers, I think, are just too small in numbers to be able to drive development directions.

          Also, my priority has been performance enhancements, so I am happy that SW are working on that area at the moment, but I think security needs to be next or it will start to experience problems in the enterprise space.

          • Re: View Limitation Not Working - Security Holes??
            Network_Guru

            Bump, how close is this "enhancement" now?

            I would like to lock down an account to a single IPAM report URL.

            This account does not require access to any other URL on the server.