I've been testing the view limitations for read-only accounts with access to only specific subnets.
I was disappointed to find out they could still see all the other Networks (albeit greyed out) besides the Network they were given access to.
Putting on my BlackHat I decided to check to see what else this account has access to.
I created a custom page that only shows the search for IP address box and a link to the Manage Subnets & IP addresses page (http://<IPAM-server>/Orion/IPAM/subnets.aspx.
I was actually wanting to have them go directly to this page when they first login, but have not figured out a way to do this.
So the Menu bar has only this tab on it with a Home page called IP_SUMM with the search for IP address box and a user link to the Manage Subnets & IP addresses page (in case they don't see the tab on the menu bar).
So here is where the security hole lies:
Once on the Manage Subnets & IP addresses page I search for an IP (using the Search IPAM box) which is not in the range that this account has access to.
This takes me to the /Orion/IPAM/search.aspx page - so far so good, the IP is not found.
However, at the bottom of this page is a link which says: "or, go to: IP address Manager Summary"
Now this "locked down" user account can see not only the Top 20 subnets by % IP Address Used (which honors the account limitations) but also the other reports on this page.
These are reports whcih the user should not have access to, such as Top 20 DHCP scopes by Utilization, Last 25 IPAM Events, and Active Alerts, which are not honored by the account limitation.
I can click on one of the DHCP scope in the top 20 list which is outside of the subnets this account can view and it takes me to the DHCP Manangement & DNS Monitoring page:
Of course this page has tabs for Scopes/DHCP Servers/DNS Zones & DNS Servers which certainly should not be accessible by this account.
This allows the restricted user account to view all the DHCP & DNS servers and scopes for all IP addresses, including subnets outside of their account limitation.
This is a huge security concern which prevents us from sharing our IPAM database with other groups in our organization.
Has anyone else run into this. or can they confrim this behaviour?
I want to confirm I have not made some kind of configuration error in the view limitation.