Hosting Controller Security Bulletin – July 16, 2002

Welcome to the first edition of the Hosting Controller Security Bulletin, designed to keep you abreast of news and developments regarding recently discovered security issues. Before reading this bulletin, it is highly recommended to read the article ‘How To Secure Windows 2000 Server’ in the Hosting Controller Knowledgebase and, at a minimum, remove the EVERYONE permissions from the server as described there. See the article at http://www.hostingcontroller.com/english/support/kb/HCKB-Article44.html.

The information contained in this security bulletin provides guidance on various practical issues. The contents can be broken down into two sections: one that helps Hosting Controller v.2002 users understand how to apply the security fixes, and another that helps Hosting Controller v.1.x users take the critical steps to compliance.

S E C U R I T Y    I S S U E S

Recently we were informed about several security holes in the User Management, Folder Copy and ODBC DSN Management sections of Hosting Controller. Unchecked routines in the ASP scripts allow an attacker to obtain system-level privileges by manipulating the form submissions these pages accept.

The details of the security bugs are not being released, to protect those who do not learn of this security bulletin in a timely fashion.

R I S K     R A T I N G

Internet Servers - Critical

P A T C H    A V A I L A B I L I T Y

1. Hosting Controller v.2002 Users: A patch (Service Pack 2) is available for Hosting Controller v.2002 users at http://hostingcontroller.com/english/sp/index.html. You are required to download and apply this service pack.

Besides updating the vulnerable ASP files, this service pack makes the following changes.

  1. Randomizes the ‘AdvWebAdmin’ password. It is also highly recommended to turn off terminal access for ‘AdvWebAdmin’. Terminal access can be turned off from the account properties in ‘User Management’ under ‘Administrative Tools’. See below for detailed instructions.
  2. Creates a new group ‘HCGroup’ and moves all HC users to this new group. If you have already specified ‘HCGroup’ as the group for creating HC users, it remains unchanged.
  3. Renames the default HC ODBC DSN to a new random name starting with HCxxxxxxxx and updates the DSN name in the HC settings as well.

2. Hosting Controller v.1.x Users: Hosting Controller v.1.x users are required to apply a manual fix. Follow the procedure below.

Reset AdvWebAdmin password: ‘AdvWebAdmin’ is the anonymous user for the Hosting Controller virtual directory. You need to reset its password. The password should be more than 13 characters long and should contain special characters, e.g. ‘aLpHa@23HiT!’. Also turn off terminal access for this user.

To Reset ‘AdvWebAdmin’ password:

  1. Open Computer Management. To open Computer Management, click ‘Start’, point to ‘Settings’, and then click ‘Control Panel’. Double-click ‘Administrative Tools’, and then double-click ‘Computer Management’.
  2. In the console tree, click ‘Local Users and Groups’. Click ‘Users’.
  3. Click ‘AdvWebAdmin’ user account.
  4. Click ‘Action’, and then click ‘Set Password’.

To Turn Off Terminal Access:

  1. Open Computer Management. To open Computer Management, click ‘Start’, point to ‘Settings’, and then click ‘Control Panel’. Double-click ‘Administrative Tools’, and then double-click ‘Computer Management’.
  2. In the console tree, click ‘Local Users and Groups’. Click ‘Users’.
  3. Click ‘AdvWebAdmin’ user account.
  4. Click ‘Action’, and then click ‘Properties’. Click the ‘Terminal Service Profile’ tab and clear the ‘Allow logon to terminal server’ check box. Click ‘OK’.

Remove Users Group from registry: Because Windows by default grants ‘Read’ permission on the registry to the ‘Users’ group, anyone can read the registry from any scripting language, such as ASP. An attacker can read the HC database DSN name from the registry and use it to manipulate the database; from there, one can even obtain system-level privileges.

To Remove The Users Group Permission:

  1. Click Start, Run and enter ‘regedt32’.
  2. Select HKEY_LOCAL_MACHINE on Local Machine. Double click ‘SOFTWARE’, and then double click on ‘Advanced Communications’.
  3. Click ‘Security’ on the menu, click ‘Permissions’ and clear the check box ‘Allow inheritable permissions from parent to propagate to this object’. Click ‘Copy’ when you get the alert prompt. Now select ‘Users’ and click the ‘Remove’ button. Click ‘OK’.

Rename Hosting Controller ODBC DSN: This step is required only if your HC ODBC DSN name is ‘HCDatabase’.

To Rename ODBC DSN Name:

  1. Open Data Sources (ODBC). To open Data Sources (ODBC), click ‘Start’, point to ‘Settings’, and then click ‘Control Panel’. Double-click ‘Administrative Tools’, and then double-click ‘Data Sources (ODBC)’.
  2. Click the ‘System DSN’ tab, select the DSN ‘HCDatabase’ and click the ‘Configure’ button, which displays the DSN configuration dialog.
  3. Enter a different name in the ‘Data Source Name’ box and click ‘OK’.
  4. Open the Hosting Controller Settings utility and enter this new name in the ‘Data Source Name’ box under the ‘General’ tab. Click ‘OK’.

Apply UpdateUser Hot Fix: Download and apply the UpdateUser Security Hot Fix from http://www.hostingcontroller.com/english/patches/ForAll/download/UpdateUser.zip. Instructions for applying the hot fix are included in the zip package.
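As an added example (not part of the bulletin and not Hosting Controller's own tooling), the following PowerShell audits a host for the three v.1.x conditions above (the ‘AdvWebAdmin’ account and its terminal logon flag, the ‘Users’ group permission on the ‘Advanced Communications’ registry key, and the default ‘HCDatabase’ DSN) and, with -Fix, applies the registry permission change exactly as the manual steps do. It assumes a current Windows host with PowerShell 5.1 (the Windows 2000 servers the bulletin targets predate PowerShell) and that the WinNT ADSI provider's AllowLogon property reflects the ‘Allow logon to terminal server’ check box.

```powershell
# Added audit/remediation helper; not part of the bulletin or of Hosting Controller.
# Assumes PowerShell 5.1+ on the host; key and DSN names are those named in the bulletin.
param([switch]$Fix)   # without -Fix the script only reports

$findings = @()
$key = 'HKLM:\SOFTWARE\Advanced Communications'

# 1. 'AdvWebAdmin' (anonymous IIS user): report password age and the Terminal Services logon flag.
$u = Get-LocalUser -Name 'AdvWebAdmin' -ErrorAction SilentlyContinue
if ($u) {
    $findings += "AdvWebAdmin password last set: $($u.PasswordLastSet)"
    # Assumption: the WinNT ADSI provider exposes 'Allow logon to terminal server' as AllowLogon.
    $ads = [ADSI]"WinNT://$env:COMPUTERNAME/AdvWebAdmin,user"
    try { if ($ads.psbase.InvokeGet('AllowLogon') -ne 0) { $findings += 'AdvWebAdmin may still log on to terminal server' } }
    catch { $findings += 'Could not read AllowLogon for AdvWebAdmin (check the account properties manually)' }
}

# 2. Registry: the bulletin's concern is that BUILTIN\Users inherits Read on the HC key,
#    so any ASP script running as a low-privilege user can read the DSN name from it.
if (Test-Path $key) {
    $acl = Get-Acl -Path $key
    $usersAllow = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and $_.AccessControlType -eq 'Allow' }
    if ($usersAllow) {
        $findings += "BUILTIN\Users has Allow access on $key"
        if ($Fix) {
            # Same sequence as the manual steps: stop inheriting, keep copies of the current
            # ACEs (the 'Copy' prompt), then drop every Allow entry for Users and write back.
            $acl.SetAccessRuleProtection($true, $true); Set-Acl -Path $key -AclObject $acl
            $acl = Get-Acl -Path $key
            $rule = New-Object System.Security.AccessControl.RegistryAccessRule('BUILTIN\Users', 'ReadKey', 'Allow')
            [void]$acl.RemoveAccessRuleAll($rule)
            Set-Acl -Path $key -AclObject $acl
            $findings += "Removed BUILTIN\Users from $key"
        }
    }
}

# 3. ODBC: a System DSN still named 'HCDatabase' is the default the bulletin says to rename.
$dsnKeys = 'HKLM:\SOFTWARE\ODBC\ODBC.INI\ODBC Data Sources',
           'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBC.INI\ODBC Data Sources'   # 32-bit drivers on x64
foreach ($k in $dsnKeys) {
    if ((Test-Path $k) -and ((Get-Item $k).GetValueNames() -contains 'HCDatabase')) {
        $findings += "Default DSN name 'HCDatabase' is still registered under $k"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No findings' }
```

Run it from an elevated prompt; the DSN rename itself is left to the manual steps because the new name must also be entered in the Hosting Controller Settings utility.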

C R E D I T S:

Ben Maurer (http://theratnerschool.org)
