Securing Truxton Services
If you must operate in a more "locked down" mode, FISMA for instance, you must change how Truxton's services run.
How to Secure Truxton Services
To find out what the permissions are for a service, use the sc sdshow command:
sc sdshow Les
sc sdshow Truxton
sc sdshow TruxtonDatabase
On my machine, it produces this lovely string:
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
You can use the PowerShell ConvertFrom-SddlString command to convert it to something human-readable.
ConvertFrom-SddlString -Sddl "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)" | Foreach-Object {$_.DiscretionaryAcl}
A better way to begin to understand it is by adding spaces and line breaks:
D:
(A;;CC DC LC SW RP WP DT LO CR SD RC WD WO;;;BU)
(A;;CC LC SW RP WP DT LO CR RC;;;SY)
(A;;CC DC LC SW RP WP DT LO CR SD RC WD WO;;;BA)
(A;;CC LC SW LO CR RC;;;IU)
(A;;CC LC SW LO CR RC;;;SU)
The most common permissions to alter are DC, WD and WO.
Code | Meaning |
---|---|
DC | Change Configuration (aka Write Data) |
WD | Change Permissions (aka Write Descriptor) |
WO | Take Ownership (aka Write Owner) |
It looks like BuiltIn Users (BU) is the culprit. Let's change the BU part to get rid of those:
(A;;CC LC SW RP WP DT LO CR SD RC;;;BU)
Start a command prompt as Administrator then:
sc sdset Les D:(A;;CCLCSWRPWPDTLOCRSDRC;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
sc sdset Truxton D:(A;;CCLCSWRPWPDTLOCRSDRC;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
sc sdset TruxtonDatabase D:(A;;CCLCSWRPWPDTLOCRSDRC;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
External links
- Microsoft Guidelines
- How to Read SDDL
- ACE Strings are the string of letters and semicolons between the parentheses above
- SDDL Specification
PostgreSQL Logon without Password
You can configure Truxton and Postgres to use Windows accounts for authentication (SSPI).
This allows you to get rid of passwords.
The following example assumes the name of the account to log onto Postgres is postgres and the name of the account to log onto Windows is BillyG.
Here are the steps:
- Stop the Truxton service
- Stop the Les service
- Stop the Postgres service
- Edit the pg_ident.conf to add
  windows_map BillyG postgres
- Edit the pg_hba.conf to add (above all other entries)
  host all postgres 0.0.0.0/0 sspi map=windows_map include_realm=0
  host all postgres ::0/0 sspi map=windows_map include_realm=0
- Edit the TruxtonSettings.xml file to modify the connection strings
  <dbconnectionstring>Host=localhost;Port=5432;Database=Truxton;Username=postgres;Integrated Security=True;</dbconnectionstring>
  <mbconnectionstring>Host=localhost;Port=5432;Database=TruxtonMessageBus;Username=postgres;Integrated Security=True;</mbconnectionstring>
- Restart the Postgres service
- Restart the Les service
- Restart the Truxton service
You can test the connection by using the version.py Python script.
Be very careful with the case of the account names.
Postgres is case sensitive.
Also, in the database connection strings, you MUST put a machine name like localhost. If you specify an IP address such as 127.0.0.1, it will not work.
PostgreSQL Logon without MD5
By default, PostgreSQL uses the MD5 hashing algorithm for password authentication. The problem is MD5 is no longer approved for use in FIPS certified systems. Luckily, PostgreSQL will allow you to use a different method called SCRAM which uses SHA-256 as the algorithm for hashing passwords.
Now you are left with a bit of a chicken-or-the-egg situation. If you change the algorithm to SCRAM then you can't log on with the MD5 stored in the database. The trick to successfully switching to SCRAM from MD5 is to tell PostgreSQL to use SCRAM to obfuscate all new passwords while logged in with MD5. We must:
- While logged in using MD5, tell PostgreSQL to scramble passwords with SCRAM
- Change our password so it will be stored in SCRAM format
- Tell PostgreSQL to use SCRAM for password authentication
Steps
This is for very old installations of Truxton that used MD5 as the logon method.
IT IS HIGHLY RECOMMENDED THAT YOU TRY THESE STEPS ON A TEMPORARY INSTALL OF POSTGRESQL!
The steps are as follows:
- Install PostgreSQL Server
- Log onto the server
  psql.exe -U postgres
- Configure PostgreSQL to use SCRAM instead of MD5
  alter system set password_encryption = 'scram-sha-256';
- Reload PostgreSQL's configuration by executing
  select pg_reload_conf();
- Now change your password by executing
  \password
- Enter the same password you had or a new one
- At this point, your password is stored in PostgreSQL as SCRAM and not MD5, which means you can no longer log onto PostgreSQL
- Edit the pg_hba.conf and alter lines that end with md5 to end with scram-sha-256
  host all all 0.0.0.0/0 scram-sha-256
  host all all ::0/0 scram-sha-256
Easy Button Loads
In order to support Easy Button loads, the permissions of the PostgreSQL service must be altered.
Security is a pain.
When PostgreSQL installs, it does so with minimal permissions.
This makes sense: if a database exploit makes it through, it doesn't have Administrator permissions.
However, this also prevents normal humans from starting or stopping the service from the command line.
net stop will fail with users' favorite error - Access Denied.
So we have a service running in a reduced-permissions context that can only be started or stopped by Administrators.
To really confuse the snot out of everyone, the Services control panel application has no problem starting or stopping the service.
The GUI does some sort of magic call that the command line does not.
Security just sucks.
In order to allow mere mortals to control Postgres, you must alter the permissions of that service.
sc sdset postgresql-x64-12 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)
The above gives Authenticated Users (AU) the same permissions as administrators.
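The hand edit of the BU entry in the first section and the AU entry in the postgresql-x64-12 descriptor above can both be checked mechanically. The following Python is an added example, not part of Truxton: it lists which trustees hold DC, WD or WO and rebuilds a descriptor without them. The function names are hypothetical, and treating only BA as an expected holder of those rights is this example's assumption.

```python
import re

RISKY = {"DC", "WD", "WO"}  # change config, change permissions, take ownership
TRUSTED = {"BA"}            # assumption: only Built-in Administrators keep them
ACE_RE = re.compile(r"\(([^()]*)\)")

# Descriptors copied from this page.
ORIGINAL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
            "(A;;CCLCSWLOCRRC;;;SU)")
EASY_BUTTON = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)")

def split_rights(rights):
    """'CCDCLC' -> ['CC', 'DC', 'LC']; a hex mask (0x...) is left whole."""
    return [rights] if rights.startswith("0x") else re.findall("..", rights)

def parse_dacl(sddl):
    """Return (ace_type, rights, trustee) for every ACE in the SDDL string."""
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append((fields[0], split_rights(fields[2]), fields[5]))
    return aces

def risky_grants(sddl, trusted=TRUSTED):
    """Map each non-trusted trustee to the risky rights its allow ACEs grant."""
    found = {}
    for ace_type, rights, trustee in parse_dacl(sddl):
        hits = [r for r in rights if r in RISKY]
        if ace_type == "A" and trustee not in trusted and hits:
            found.setdefault(trustee, []).extend(hits)
    return found

def strip_rights(sddl, trustee, remove=RISKY):
    """Rebuild the SDDL with `remove` dropped from the trustee's allow ACEs."""
    def fix(match):
        f = match.group(1).split(";")
        if len(f) >= 6 and f[0] == "A" and f[5] == trustee:
            f[2] = "".join(r for r in split_rights(f[2]) if r not in remove)
        return "(" + ";".join(f) + ")"
    return ACE_RE.sub(fix, sddl)

if __name__ == "__main__":
    print(risky_grants(ORIGINAL), risky_grants(EASY_BUTTON))
```

strip_rights(ORIGINAL, "BU") reproduces the descriptor passed to sc sdset in the first section, and risky_grants(EASY_BUTTON) reports DC, WD and WO for AU.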