Securing Truxton Services

From truxwiki.com

If you must operate in a more "locked down" mode, FISMA for instance, you must change how Truxton's services run.

How to Secure Truxton Services

To find out what the permissions are for a service, use the sc sdshow command:

sc sdshow Les
sc sdshow Truxton
sc sdshow TruxtonDatabase

On my machine, it produces this lovely string:

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

You can use the PowerShell ConvertFrom-SddlString command to convert it to something human-readable.

ConvertFrom-SddlString -Sddl "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)" | Foreach-Object {$_.DiscretionaryAcl}

A better way to begin to understand it is by adding spaces and line breaks:

D:
(A;;CC DC LC SW RP WP DT LO CR SD RC WD WO;;;BU)
(A;;CC LC SW RP WP DT LO CR RC;;;SY)
(A;;CC DC LC SW RP WP DT LO CR SD RC WD WO;;;BA)
(A;;CC LC SW LO CR RC;;;IU)
(A;;CC LC SW LO CR RC;;;SU)

The most common permissions to alter are DC, WD and WO.

Code  Meaning
DC    Change Configuration (aka Write Data)
WD    Change Permissions (aka Write Descriptor)
WO    Take Ownership (aka Write Owner)

It looks like BuiltIn Users (BU) is the culprit. Let's change the BU part to get rid of those:

(A;;CC LC SW RP WP DT LO CR SD RC;;;BU)

Start a command prompt as Administrator then:

sc sdset Les D:(A;;CCLCSWRPWPDTLOCRSDRC;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
sc sdset Truxton D:(A;;CCLCSWRPWPDTLOCRSDRC;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
sc sdset TruxtonDatabase D:(A;;CCLCSWRPWPDTLOCRSDRC;;;BU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

PostgreSQL Logon without Password

You can configure Truxton and Postgres to use Windows accounts for authentication (SSPI). This allows you to get rid of passwords. The following example assumes the name of the account to log onto Postgres is postgres and the name of the account to log onto Windows is BillyG. Here are the steps:

  1. Stop the Truxton service
  2. Stop the Les service
  3. Stop the Postgres service
  4. Edit the pg_ident.conf to add
    windows_map BillyG postgres
  5. Edit the pg_hba.conf to add (above all other entries)
    host all postgres 0.0.0.0/0 sspi map=windows_map include_realm=0
    host all postgres ::0/0     sspi map=windows_map include_realm=0
  6. Edit the TruxtonSettings.xml file to modify the connection strings
    <dbconnectionstring>Host=localhost;Port=5432;Database=Truxton;Username=postgres;Integrated Security=True;</dbconnectionstring>
    <mbconnectionstring>Host=localhost;Port=5432;Database=TruxtonMessageBus;Username=postgres;Integrated Security=True;</mbconnectionstring>
    
  7. Restart the Postgres service
  8. Restart the Les service
  9. Restart the Truxton service

You can test the connection by using the version.py Python script. Be very careful with the case of the account names: Postgres is case sensitive. Also, in the database connection strings, you MUST put a machine name like localhost. If you specify an IP address such as 127.0.0.1, it will not work.

PostgreSQL Logon without MD5

By default, PostgreSQL uses the MD5 hashing algorithm for password authentication. The problem is that MD5 is no longer approved for use in FIPS-certified systems. Luckily, PostgreSQL will allow you to use a different method called SCRAM, which uses SHA-256 as the algorithm for hashing passwords.

Now you are left with a bit of a chicken-or-the-egg situation. If you change the algorithm to SCRAM then you can't log on with the MD5 stored in the database. The trick to successfully switching to SCRAM from MD5 is to tell PostgreSQL to use SCRAM to obfuscate all new passwords while logged in with MD5. We must:

  1. While logged in using MD5, tell PostgreSQL to scramble passwords with SCRAM
  2. Change our password so it will be stored in SCRAM format
  3. Tell PostgreSQL to use SCRAM for password authentication

Steps

This is for very old installations of Truxton that used MD5 as the logon method.

IT IS HIGHLY RECOMMENDED THAT YOU TRY THESE STEPS ON A TEMPORARY INSTALL OF POSTGRESQL!

The steps are as follows:

  1. Install PostgreSQL Server
  2. Log onto the server
    psql.exe -U postgres
    
  3. Configure PostgreSQL to use SCRAM instead of MD5
    alter system set password_encryption = 'scram-sha-256';
    
  4. Reload PostgreSQL's configuration by executing
    select pg_reload_conf();
    
  5. Now change your password by executing
    \password
    
  6. Enter the same password you had or a new one
  7. At this point, your password is stored in PostgreSQL as SCRAM and not MD5 which means you can no longer log onto PostgreSQL
  8. Edit the pg_hba.conf and alter lines that end with md5 to end with scram-sha-256
    host    all             all             0.0.0.0/0               scram-sha-256
    host    all             all             ::0/0                   scram-sha-256
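
PostgreSQL reads pg_hba.conf top to bottom and the first line that matches the connection decides the authentication method, which is why the SSPI lines above must sit above all other entries and why leftover md5 lines matter. The following is an added example, not part of the original page or of Truxton: it resolves which rule a connection hits and lists rules still using md5. It handles only CIDR addresses and the all keyword, and the sample configurations are constructed from the lines on this page.

```python
import ipaddress

def parse_hba(text):
    """Parse pg_hba.conf text into rule dicts, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f and f[0] == "local":
            f.insert(3, "")               # local rules have no ADDRESS column
        if len(f) < 5:
            continue
        rules.append({"type": f[0], "dbs": f[1].split(","),
                      "users": f[2].split(","), "addr": f[3], "method": f[4]})
    return rules

def first_match(rules, db, user, client_ip):
    """Return the first host rule matching a TCP connection, as the server does."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if not r["type"].startswith("host"):
            continue
        if not {"all", db} & set(r["dbs"]) or not {"all", user} & set(r["users"]):
            continue
        if r["addr"] != "all":
            try:
                if ip not in ipaddress.ip_network(r["addr"], strict=False):
                    continue
            except ValueError:            # hostname, samehost, samenet: not handled
                continue
        return r
    return None

def md5_rules(rules):
    """Rules still using md5 after the SCRAM migration."""
    return [r for r in rules if r["method"] == "md5"]

SSPI = ("host all postgres 0.0.0.0/0 sspi map=windows_map include_realm=0\n"
        "host all postgres ::0/0     sspi map=windows_map include_realm=0\n")
# Constructed samples built from the lines on this page.
GOOD = SSPI + "host all all 0.0.0.0/0 scram-sha-256\nhost all all ::0/0 scram-sha-256\n"
SHADOWED = "host all all 0.0.0.0/0 md5\nhost all all ::0/0 md5\n" + SSPI

if __name__ == "__main__":
    for name, conf in (("good", GOOD), ("shadowed", SHADOWED)):
        rules = parse_hba(conf)
        hit = first_match(rules, "Truxton", "postgres", "127.0.0.1")
        print(name, hit["method"], "md5 rules left:", len(md5_rules(rules)))
```

In the SHADOWED sample the SSPI lines are never reached, because the catch-all md5 lines above them match first.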

Easy Button Loads

In order to support Easy Button loads, the permissions of the PostgreSQL service must be altered.

Security is a pain. When PostgreSQL installs, it does so with minimal permissions. This makes sense: if a database exploit makes it through, it doesn't have Administrator permissions. However, this also prevents normal humans from starting or stopping the service from the command line. net stop will fail with users' favorite error: Access Denied. So we have a service running in a reduced-permissions context that can only be started or stopped by Administrators. To really confuse the snot out of everyone, the Services control panel application has no problem starting or stopping the service. The GUI does some sort of magic call that the command line does not. Security just sucks.

In order to allow mere mortals to control Postgres, you must alter the permissions of that service.

sc sdset postgresql-x64-12 D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)

The above gives Authorized Users (AU) the same permissions as administrators.
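
An added example, not part of the original page or of Truxton: a small Python audit of the service descriptors shown under "Securing Truxton Services" and "Easy Button Loads", reporting which trustees other than SY and BA hold DC, WD or WO. It assumes rights are written as two-letter codes rather than hex masks, and treating SY and BA as the only trustees meant to hold those rights is an assumption of this example.

```python
import re

# Service-specific meaning of each two-letter SDDL rights code.
RIGHTS = {
    "CC": "query config", "DC": "change config", "LC": "query status",
    "SW": "enumerate dependents", "RP": "start", "WP": "stop",
    "DT": "pause/continue", "LO": "interrogate", "CR": "user-defined control",
    "SD": "delete", "RC": "read control", "WD": "write DAC", "WO": "write owner",
}
DANGEROUS = ("DC", "WD", "WO")  # the three rights the page singles out
TRUSTED = {"SY", "BA"}          # assumption: only these trustees may hold them

# ACE layout: (type;flags;rights;object;inherit_object;trustee)
ACE = re.compile(r"\(([^;]*);[^;]*;([^;]*);[^;]*;[^;]*;([^;)]*)\)")

def parse_dacl(sddl):
    """Return [(ace_type, trustee, [rights codes])] for the D: part of sddl."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [(t, who, re.findall("..", rights)) for t, rights, who in ACE.findall(dacl)]

def risky_grants(sddl):
    """Map each untrusted trustee to the dangerous rights an allow ACE grants it."""
    found = {}
    for ace_type, trustee, rights in parse_dacl(sddl):
        hits = [r for r in rights if r in DANGEROUS]
        if ace_type == "A" and trustee not in TRUSTED and hits:
            found.setdefault(trustee, []).extend(hits)
    return found

# Descriptors copied from the sc sdshow / sc sdset lines on this page.
FULL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"
COMMON = ("(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;" + FULL + ";;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
BEFORE = "D:(A;;" + FULL + ";;;BU)" + COMMON
AFTER = "D:(A;;CCLCSWRPWPDTLOCRSDRC;;;BU)" + COMMON
EASY_BUTTON = "D:" + COMMON + "(A;;" + FULL + ";;;AU)"

if __name__ == "__main__":
    for name, sddl in (("before", BEFORE), ("after", AFTER), ("easy", EASY_BUTTON)):
        for who, codes in risky_grants(sddl).items():
            print(name, who, [RIGHTS[c] for c in codes])
```

The hardened descriptor produces no findings, while the Easy Button descriptor reports AU holding all three rights, so that change should be a deliberate, documented exception on hosts that need it.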