[mapguide-users] RE: MG Security question

2009-08-26 Thread Bruce Dechant
Tom,

I don't know of any document describing the security of MGOS.

With regard to your concern over serveradminhelper: it is hard-coded to use the 
default administrator user name and password, so credentials are still 
required, just no dialog. If you plan on using MGOS or any other system that 
uses logon credentials it is always recommended that you change the default 
administrator credentials. However, I do think that the serveradminhelper pages 
need to be updated so that credentials are asked for in a dialog instead of being 
hard-coded.

Thanks,
Bruce

From: mapguide-users-boun...@lists.osgeo.org 
[mailto:mapguide-users-boun...@lists.osgeo.org] On Behalf Of Homan, Thomas
Sent: Wednesday, August 26, 2009 11:23 AM
To: mapguide-users@lists.osgeo.org
Subject: [mapguide-users] MG Security question


Hello,

Does there happen to be a doc/wiki relating to security on MGOS?

I'm hoping to find something that details the obvious security holes, like where 
serveradminhelper.(php/aspx/jsp) is called from mapagent/index.html --- 
Server Admin and allows someone to take the MG server offline without having to 
enter any credentials. In a default install that tidbit is exposed to the public 
for their entertainment.

I'd like to know any of the other surprises that I don't yet know about as well.

Thanks in advance

Tom
___
mapguide-users mailing list
mapguide-users@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapguide-users


RE: [mapguide-users] RE: MG Security question

2009-08-26 Thread Homan, Thomas
Thanks for the response Bruce.
 
Changing the admin password was the first thing I did, and that brought
about my noticing that serveradminhelper was failing, and yes, I would
completely agree a dialog is warranted. I am mostly fishing for any
other known security deficiencies without a complete code review.
 
Tom


RE: [mapguide-users] RE: MG Security question

2009-08-26 Thread Daniel Du
Here is a document, Creating a Secure Site:

http://images.autodesk.com/adsk/files/secure_autodesk_mapguide_enterprise_site.pdf

cheers,
Daniel(Changyu) Du

From: mapguide-users-boun...@lists.osgeo.org 
[mailto:mapguide-users-boun...@lists.osgeo.org] On Behalf Of Trevor Wekel
Sent: Thursday, August 27, 2009 8:40 AM
To: MapGuide Users Mail List
Subject: RE: [mapguide-users] RE: MG Security question

Here are a few other suggestions for hardening the security on a production 
MapGuide site:

Remove the server admin pages (www/mapadmin) and the HTTP test pages 
(www/mapagent/*.html, *.js, *.php).  All of these pages require authentication 
but they do give a lot of information to anyone who can figure out the 
credentials.  Even the Anonymous user account has access to the HTTP test 
pages with the default security setup.

Disable all of the HTTP author role commands by adding the following to 
www/webconfig.ini
[AgentProperties]
DisableAuthoring = 1

Disabling authoring kills Maestro and Autodesk MapGuide Studio.  If you are 
only running one box, you can set up a second private instance of the web 
extensions with authoring enabled by installing a second HTTP Server (Apache or 
IIS) and then installing the web extensions on that server.  Both web servers 
can point at the same MapGuide Server.

If you are not using WMS or WFS, you can also disable serving of these 
protocols with
[AgentProperties]
DisableWfs = 1
DisableWms = 1

Thanks,
Trevor

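The hardening steps Trevor lists above (remove www/mapadmin and the www/mapagent test pages, set DisableAuthoring, DisableWfs and DisableWms under [AgentProperties] in www/webconfig.ini) are easy to get wrong by hand and easy to lose on an upgrade, so a small audit script helps. The following is an added example written for this thread, not code from the MapGuide project or from anyone on the list. It assumes webconfig.ini is a plain INI file that Python's configparser can read, uses only the three keys named in the mail, and constructs its own sample default configuration inline. Note that configparser rewrites the whole file and drops comments, so run harden() against a backup copy rather than the live file.

```python
"""Audit, and optionally apply, the webconfig.ini hardening from the mail above."""
import configparser
import io
from pathlib import Path

# Keys and values exactly as given in the mail (section [AgentProperties] of webconfig.ini).
SECTION = "AgentProperties"
HARDENING = {"DisableAuthoring": "1", "DisableWfs": "1", "DisableWms": "1"}
OPTIONAL_KEYS = ("DisableWfs", "DisableWms")   # only needed if WMS/WFS are not in use

# Test pages the mail says to remove from www/mapagent (www/mapadmin is removed whole).
TEST_PAGE_GLOBS = ("*.html", "*.js", "*.php")

# Constructed sample of a default configuration; only the keys above are real,
# the [GeneralProperties] section is a placeholder so the file has more than one section.
SAMPLE_DEFAULT = """\
[GeneralProperties]
# placeholder section
[AgentProperties]
DisableAuthoring = 0
"""


def load_ini(text: str) -> configparser.ConfigParser:
    """Parse INI text, keeping key case and disabling % interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str   # keep 'DisableWfs' rather than lower-casing it
    cp.read_string(text)
    return cp


def audit(text: str, require_wms_wfs_disabled: bool = True) -> list:
    """Return a list of findings; an empty list means the file is hardened."""
    cp = load_ini(text)
    findings = []
    if not cp.has_section(SECTION):
        findings.append(f"missing [{SECTION}] section")
        return findings
    for key, wanted in HARDENING.items():
        if key in OPTIONAL_KEYS and not require_wms_wfs_disabled:
            continue
        actual = cp.get(SECTION, key, fallback=None)
        if actual is None or actual.strip() != wanted:
            findings.append(f"{key} is {actual!r}, expected {wanted!r}")
    return findings


def harden(text: str, disable_wms_wfs: bool = True) -> str:
    """Return new INI text with the hardening keys set (comments are not preserved)."""
    cp = load_ini(text)
    if not cp.has_section(SECTION):
        cp.add_section(SECTION)
    for key, value in HARDENING.items():
        if key in OPTIONAL_KEYS and not disable_wms_wfs:
            continue
        cp.set(SECTION, key, value)
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def leftover_pages(www_root: str) -> list:
    """List admin/test pages still present under the web extensions root."""
    root = Path(www_root)
    found = []
    if (root / "mapadmin").exists():
        found.append("mapadmin/")
    agent = root / "mapagent"
    if agent.is_dir():
        for pattern in TEST_PAGE_GLOBS:
            found.extend(str(p.relative_to(root)) for p in sorted(agent.glob(pattern)))
    return found


if __name__ == "__main__":
    print("default config findings:", audit(SAMPLE_DEFAULT))
    print("after harden():", audit(harden(SAMPLE_DEFAULT)))
    # Real usage: audit(Path("www/webconfig.ini").read_text()), leftover_pages("www")
```

With require_wms_wfs_disabled=False the audit only insists on DisableAuthoring, matching the mail's "if you are not using WMS or WFS" caveat; the disable_wms_wfs flag on harden() mirrors it.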