Also - if you are going to tinker with security settings/rules:

I think it would be a good idea to enforce the password rules at the
server. Either via filters (probably bad idea) ... or in the actual arserver
code (better idea).

Last time I checked - they were enforced via active links ... which is pretty
easy to bypass. (We reported it ... but it did not seem to be received with
the same criticality as we saw).
(This was 2 years ago ... so it may have changed in the meantime... we pretty
much just use ARS APIs ... but - the APIs let you change your password to any
old thing you want.)


-John

On Thu, Jan 30, 2014 at 2:17 PM, John Baker <[email protected]> wrote:

> Doug
>
> And you don't force administrators to change the default Mid Tier
> password, which is the most relevant starting point for abuse given
> everything else is basically hidden from a web client.
>
> And you haven't made the "disable User" radio do what it says on the
> tin, ie disable a user, which will leave an administrator scratching
> their head when they believe that clicking disable will disable a user.
>
> And allowing run process to actually run a process is perhaps the
> craziest thing one would enable on an Internet facing deployment.
>
> And the password management stuff is kind of irrelevant if a user has no
> password, ie when SSO is enabled.
>
> So there are some improvements for 8.2.
>
>
> John
>
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> "Where the Answers Are, and have been for 20 years"
>

-- 

*John Sundberg*
Kinetic Data, Inc.
"Your Business. Your Process."

Save the date!
*KEG14*
February 24-25, 2014
*For more information, click here* - KEG <http://www.kineticdata.com/Events/KEG.html>

651-556-0930 | [email protected]
www.kineticdata.com | community.kineticdata.com
