I have been following this thread with great interest. The issue seems to be 
that if someone has Excel, UniObjects and knows how U2 works that they can gain 
access to the data.

Where are these people? Are they working for the IT department?

Is this a real life scenario? or an exercise in theory of what might happen?

Les
-----Original Message-----
From: Piers Angliss [mailto:[EMAIL PROTECTED]
Sent: 31 May 2005 10:07
To: [email protected]
Subject: RE: [U2] Uniobjects hack


JayJay,

Reading between the lines I think you're saying a firewall could be a good
idea....

I'm not sure that the other methods will work though. As I understand the
problem, it is that you can have a secure VB App using UniObjects on a
secure PC but if I have access to Excel on that PC, together with a valid
server login id and password (with update rights) and basic knowledge of the
directory structure on the server then techniques 2, 5, 6 & 7 won't trouble
me at all. Ok, I need to understand UniObjects and U2.

I'm not even sure that a firewall would help because the PC I'm trying to
hack the database from has a valid IP address to run the VB App.

As somebody looking to implement UniObjects alongside traditional
server-based applications that's a big hole. I can plug it by taking David
Jordan's advice and using AUTHORIZE, but that's a lot of work for me at this
stage.

It sounds like UOLOGIN is a step in the right direction, but it is only
available on UniData and if Ian's experience is any guide may have some
"implementation issues".

I've been impressed with how easy it is to use UniObjects, I'm less
impressed now. The functionality is great but in too many cases it's just a
hugely inviting route to hack the database, it needs better server-side
authentication.

Piers


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Jenkins
Sent: 30 May 2005 01:56
To: [email protected]
Subject: RE: [U2] Uniobjects hack


Other techniques posted on the group will work as well - but to list a few:

1. firewall with nominated IP address interconnectivity ONLY
2. Restricted accounts with purged VOCs
3. O.S level permissions (or Tivoli Access Manager)
4. Triggers
5. Account level controls (remote verbs etc)
6. UO application-level authentication (suggest public key and one-time-pad
for the serious - stops network sniffing)
7. Restrict access to Windows client PCs - stop anyone from doing anything
untoward as they don't have permission to load or use that sort of software.
8. firewall
9. firewall
-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/
