Les,
this is a situation i have right now which is why i raised this.
So far no damage has been done but i know the guy is trying and has enogh of
free time to play around.
Its unlikely that you will get a user who knows the workings of Universe but
some do know VBA and ODBC/OLEDB well enough to think they can get the
information they require by doing it themselves.without going through the
official menus.
jak
----- Original Message -----
From: "Les Hewkin" <[EMAIL PROTECTED]>
To: <u2-users@listserver.u2ug.org>
Sent: Tuesday, May 31, 2005 7:39 PM
Subject: RE: [U2] Uniobjects hack
I have been following this thread with great intrest. The issues seems to
be that if someone has Excel, UniObjects and knows how U2 works that they
can gain access to the data.
Where are these people? Are they working for the IT department?
Is this a real life scenario? or an exercise in theory of what might
happen?
Les
-----Original Message-----
From: Piers Angliss [mailto:[EMAIL PROTECTED]
Sent: 31 May 2005 10:07
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Uniobjects hack
JayJay,
Reading between the lines I think you're saying a firewall could be a good
idea....
I'm not sure that the other methods will work though. As I understand the
problem, it is that you can have a secure VB App using UniObjects on a
secure PC but if I have access to Excel on that PC, together with a valid
server login id and password (with update rights) and basic knowledge of
the
directory structure on the server then techniques 2, 5, 6 & 7 won't
trouble
me at all. Ok, I need to understand UniObjects and U2.
I'm not even sure that a firewall would help because the PC I'm trying to
hack the database from has a valid IP address to run the VB App
As somebody looking to implement UniObjects alongside traditional
server-based applications that's a big hole. I can plug it by taking David
Jordan's advice and using AUTHORIZE, but that's a lot of work for me at
this
stage.
It sounds like UOLOGIN is a step in the right direction, but it is only
available on UniData and if Ian's experience is any guide may have some
"implementation issues".
I've been impressed with how easy it is to use UniObjects, I'm less
impressed now. The functionality is great but in too many cases it's just
a
hugely inviting route to hack the database, it needs better server-side
authentication
Piers
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Jenkins
Sent: 30 May 2005 01:56
To: u2-users@listserver.u2ug.org
Subject: RE: [U2] Uniobjects hack
Other techniques posted on the group will work as well - but to list a
few:
1. firewall with nominated IP address interconnectivity ONLY
2. Restricted accounts with purged VOCs
3. O.S level permissions (or Tivoli Access Manager)
4. Triggers
5. Account level controls (remote verbs etc)
6. UO application-level authentication (suggest public key and
one-time-pad
for the serious - stops network sniffing)
7. Restrict access to Windows client PCs - stop anyone from doing anything
untoward as they don't have permission to load or use that sort of
software.
8. firewall
9. firewall
-------
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/
This message has been comprehensively scanned for viruses,
please visit http://virus.e2e-filter.com/ for details.
This e-mail and any attachments are confidential and intended solely for
the use of the addressee only. If you have received this message in error,
you must not copy, distribute or disclose the contents; please notify the
sender immediately and delete the message.
This message is attributed to the sender and may not necessarily reflect
the view of Travis Perkins plc or its subsidiaries (Travis Perkins).
Agreements binding Travis Perkins may not be concluded by means of e-mail
communication.
E-mail transmissions are not secure and Travis Perkins accepts no
responsibility for changes made to this message after it was sent. Whilst
steps have been taken to ensure that this message is virus free, Travis
Perkins accepts no liability for infection and recommends that you scan
this e-mail and any attachments.
Part of Travis Perkins plc. Registered Office: Lodge Way House, Lodge Way,
Harlestone Road, Northampton, NN5 7UG.
-------
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/
-------
u2-users mailing list
u2-users@listserver.u2ug.org
To unsubscribe please visit http://listserver.u2ug.org/
