<html xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<title>MG Security question</title>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Here is a document, “Creating a Secure Site”:<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><a
href="http://images.autodesk.com/adsk/files/secure_autodesk_mapguide_enterprise_site.pdf"
target="_blank">http://images.autodesk.com/adsk/files/secure_autodesk_mapguide_enterprise_site.pdf</a><o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>cheers,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Daniel(Changyu) Du<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
mapguide-users-bounces@lists.osgeo.org
[mailto:mapguide-users-bounces@lists.osgeo.org] <b>On Behalf Of </b>Trevor
Wekel<br>
<b>Sent:</b> Thursday, August 27, 2009 8:40 AM<br>
<b>To:</b> MapGuide Users Mail List<br>
<b>Subject:</b> RE: [mapguide-users] RE: MG Security question<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Here are a few other suggestions for hardening the security on a
production MapGuide site:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Remove the server admin pages (www/mapadmin) and the HTTP test
pages (www/mapagent/*.html, *.js, *.php). All of these pages require authentication
but they do give a lot of information to anyone who can figure out the
credentials. Even the “Anonymous” user account has access to
the HTTP test pages with the default security setup.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Disable all of the HTTP “author role” commands by
adding the following to www/webconfig.ini<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>[AgentProperties]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>DisableAuthoring = 1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Disabling authoring kills Maestro and Autodesk MapGuide
Studio. If you are only running one box, you can set up a second private
instance of the web extensions with authoring enabled by installing a second
HTTP Server (Apache or IIS) and then installing the web extensions on that
server. Both web servers can point at the same MapGuide Server.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>If you are not using WMS or WFS, you can also disable serving of
these protocols with<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>[AgentProperties]<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>DisableWfs = 1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>DisableWms = 1<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thanks,<br>
Trevor<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-CA style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
mapguide-users-bounces@lists.osgeo.org
[mailto:mapguide-users-bounces@lists.osgeo.org] <b>On Behalf Of </b>Homan,
Thomas<br>
<b>Sent:</b> August 26, 2009 4:14 PM<br>
<b>To:</b> MapGuide Users Mail List<br>
<b>Subject:</b> RE: [mapguide-users] RE: MG Security question<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><span lang=EN-CA><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Thanks for the response Bruce.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Changing the admin password was the first thing I did, and that
brought about my noticing that serveradminhelper was failing. Yes, I would
completely agree a dialog is warranted. I am mostly fishing for any other
known security deficiencies without a complete code review.</span><o:p></o:p></p>
<p class=MsoNormal> <o:p></o:p></p>
<p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:blue'>Tom</span><o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<div class=MsoNormal align=center style='text-align:center'>
<hr size=2 width="100%" align=center>
</div>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> mapguide-users-bounces@lists.osgeo.org
[mailto:mapguide-users-bounces@lists.osgeo.org] <b>On Behalf Of </b>Bruce
Dechant<br>
<b>Sent:</b> Wednesday, August 26, 2009 2:58 PM<br>
<b>To:</b> MapGuide Users Mail List<br>
<b>Subject:</b> [mapguide-users] RE: MG Security question</span><o:p></o:p></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Tom,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>I don’t know of any document describing the security of
MGOS.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In regards to your concern over serveradminhelper, it is
hard-coded to use the default administrator user name and password – so credentials
are still required, just no dialog. If you plan on using MGOS or any other
system that uses logon credentials, it is always recommended that you change the
default administrator credentials. However, I do think that the
serveradminhelper pages need to be updated so that credentials are asked for in a
dialog instead of being hard-coded.<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Thanks,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Bruce<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p> </o:p></span></p>
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
mapguide-users-bounces@lists.osgeo.org
[mailto:mapguide-users-bounces@lists.osgeo.org] <b>On Behalf Of </b>Homan,
Thomas<br>
<b>Sent:</b> Wednesday, August 26, 2009 11:23 AM<br>
<b>To:</b> mapguide-users@lists.osgeo.org<br>
<b>Subject:</b> [mapguide-users] MG Security question<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Hello,</span>
<o:p></o:p></p>
<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Does there
happen to be a doc/wiki relating to security on MGOS?</span> <o:p></o:p></p>
<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I'm hoping
to find something that details the obvious security holes, like where serveradminhelper.(php/aspx/jsp)
is called from mapagent/index.html ---> Server Admin and allows someone to
take the MG server offline without having to enter any credentials. In a default
install that tidbit is exposed to the public for their entertainment. </span><o:p></o:p></p>
<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I'd like to
know any of the other surprises that I don't yet know about as well.</span> <o:p></o:p></p>
<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks in
advance</span> <o:p></o:p></p>
<p><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Tom</span> <o:p></o:p></p>
</div>
</body>
</html>