RNUG Lotus User Group (www.vlaad.lv)

    Password stored in SURunAs.exe can be compromised.

    Vladislav Tatarincev  16 April 2010 20:29:01
    If you use SmartUpgrade to deploy a new version, and you use RUNAS, you need to read this!!!
    Password stored in SURunAs.exe can be compromised.
    http://www-01.ibm.com/support/docview.wss?uid=swg21427073
    Problem
    The SURunAs utility stores a Windows account and password that has administrator rights to install Notes on the PC. Using a 3rd party tool, it may be possible to see the Windows password in clear text stored inside the surunas executable.
     
    Resolving the problem
    This issue has been reported to development in SPR # JSTN837SEG. After review, this was determined to be a restriction due to the current Microsoft APIs.
    The Win32 API call that is used to do the bulk of the work that SURunAs accomplishes takes the account's password in clear text. This is a requirement imposed by Microsoft.
    If this vulnerability is a concern then it's recommended that Admins change the password once the SURunAs Notes installations are complete.



    I have designed my own tool, which does the same thing as SmartUpgrade, but it has one advantage: IT FORCES users to upgrade. They have about 3-4 attempts (a configurable value), and then it deploys the client.
    My tool also detects how much RAM is on the machine, and then deploys the Standard or Basic client.
    Client deployment is the biggest part of any migration: if a migration lasts 6 months, then 4-5 months of that is client deployment... unless you can force users to upgrade (Novell Zen, Windows AD policy or a 3rd party tool).


    Thanks to Marie: http://www.bleedyellow.com/blogs/crashtestchix/entry/if_you_re_using_smart_upgrade_run_as_to_deploy_upgrades_read_this2?lang=en_us
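
A defender-side check for the exposure the technote describes, as an added example that is not part of the original post or of IBM's tooling: given a password you already know, it reports whether that exact string sits verbatim in a file's bytes, either as a narrow string or as a UTF-16LE wide string. The sample bytes and password are constructed, and `find_cleartext`, `audit_file` and `build_sample` are hypothetical names.

```python
"""Added example: is a known secret present verbatim in a file's bytes?"""
from pathlib import Path

# Encodings a Windows program commonly uses for embedded strings:
# narrow (ANSI/UTF-8) strings and UTF-16LE wide strings.
ENCODINGS = ("utf-8", "utf-16-le")


def find_cleartext(data: bytes, secret: str) -> list[tuple[str, int]]:
    """Return (encoding, byte offset) for every verbatim occurrence."""
    hits = []
    for enc in ENCODINGS:
        needle = secret.encode(enc)
        start = data.find(needle)
        while start != -1:
            hits.append((enc, start))
            start = data.find(needle, start + 1)
    return hits


def audit_file(path: str, secret: str) -> list[tuple[str, int]]:
    """Run the same check against a file on disk."""
    return find_cleartext(Path(path).read_bytes(), secret)


def build_sample(secret: str, wide: bool) -> bytes:
    """Constructed stand-in for an executable image (not a real SURunAs.exe)."""
    enc = "utf-16-le" if wide else "utf-8"
    return b"MZ" + bytes(62) + b"\x00pad\x00" + secret.encode(enc) + b"\x00\x00tail"


if __name__ == "__main__":
    secret = "Constructed-Pw-01"  # constructed sample value, not a real password
    for wide in (False, True):
        hits = find_cleartext(build_sample(secret, wide), secret)
        print("wide" if wide else "narrow", hits)
```

Any hit means everyone who can read the file can read the password, so the account should be treated as exposed and its password changed once the installations are complete, as the technote recommends.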
