ESM 4.1.3 add a user with a hardcoded Password!

L2 Linker


Hi,

 

I have read the following and had to laugh: "Changes to Default Behavior in Traps 4.1.3":

 

For enhanced security, files in the web-based forensics (BITS upload) folder are no longer accessible to any device except the Endpoint Security Manager (ESM) Server and Console. Now, when you install or upgrade to ESM 4.1.3, the installer creates a user account (TrapsDownloader) and uses that account for accessing files in the BITS folder.

 

I don't think it is enhanced security to add a user named "TrapsDownloader" with a hardcoded password (easy to get), without an easy possibility to change it, and this on a server with an administration tool for a core security product.

 

I only noticed it because on a German OS the console installer crashes with an error when adding this TrapsDownloader user, because it cannot find the local Users group.

 

What do you think?

 

F.Hufschmid

L4 Transporter

Re: ESM 4.1.3 add a user with a hardcoded Password!

You can change the password with the DBconfig tool. If you open a case with support they will send you instructions. 

L2 Linker

Re: ESM 4.1.3 add a user with a hardcoded Password!

Thank you. Are you from Palo Alto support, or a software engineer?

 

You agree with me that this change in the documentation should be large, bold and mandatory and should not be requested via support.

L4 Transporter

Re: ESM 4.1.3 add a user with a hardcoded Password!

Yes and no. Yes, it should be better documented. No, specific information about a password or account that a security product uses, should have some control in the finer details being publicized. Which is why, support should have no issue passing you the information, on how to modify the password. The details of the account and function could use better detailing, in the admin guide.  

L2 Linker

Re: ESM 4.1.3 add a user with a hardcoded Password!

 

"No, specific information about a password or account that a security product uses, should have some control in the finer details being publicized."

Why not? Every default password from Traps should be in the public documentation, with a requirement to change it. If you search the internet you find it anyway.

Only one good example where Palo Alto has done it:

https://www.paloaltonetworks.com/documentation/41/endpoint/endpoint-admin-guide/administer-the-esm-s...

 

Sorry for saying: all other obfuscation is security by obscurity.

L2 Linker

Re: ESM 4.1.3 add a user with a hardcoded Password!

I found it out; it is analogous to the ninja password change:

 

C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server>DBConfig.exe server TrapsDownloaderPassword <YOUR_PASSWORD>

 

Thanks for the hint.

F.Hufschmid
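An audit check for the account discussed in this thread, as an added example that is not part of the original posts and is not Palo Alto Networks code. It assumes an elevated PowerShell 5.1+ session on the ESM host, that the installer-created account is a local Windows account, and that a password change shows up in its `PasswordLastSet` value; the function name and the `-InstalledOn` date are hypothetical and must be adapted.

```powershell
# Added example: report on the local account the ESM 4.1.3 installer creates.
# Assumptions: local Windows account; install/upgrade date supplied by the operator.
param(
    [string]   $AccountName = 'TrapsDownloader',          # account name from the thread
    [datetime] $InstalledOn = (Get-Date).AddDays(-30)      # placeholder: real install/upgrade date
)

function Test-InstallerAccount {   # hypothetical helper name
    param([string] $Name, [datetime] $Since)

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        return [pscustomobject]@{ Account = $Name; Present = $false }
    }

    # Resolve BUILTIN\Users by its well-known SID instead of by name, so the
    # lookup also works on localized Windows (German: "Benutzer").
    $usersGroup = Get-LocalGroup -SID 'S-1-5-32-545'

    # Collect every local group the account is a member of.
    $groups = foreach ($g in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $user.SID.Value) { $g.Name }
    }

    # A password never set, or last set before the install date, has most
    # likely not been rotated since the installer created the account.
    $rotated = [bool]($user.PasswordLastSet -and $user.PasswordLastSet -gt $Since)

    [pscustomobject]@{
        Account                 = $user.Name
        Present                 = $true
        Enabled                 = $user.Enabled
        PasswordLastSet         = $user.PasswordLastSet
        RotatedSinceInstall     = $rotated
        LocalizedUsersGroupName = $usersGroup.Name
        MemberOf                = @($groups) -join ', '
    }
}

Test-InstallerAccount -Name $AccountName -Since $InstalledOn | Format-List
```

A result with `RotatedSinceInstall : False` is the case to follow up with the DBConfig command shown above.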
