ESM 4.1.3 add a user with a hardcoded Password!

L3 Networker

Hi,

I have read the following and had to laugh: "Changes to Default Behavior in Traps 4.1.3":

For enhanced security, files in the web-based forensics (BITS upload) folder are no longer accessible to any device except the Endpoint Security Manager (ESM) Server and Console. Now, when you install or upgrade to ESM 4.1.3, the installer creates a user account (TrapsDownloader) and uses that account for accessing files in the BITS folder.

I don't think it is enhanced security to add a user named "TrapsDownloader" with a hardcoded password (easy to get), without an easy possibility to change it, and this on a server with an administration tool for a core security product.

I only noticed it because on a German OS the console installer crashes with an error when adding this TrapsDownloader user, because it cannot find the local Users group.

What do you think?

F.Hufschmid

Accepted Solutions
L4 Transporter

You can change the password with the DBconfig tool. If you open a case with support they will send you instructions. 

L3 Networker

I found it out, it is analogous to the ninja pw change:

C:\Program Files\Palo Alto Networks\Endpoint Security Manager\Server>DBConfig.exe server TrapsDownloaderPassword <YOUR_PASSWORD>

thx for the hint

F.Hufschmid
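
A check an administrator can run on the ESM server after the DBConfig.exe change above, added here as an example and not taken from the original posts or from Palo Alto Networks' tooling: it reports whether the local TrapsDownloader account exists, when its password was last set, and which local groups it belongs to. Groups are resolved by well-known SID rather than by English name, so it also works on a localized OS such as the German one mentioned in the first post; the function name and the `-ChangedAfter` parameter are assumptions.

```powershell
# Added example: audit the local TrapsDownloader account on the ESM server.
# Needs Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts), run elevated.
function Test-TrapsDownloaderAccount {
    param(
        # Account name as given in the Traps 4.1.3 release note quoted in the thread.
        [string]$AccountName = 'TrapsDownloader',
        # Assumption: the time at which you ran DBConfig.exe with your own password.
        [Parameter(Mandatory)][datetime]$ChangedAfter
    )

    $user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
    if (-not $user) {
        Write-Warning "Local account '$AccountName' not found on $env:COMPUTERNAME."
        return
    }

    # Walk every local group and compare members by SID, never by display name.
    $memberOf = foreach ($group in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        if ($members.SID.Value -contains $user.SID.Value) { $group }
    }

    $adminSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
    $usersSid = 'S-1-5-32-545'   # BUILTIN\Users; its name is localized, e.g. 'Benutzer'

    [pscustomobject]@{
        Account         = $user.Name
        Enabled         = $user.Enabled
        PasswordLastSet = $user.PasswordLastSet
        # The thread does not say whether DBConfig.exe resets the Windows account
        # password itself; a value of False here means it predates your change.
        PasswordRotated = ($user.PasswordLastSet -ge $ChangedAfter)
        Groups          = $memberOf.Name -join ', '
        IsLocalAdmin    = ($memberOf.SID.Value -contains $adminSid)
        UsersGroupName  = (Get-LocalGroup -SID $usersSid).Name
    }
}

# Example call with a constructed timestamp:
Test-TrapsDownloaderAccount -ChangedAfter '2017-01-01 09:00'
```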

All Replies
L3 Networker

Thank you, are you from PaloAlto support or sw engineer?

You agree with me that this change in the documentation should be large, bold and mandatory and should not be requested via support.

L4 Transporter

Yes and no. Yes, it should be better documented. No, specific information about a password or account that a security product uses, should have some control in the finer details being publicized. Which is why, support should have no issue passing you the information, on how to modify the password. The details of the account and function could use better detailing, in the admin guide.  

L3 Networker

No, specific information about a password or account that a security product uses, should have some control in the finer details being publicized.

Why not, every default password from traps should be in the public documentation, with a requirement to change it. If you search on the internet you find it anyway.

Only one good example where PaloAlto has done it:

https://www.paloaltonetworks.com/documentation/41/endpoint/endpoint-admin-guide/administer-the-esm-s...

Sorry for saying: all other obfuscation is security by obscurity.
