SuccessMaker opens security holes for vandalism and viruses
Put simply, SuccessMaker creates a half-dozen folders in the root, then sets absurd access permissions on them.
Rather than giving users read-only access to program directories (where EXE and DLL files live) and modify access to data folders, they grant FULL CONTROL rights to all 6 folders for all users.
Say what? How often do you suppose students running SM need to change the owner of the files in these folders? Or set the file access permissions? What were they thinking setting Full Control?
Let's look at some of the opportunities for mischief this creates:
1) Any user (even students!) can simply DELETE these folders and everything in them. This makes the computer unusable until the IT department can re-install the SM software, whereupon they can simply delete it again.
2) Whatever data SM stores in the Student or Teacher folders is subject to being read (or changed) by any user on the computer.
3) Any viruses accidentally downloaded by users can store themselves in these folders. They can even attach themselves to the executable files there and spread to every user that runs SuccessMaker.
4) Malicious users with somewhat more advanced knowledge could even produce programs with login screens that emulate SM in order to grab credentials, then replace the normal programs with their own.
And that's just off the top of my head.
In an education environment, not all the people using the computers are angels. While you can *hope* that they won't choose to do anything inappropriate (or simply don't know how), the better plan is to take prudent steps to secure the computers. This philosophy helps protect you from both the accidentally careless users, as well as the deliberately malicious ones.
I have spoken to SM, but while they understood my concerns and were polite, they had no solutions to offer.
I'm hoping that someone else has already worked through this and has an answer here. Please tell me I'm not the only person who sees this as a serious security hole! If you have any information here, please share.
Even if you don't have a solution, I'd still like to hear from you if you consider this to be a problem. If SM doesn't have a fix, I have ideas of my own about how to correct this. But I could use some help from people who are more familiar with SM than I am.
Enabling full control on folders, shares, etc. seems to be the default position of most software vendors I have come across, including everything from random software like SuccessMaker to huge systems like sims. It drives me nuts; it's just down to ignorance of how permissions actually work and sheer laziness. It's the main reason why I refuse to ever let engineers install anything on my servers.
As for a solution to successmaker, what I did was move the folders from the root to a successmaker folder in program files, add hidden symbolic directory links in place of the root folders and reset the permissions myself to something less insecure.
Do you have a list of the permissions that you ended up using?
I just reset the folders to inherit the default permissions from the Program Files folder, but you can, if you want, set individual permissions to the student & teacher folders using your domain groups.
I am still looking for some admins that are familiar with SM who can help me sort this out. I know finding people during the summer is going to be a challenge, but clearly this is the best time to be experimenting with this.
So, I have started looking through the local directories. There are 176 of them. So far, I've found 2 of them that look like they need write access, and 73 that should probably be read only.
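
An added example, not from the thread and not any poster's or the vendor's script: a PowerShell audit that walks the folders you pass in and lists every Allow entry giving the broad built-in groups write, delete, permission-change or ownership rights, which is the sorting job the last post describes. The folder paths are supplied by the caller because the thread does not name them; the script name in the usage comment is hypothetical.

```powershell
# Added example. Usage (hypothetical script name, placeholder path):
#   .\Find-BroadWriteAccess.ps1 -Path 'C:\<folder created by the installer>'
param(
    [Parameter(Mandatory)][string[]]$Path
)

# Well-known SIDs that between them cover every user who can log on locally.
$broadSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-4'         # INTERACTIVE
)

# Rights that let a user change or remove content, or rewrite the ACL itself.
$FSR = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::DeleteSubdirectoriesAndFiles -bor
                   $FSR::ChangePermissions -bor $FSR::TakeOwnership)
# Installers sometimes write raw generic bits that Get-Acl shows as bare numbers.
$genericMask = 0x10000000 -bor 0x40000000    # GENERIC_ALL, GENERIC_WRITE

foreach ($root in $Path) {
    # Audit the root folder itself plus every subfolder, hidden ones included.
    $dirs = @(Get-Item -LiteralPath $root -Force) +
            @(Get-ChildItem -LiteralPath $root -Recurse -Directory -Force -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            # Compare by SID so localized or renamed group names still match.
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }    # account no longer resolvable: skip it

            $bits = [int]$ace.FileSystemRights
            if (($broadSids -contains $sid) -and ($bits -band ($writeMask -bor $genericMask))) {
                [pscustomobject]@{
                    Folder    = $dir.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # False = set explicitly on this folder
                }
            }
        }
    }
}
```

Rows with `Inherited` set to False mark where the permission was applied directly; after moving the folders and resetting them to inherit, as described in the replies, a second run should return nothing for the program directories.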