11 Replies Latest reply on Mar 31, 2008 9:59 PM by Patrick Kennedy

    Security Issues

    Andries Koorzen
      Hi all. I have a potential issue with the local cache security in PDMWE.

      I did a quick search through the administration guide but was unable to locate any further info on the matter so I'm now trying out the forums.

      My problem is basically as follows:

      A local file vault view can be deleted by me by simply right clicking on the view, selecting "Delete File Vault View", cancel (when asked to login) and then choose the option to leave the local cache intact as a normal folder. (page 309 - 310 of the administration guide)

      Is it possible to limit this "deleting of the local view" to a logged in user? If not, I am afraid that a potential client will be lost due to security reasons (see below)

      It concerns me greatly that access to sensitive information can be gained this way by deleting a view and then leaving the local cache intact for regular access. If a potential malicious attack results in information being made available through this "feature" then it renders the security of PDMWE ... well... null and void! It even has a note at the bottom of page 309 saying you don't have to log in!!!! It's like advertising the issue!

      I trust that I am simply overlooking a trivial issue here - if anyone can advise it would be greatly appreciated.

      Regards
        • Security Issues
          Jeff Sweeney
          That does sound like a loophole!

          I think you should be able to get around it by how you create the view in the first place. When asked to select the type of view to create: "Only for me" or "For all users on this computer", choose "Only for me". Choosing this option would make that view only accessible to that chosen Windows profile. Now the only person who would have the ability to delete that view would be someone who would have permission to see it in the first place.
          • Security Issues
            Andries Koorzen
            Hi Jeff. Thanks for the reply.

            Unfortunately a user for whom the view is not supposed to be visible can still delete the view. So not much change there. They can't view the folder or its structure, but they can still delete the local view.

            My concern is the following: If a person is able to gain access to a computer (remotely or not) under a username, then this vulnerability can be exploited to gain access to very sensitive information. A potential client of ours designs satellites and their information is top secret... literally!

            I know that he must do everything from his side to secure his own laptop, but this feature, in case of emergency, sorta makes the vault's security VERY vulnerable to attacks?

            I have logged in under a username who's not supposed to have access to the local vault view and tested it out. Using WinXP with PDMWE sp2.
            • Security Issues
              Jeff Sweeney
              XP Professional? With XP Pro, you should be able to completely hide a directory from one user to another.
                • Security Issues
                  Kevin Silbert
                  Maybe I'm missing something- this doesn't seem any different than a "regular" security issue- the local view only contains information that was checked out and never had "Delete Local" turned on. If the user didn't have the right to Get Local in the first place, it will never be in that directory. Maybe you'd like "Delete Local" to be the only option when checking in a document- that would be handy but off the top of my head I can't recall if it's possible.

                  Anyway, the local view is not a back door into the vault- it doesn't have copies of everything all of the time... Or do I misunderstand the problem?
                • Security Issues
                  Jeff Sweeney
                  Sometimes it only takes one file to be a security breach.
                  • Security Issues
                    Andries Koorzen
                    Hmmm... thanks for the feedback.

                    @Kevin: You are correct in saying that not all files are present all the time and that the directory can be hidden from other users with XP pro.

                    My concern was mainly that if the user does have a file in his local cache then it would be viewable by deleting the local view and then viewing the files in a normal directory.

                    However I think that you solved the problem by saying that a local copy should be deleted when checked in - which is possible. I remember when I tried deleting the local view that it asked me whether I want to check in any files that have been checked out.

                    I understand that the local view isn't a local door in as rightly stated, but I believe what Jeff said holds true in many cases - all it needs to be a full security breach is for one file to be leaked. It can be a sensitive word document, or whatever file for that matter. The main issue is - no files should be accessible without the proper credentials. And at this stage, I am able to get to files in a vault merely by walking to a guy's computer (who happens not to be at his desk), delete the vault view and I'll have my files.

                    My concern is that PDMWE asks me whether I want to check that file in (and in the process delete it) when I delete the local view. ... I guess my question is the same as yours - Is there a way to force (or use a setting) for users to delete their local copy when checking in files?

                    PS.. Kevin - I like your avatar!
                      • Security Issues
                        Kevin Silbert
                        Now I understand- Your discussion of an "attack" made me think you were concerned about a connection to the vault...

                        Your point about a user deleting their local view (giving access to local copies of all files that have been worked with on that machine) seems quite valid. I can think of a few ways that PDMWE could tighten this up, and they seem like they would be pretty easy to implement:

                        - Don't allow deletion of the local view without logging in to PDMWE!
                        - Add the option of a transition action called "Delete local copy" that would be used in a workflow.
                        - Add an "administrative permission" called "Disallow local file retention" that could be turned on per user or group.

                        Avatar? That's pictures from my job; I only do this CAD stuff part time. I must be getting old- I can remember when there were music videos on MTV (and I had time to watch them)- that was a classic...
                          • Security Issues
                            Patrick Kennedy
                            Sorry to add one more twist to this thread, but the assumption is incorrect that you have to delete the local vault view to make the files accessible. Files in the local cache are accessible via the command line without logging into the vault, even while the local vault view is intact.

                            It appears the "Only for me" option when creating vault views should be very important to some organizations...
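
If cached files can be read without a vault login, the NTFS permissions on the local view folder are the only control left. The following is an added example, not part of the thread and not PDMWE tooling: a PowerShell audit that lists every principal other than the expected user who can read the folder or its contents. The path is a placeholder and the function name is hypothetical.

```powershell
# Added example: who can read a local vault view folder through NTFS alone?
param(
    [string]$ViewPath     = 'C:\LocalVaultView-PLACEHOLDER',   # placeholder path
    [string]$ExpectedUser = "$env:USERDOMAIN\$env:USERNAME"
)

# Principals expected to keep access on a single-user view.
# CREATOR OWNER is an inherit-only template entry, not a real reader.
$allowed = @($ExpectedUser, 'NT AUTHORITY\SYSTEM',
             'BUILTIN\Administrators', 'CREATOR OWNER')

# ReadData/ListDirectory (0x1), GENERIC_ALL (0x10000000), GENERIC_READ (0x80000000).
# Get-Acl can report generic bits on inheritable entries, so test for both forms.
$readBits = 0x1 -bor 0x10000000 -bor 0x80000000

function Get-CacheReadExposure {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$Allowed
    )
    $root  = Get-Item -LiteralPath $Path -Force
    $items = @($root) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force `
                          -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int]$rule.FileSystemRights -band $readBits) -eq 0) { continue }
            if ($Allowed -contains $rule.IdentityReference.Value) { continue }
            # Below the root, report only explicit entries; inherited ones
            # are already covered by the finding on the parent folder.
            if ($item.FullName -ne $root.FullName -and $rule.IsInherited) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-CacheReadExposure -Path $ViewPath -Allowed $allowed)
if ($findings.Count -eq 0) {
    Write-Output "No unexpected read access on $ViewPath"
} else {
    $findings | Format-Table -AutoSize
}
```

An entry for `BUILTIN\Users` or `Everyone` on the root folder means any local account can read the cached files; members of the local Administrators group can read them regardless of what this reports.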
                        • Security Issues
                          Jeff Sweeney
                          All workstations should be locked anytime the users are away from their computer, even if they are just warming up their coffee.
                            • Security Issues
                              Kevin Silbert
                              Jeff- your thought made me remember a "policy" I have heard of at one workplace: Any time somebody sees an unattended computer that isn't locked, they fire up their email and send an email from that user to everyone stating that they're bringing donuts for the company the next morning...
                            • Security Issues
                              Jeff Sweeney
                              We always did the old email: "My name is [name] and I am not wearing any pants!" ...I think I like the donut idea better though....