Saturday, July 15, 2006

Hosting Companies - People Vulnerabilities

Yesterday my server was completely rebuilt by my hosting company due to a totally messed up system. (See previous articles if you want the gory details.)

The whole rebuild was caused by over three months of security issues (see my previous articles for the gory details).

Not even 24 hours after this reinstall, my hosting company's support staff opened up various security holes on the system. Maybe they were inadvertent, new untrained staff, or whatever, but it is my server and my business that is hurt by their "minor" or "not so minor" lapses. They can say they are sorry. I lose time and money.

Here's what happened.

First, I think their system for tracking passwords isn't working, but I suppose I could have typed something wrong. A guy over there says he couldn't log in as the user under which the app is supposed to run... but worse, what he did is then start the app up under an administrator account. That's just great. Now if there was a hack in my app, the hackers had admin access all day before I realized what he did.

One of the major changes I made and one of the things I had to hassle them to do is set apps up under accounts with limiting restrictions - right out of the gate on a clean install he completely reverses this. Even after I stated multiple times to run this under the limited account.

I'm sure this was an inadvertent error by this user, not intentional, but it is hurting my business. I don't blame this person; I blame his company for not training him correctly after the fiasco I just went through and the fact that their higher level tech stated he was annoyed that no one told me to run this app under lower level permissions. So why didn't someone inform the people who do the day to day support?

Next, they deleted an administrator account I created. The reason I created a separate one with a separate password is because this company has the password to the main administrator, so someone could log in while I was logged in and the log entries would look like I was doing it. Creating a separate login they can't use prevents this.

Additionally, someone opened up remote access for DCOM to all users. I triple checked this was off yesterday. So why couldn't they only give access to the specific app or user that needs it instead of everyone? And I told them to call me before making any of these changes. They didn't.