
working directly with the SEC database

hi there

I'm just in the process of looking to make some of the updates we do a bit more automated. One of these is resetting access passwords for our SUM Warehouse for some groups.

The problem being we can reset our public SUMs quite easily, all apache setups authenticating against a db, so the hunt is on to make it easy across the board.

Wanting to make the policy update as easy, I opened up the SEC (4.7) database and found the updating policies, all nicely stored in XML. The file looks like this:

<policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="com.sophos\mansys\policy" type="UpdatingPolicy">
  <updatingPolicy xmlns="http://www.sophos.com/xml/msys/updatingpolicy.xsd">
    <subscription identityTag="7738F803-5CFF-4322-AB4E-0E62E080115E" />
    <updateLocation bandwidth="0" macProtocol="smb">
      <sourceSite searchOrder="1" id="7f1234eb-63d4-465d-9f25-565821fdcb2d">
        <unc xmlns="http://www.sophos.com/msys/sddm/common.xsd" uri="\\SEC-PRIMARY\SophosUpdate" user="SEC-PRIMARY\SophosUpdateMgr" password="BEGIN_SECURE_TICKET_e3bbd4b8602843fb94bedf206db60093_END_SECURE_TICKET" />
      </sourceSite>
    </updateLocation>
    <updateLocation bandwidth="0" macProtocol="smb">
      <sourceSite searchOrder="2" id="8a811aff-e11b-4a7e-aa53-bf833ea68b6d">
        <http xmlns="http://www.sophos.com/msys/sddm/common.xsd" uri="http://sophos.mybiz.net/sum" password="BEGIN_SECURE_TICKET_b88fceecbb0f4b5e9e727055a0d3030a_END_SECURE_TICKET" user="melts" />
      </sourceSite>
    </updateLocation>
    <logging enabled="true" maxSize="1" logLevel="Normal" numDaysToKeep="5" />
    <schedule autoUpdate="true" updateFrequency="10" useDialUp="false" />
    <bootstrap usePrimary="true" alternativePath="" />
    <intelligentUpdating enabled="true" />
  </updatingPolicy>
</policy>

Now I don't know if it's possible to work with these files, but I figure I could generate my own and insert them back into the SEC db at the same time as the reset happens on the SUM Warehouse. Of course the password seems to be something unhelpful; it looks like md5 between the BEGIN_SECURE_TICKET_ ... _END_SECURE_TICKET, but it would be hard to reproduce the password back out of that to send to the SUM, so I assume it's something proprietary. It's clearly different to the obfuscationUtil, so it looks like I can't generate the password field. If that's the case I just won't have that part of the process optimised; it's not a big deal, it would just be handy to be able to reset it (and add new policies and groups and and, the list goes on).

:18277
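An added example (not part of the original post and not Sophos code): a read-only audit of an updating policy's XML that lists each update source and reports whether its `password` attribute is a secure-ticket reference, without echoing the value. The namespaces come from the XML quoted above; the 32-hex-character ticket pattern is an assumption based on the two tickets shown, and the second source's password in the sample is constructed to show the review flag.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces copied from the policy XML quoted in the post.
NS = {
    "up": "http://www.sophos.com/xml/msys/updatingpolicy.xsd",
    "c": "http://www.sophos.com/msys/sddm/common.xsd",
}
# Assumed ticket shape: 32 lowercase hex characters between the two markers.
TICKET = re.compile(r"^BEGIN_SECURE_TICKET_([0-9a-f]{32})_END_SECURE_TICKET$")

def audit_update_sources(policy_xml):
    """Return one record per sourceSite credential, ordered by searchOrder."""
    root = ET.fromstring(policy_xml)
    records = []
    for site in root.iterfind(".//up:sourceSite", NS):
        for kind in ("unc", "http"):
            for cred in site.iterfind(f"c:{kind}", NS):
                match = TICKET.match(cred.get("password", ""))
                records.append({
                    "order": int(site.get("searchOrder")),
                    "kind": kind,
                    "uri": cred.get("uri"),
                    "user": cred.get("user"),
                    "ticket": match.group(1) if match else None,
                    # Not a ticket reference: the attribute may hold a
                    # literal or otherwise encoded secret, so flag it.
                    "needs_review": match is None,
                })
    return sorted(records, key=lambda r: r["order"])

# Trimmed copy of the policy from the post; second password is constructed.
SAMPLE = r"""<policy xmlns="com.sophos\mansys\policy" type="UpdatingPolicy">
  <updatingPolicy xmlns="http://www.sophos.com/xml/msys/updatingpolicy.xsd">
    <updateLocation bandwidth="0" macProtocol="smb">
      <sourceSite searchOrder="1" id="7f1234eb-63d4-465d-9f25-565821fdcb2d">
        <unc xmlns="http://www.sophos.com/msys/sddm/common.xsd" uri="\\SEC-PRIMARY\SophosUpdate" user="SEC-PRIMARY\SophosUpdateMgr" password="BEGIN_SECURE_TICKET_e3bbd4b8602843fb94bedf206db60093_END_SECURE_TICKET" />
      </sourceSite>
    </updateLocation>
    <updateLocation bandwidth="0" macProtocol="smb">
      <sourceSite searchOrder="2" id="8a811aff-e11b-4a7e-aa53-bf833ea68b6d">
        <http xmlns="http://www.sophos.com/msys/sddm/common.xsd" uri="http://sophos.mybiz.net/sum" user="melts" password="not-a-ticket" />
      </sourceSite>
    </updateLocation>
  </updatingPolicy>
</policy>"""

if __name__ == "__main__":
    for record in audit_update_sources(SAMPLE):
        print(record)
```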


This thread was automatically locked due to age.
  • Hello melts,

    I'm not faint of heart but I wouldn't fiddle with the policies directly in the database - especially not the updating policies. You quoted a type=18 policy; note that these are linked to type=1 policies (where you will find the obfuscated credentials, BTW). There are other relations not only within but also across tables. Thus such modification might not work as expected or, worse, introduce inconsistencies in the database.

    Christian

    :18279
  • Thanks for the quick reply with the db info, Christian :)

    Shortly after posting I started happy clicking and spotted plain text passwords in the type one files, but some type 18s' correlation IDs don't match the type 1s' and it seems like a bit of a headache.

    Probably the better question to ask is: are there any command line tools I can use to update any of the features usually modified in the EC?

    :18285
  • any command line tools

    Not that I am aware of (other than reporting and deletion of old entries). You think this could be a useful feature?

    Christian

    :18287
  • Hi,

    Firstly don't do it!! :)  Well not just yet.  

    I've been testing SEC 5 and I notice a command line tool called "UpdateManagerHelper.exe". 

    Sounds like just the thing for you as you can edit the passwords and it will send out the policies on the command line.

    C:\Program Files (x86)\Sophos\Enterprise Console>UpdateManagerHelper.exe -c SUMSERVER
    
    IMPORTANT: This will result in changes to your database.
    Ensure that you have backed-up your database files.
    
    Press any key to continue... (Ctrl-C to quit)
    Enter new updating credentials for SUMSERVER. (Only printable characters accepted.)
    
    Username: SUMSERVER\sum
    Password:
    INFO: Checking database consistency
    INFO: Changing the default share credentials for update manager 'SUMSERVER' from 'SUMSERVER\sum:********' to 'SUMSERVER\sum:********'
    INFO: Removed ticket 'BEGIN_SECURE_TICKET_bb3076e3bb1d488198efcbabeb0ab056_END_SECURE_TICKET' from the secret store
    INFO: Added new ticket 'BEGIN_SECURE_TICKET_d89e97f4c0e64b748111a21945133fc2_END_SECURE_TICKET' to the secret store
    INFO: Changes to update manager 'SUMSERVER' committed
    INFO: Checking child update managers that update from '\\SUMSERVER\SophosUpdate'
    INFO: No child update managers needed reconfiguring
    INFO: Changing updating policies that reference '\\SUMSERVER\SophosUpdate'
    INFO: Checking updating policy 'Default'
    INFO: Found policy 'Default' is using credentials 'SUMSERVER\sum:********'
    INFO: Changed policy 'Default' to use credentials 'SUMSERVER\sum:********'
    INFO: Checking updating policy 'SUMSERVER'
    INFO: Found policy 'SUMSERVER' is using credentials 'SUMSERVER\sum:********'
    INFO: Changed policy 'SUMSERVER' to use credentials 'SUMSERVER\sum:********'
    INFO: Checking updating policy 'SUMSERVER-pc'
    INFO: Checking updating policy 'jak'
    INFO: Sending out 1 changed updating policies
    Done
    
    

    I tested running:

    SELECT Name, PolicyXML
    FROM [SOPHOS50].[dbo].[Policies]
    WHERE 
    (Type = 1 or Type = 18) and 
    CorrelationID <> 'FactoryDefault'

    And the XML was updated.

    Regards,

    Jak

    :18303
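An added example (not part of the thread and not a Sophos tool): a summary of `UpdateManagerHelper.exe` console output that shows which tickets were swapped and which updating policies were checked but left unchanged, so those can be reviewed separately after a credential reset. The line formats are taken only from the transcript quoted above and are an assumption about the tool's output in general; the sample is a trimmed copy of that transcript.

```python
import re

# Line shapes as they appear in the transcript quoted in the post.
REMOVED = re.compile(r"INFO: Removed ticket '([^']+)' from the secret store")
ADDED = re.compile(r"INFO: Added new ticket '([^']+)' to the secret store")
CHECKED = re.compile(r"INFO: Checking updating policy '([^']+)'")
CHANGED = re.compile(r"INFO: Changed policy '([^']+)' to use credentials")
SENT = re.compile(r"INFO: Sending out (\d+) changed updating policies")

def summarize_rotation(output):
    """Summarise one helper run: ticket swap, policies changed or untouched."""
    checked = CHECKED.findall(output)
    changed = CHANGED.findall(output)
    sent = SENT.search(output)
    return {
        "removed_tickets": REMOVED.findall(output),
        "added_tickets": ADDED.findall(output),
        "changed": changed,
        # Checked but not rewritten: these policies keep whatever
        # credentials they had before the run.
        "untouched": [name for name in checked if name not in changed],
        "sent": int(sent.group(1)) if sent else None,
        "completed": output.rstrip().endswith("Done"),
    }

# Trimmed copy of the transcript from the post.
SAMPLE_OUTPUT = r"""INFO: Checking database consistency
INFO: Removed ticket 'BEGIN_SECURE_TICKET_bb3076e3bb1d488198efcbabeb0ab056_END_SECURE_TICKET' from the secret store
INFO: Added new ticket 'BEGIN_SECURE_TICKET_d89e97f4c0e64b748111a21945133fc2_END_SECURE_TICKET' to the secret store
INFO: Changes to update manager 'SUMSERVER' committed
INFO: Checking child update managers that update from '\\SUMSERVER\SophosUpdate'
INFO: Changing updating policies that reference '\\SUMSERVER\SophosUpdate'
INFO: Checking updating policy 'Default'
INFO: Changed policy 'Default' to use credentials 'SUMSERVER\sum:********'
INFO: Checking updating policy 'SUMSERVER'
INFO: Changed policy 'SUMSERVER' to use credentials 'SUMSERVER\sum:********'
INFO: Checking updating policy 'SUMSERVER-pc'
INFO: Checking updating policy 'jak'
INFO: Sending out 1 changed updating policies
Done
"""

if __name__ == "__main__":
    for key, value in summarize_rotation(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```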
  • UpdateManagerHelper.exe has been around since 4.0 :smileywink:. Now it looks like it will apply the changes only to the default shares and of those only the ones which use the default user (I'm too lazy to test right now).

    Christian

    :18313
  • This looks really helpful :)

    It's the kind of thing that'd really help manage things. This is from an MSP point of view, where having someone out in the field helping a client out might decide a password reset is for the best, and being able to drive it from the same web interface we have for other tools, including the SUM Warehouse protection, would be great.

    I also haven't seen what happens when you have multiple admins remoting in and firing up SEC; we've avoided it by having one person (usually me :P) doing it all over the phone for everyone else.

    I have a soft spot for command line tools anyway, I spend too much time working on headless Linux boxes :p

    :18339