GeekOfTheSouth

Automate Security Issue- Patch 11 and 12


39 minutes ago, Gavsto said:

 Losing vulnerabilities because a support ticket got closed because a partner didn't respond is serious amateur hour stuff.

There was a little more to it than that... I got pretty angry at T3 for various reasons when they initially looked at the problem. Regardless, I should have handled it better.

22 hours ago, Gavsto said:

I completely agree, which is precisely why there should be a proper structure in place for reporting security vulnerabilities. Losing vulnerabilities because a support ticket got closed because a partner didn't respond is serious amateur hour stuff. This is also the second time I know of that it has happened (one of my privately reported ones got lost in the same way, mostly because the initial support engineer could not comprehend what I was trying to raise).

I implore ConnectWise to put a proper procedure in place for reporting security vulnerabilities allowing for responsible disclosure. In the meantime, at least train the existing staff to escalate anything like this immediately to the appropriate resource.

x 1000 - Even if this wasn't the case, we should all take this as a great opportunity to help develop a framework for easily reporting vulnerabilities and working with the appropriate resources. 

There used to be a location to report it on the old LabTech website. It's no longer accessible unfortunately.  

27 minutes ago, Deflect said:

x 1000 - Even if this wasn't the case, we should all take this as a great opportunity to help develop a framework for easily reporting vulnerabilities and working with the appropriate resources. 

There used to be a location to report it on the old LabTech website. It's no longer accessible unfortunately.  

From a Corporate Level, I have begun working on a resolution to this concern.

On 1/7/2019 at 8:46 PM, Gavsto said:

serious amateur hour stuff

You expected something else?  Have you dealt with CW before? 🙄


Posting this here in case it helps others, info sourced from CWSupport:

The problem: LTShare was not designed for Split Server Environments. If you have a 3-way split, with a dedicated Web Server and Automation Server, they each end up with their own LTShare. There is nothing to synchronize the content share folders together. A file upload would end up on the Web Server, but a Script running on the Automation Server would then try to access the file (on the Automation Server) and would be unable to find it.

The solution: The File Service was written to solve this need. It is a new program that is set up to run as a Windows Service on the Automation Server (e.g. alongside the database agent). This is heavily an under-the-hood system change. There are no UI-impacting changes that would require new screenshots.

File Service: When something (e.g. a Remote Agent) tries to download a file from the system, it will request the file from the Web Server. The Web Server will first check its local LTShare directory for said file; if the file is outdated or does not exist it will communicate with the File Service to get a current copy of the file. The Web Server will then stream the content of that file back to the entity requesting the download, while simultaneously saving a copy to the LTShare directory on the Web Server. This local copy can then be used to serve future requests for that file that come to that Web Server. The Web Server communicates with the File Service on port 12413. So in split environments this port will need to be open between the Web Server and the Automation Server. If the FileService is not running for whatever reason, the download of a file would fail.

Along with the other changes to the LTShare, there will no longer be a need to have the LTShare mapped to workstations running the Control Center. When a user logs in and the Control Center starts, it will run through like it currently does. During and after the Control Center launch it will download the files that used to be pulled from the LTShare and place them on the machine running the Control Center. These files include the MIBS and legacy reports (Crystal Reports). Screenshots will now be downloaded by the Control Center as needed when loading Computer Management Screens.

Some additional details that may be useful for support:

There will be a FileService created on the Application server which will keep a new table named "PrivateFileShare" which will contain the File information including FileHash and Version of all the files in the LTShare of the Application Server. This information will be gathered by a file on the LTShare called .Folder which will contain details for the state of these files. The service will also allow the communication of the Web servers to the LTShare of the application server.

When one of the Web servers receives a request for one of the files, the Web server will check its LTShare to see if the file is there. If the file is there, it will check the "PrivateFileShare" table to make sure that the file is the same as the one on the App server. If it isn't, it will copy the file from the App server and overwrite the one on the Web server.

In the case that the web server needs to get a file from the File Service, it will immediately serve that file for download by streaming the data from the File Service to the Web Server and then off to whatever is requesting the download, and at the same time the Web Server will store a local copy of that file so that when it is requested again it can be served for download directly by the Web Server without needing to stream the file again from the File Service.

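To make the Web Server / File Service hand-off described in the post above concrete, here is a small Python model written for this thread. It is an added example, not ConnectWise code: the wire protocol the Web Server speaks to the File Service on port 12413 is not described here, so the File Service is an in-memory object, the PrivateFileShare table is a dict of (hash, version) per path, SHA-256 stands in for the unspecified FileHash algorithm, and the sample file path is constructed. It shows the local cache check, the hash comparison against the table, the stream-and-cache path on a miss or stale copy, and why a stopped FileService fails every download, including ones the Web Server has cached.

```python
"""Toy model of the Web Server / File Service hand-off described in this thread.

Added example, not ConnectWise code. The File Service is an in-memory object and
the PrivateFileShare table is a dict of (hash, version) per path; both are
constructed for the example. SHA-256 is an assumption for the FileHash column.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    # The real FileHash algorithm is not stated in the thread; SHA-256 is an assumption.
    return hashlib.sha256(data).hexdigest()


@dataclass
class FileService:
    """Stands in for the service on the Automation (App) server: it owns the
    authoritative LTShare and the PrivateFileShare table built from it."""
    share: Dict[str, bytes]
    table: Dict[str, Tuple[str, int]] = field(default_factory=dict)
    fetches: int = 0  # how many times a Web Server had to stream a file from us

    def __post_init__(self) -> None:
        for path, data in self.share.items():
            self.table[path] = (sha256_hex(data), 1)

    def publish(self, path: str, data: bytes) -> None:
        """A new file version lands in the App server LTShare; the table is updated."""
        self.share[path] = data
        _, version = self.table.get(path, ("", 0))
        self.table[path] = (sha256_hex(data), version + 1)

    def lookup(self, path: str) -> Optional[Tuple[str, int]]:
        return self.table.get(path)

    def stream(self, path: str, chunk_size: int = 4) -> Iterator[bytes]:
        self.fetches += 1
        data = self.share[path]
        for i in range(0, len(data), chunk_size):
            yield data[i : i + chunk_size]


@dataclass
class WebServer:
    """A Web Server with its own local LTShare, used as a cache."""
    service: Optional[FileService]
    local_share: Dict[str, bytes] = field(default_factory=dict)

    def download(self, path: str) -> bytes:
        if self.service is None:
            # The thread notes a stopped FileService fails downloads. Here even a cached
            # copy cannot be validated against the table, so the request fails too.
            raise ConnectionError("FileService unreachable on port 12413")
        entry = self.service.lookup(path)
        if entry is None:
            raise FileNotFoundError(path)
        expected_hash, _version = entry
        cached = self.local_share.get(path)
        if cached is not None and sha256_hex(cached) == expected_hash:
            return cached  # current local copy: no round trip to the File Service
        # Missing or stale: stream from the File Service, writing the local copy as
        # the chunks go past so the requester does not wait for the whole file first.
        sent = bytearray()
        for chunk in self.service.stream(path):
            sent.extend(chunk)  # in the real system each chunk goes to the requester and to disk
        self.local_share[path] = bytes(sent)
        return bytes(sent)


def demo() -> Dict[str, object]:
    path = "Transfer/Scripts/hello.ps1"  # constructed path, not a claim about the LTShare layout
    svc = FileService(share={path: b"Write-Host hi"})
    web = WebServer(service=svc)
    first = web.download(path)   # miss: streamed from the File Service and cached
    second = web.download(path)  # hit: hash matches the table, served locally
    svc.publish(path, b"Write-Host hi v2")
    third = web.download(path)   # stale: hash differs, re-streamed and overwritten
    return {"first": first, "second": second, "third": third, "fetches": svc.fetches}


if __name__ == "__main__":
    print(demo())
```

Two fetches for three downloads is the whole point of the design: the second request never leaves the Web Server, and the third does only because the table says the cached copy is no longer what the App server holds.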

Has anyone just disabled this service? We have found it puts massive CPU load (caused by WMI) on a large (number of files, not size) LTShare directory. We have a 2-server config with only one LTShare directory on the AppServer. The appserver and webserver are on the same host. 


The loading should only be for the initial scan, I would expect. Have you verified it has inventoried all files and is still causing high load? I'd open a ticket. Things break if it isn't running.

On 1/7/2019 at 1:32 PM, DarrenWhite99 said:
Good thought on the service account user. From my understanding of the stated/known purpose of the service that shouldn't break it.

I've often wondered about how well that'd work, if at all...

 

On 1/27/2019 at 11:21 AM, MetaMSP said:

File Service: When something (e.g. a Remote Agent) tries to download a file from the system, it will request the file from the Web Server. The Web Server will first check its local LTShare directory for said file; if the file is outdated or does not exist it will communicate with the File Service to get a current copy of the file. The Web Server will then stream the content of that file back to the entity requesting the download, while simultaneously saving a copy to the LTShare directory on the Web Server. This local copy can then be used to serve future requests for that file that come to that Web Server. The Web Server communicates with the File Service on port 12413. So in split environments this port will need to be open between the Web Server and the Automation Server. If the FileService is not running for whatever reason, the download of a file would fail.

Along with the other changes to the LTShare, there will no longer be a need to have the LTShare mapped to workstations running the Control Center. When a user logs in and the Control Center starts, it will run through like it currently does. During and after the Control Center launch it will download the files that used to be pulled from the LTShare and place them on the machine running the Control Center. These files include the MIBS and legacy reports (Crystal Reports). Screenshots will now be downloaded by the Control Center as needed when loading Computer Management Screens.

I have questioned LT Support within the last few months about the Share and/or NTFS file permissions that are needed for LTShare and the FileService to function properly. And they insisted those permissions (both types) need to be set to "Everyone" ("Full Control") for it all to function as intended.

Needless to say, I have a fundamental problem with that being necessary.

Quote

...will no longer be a need to have the LTShare mapped to workstations running the Control Center.

We were told by LT Consulting after FileService was deployed that the only users who might actually need to have LTShare mapped on their workstations are those who are doing system administration/development work such as writing scripts, reports, etc.  (I have not tested that myself yet.)

Manual human access of LTShare aside, what are the minimum permissions needed for the FileService, a local installation of the Control Center ("thick client"), LT Agents, Web Control Center, etc., and which system entities (by default) need any access whatsoever to LTShare?

 

On a somewhat related note... Can we hide the LTShare network share without it hosing LT?

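A check for the setting KI_EricS describes, added here as an example and not a ConnectWise tool: it parses `icacls` and `net share` output and flags grants of write-or-higher to Everyone, Authenticated Users or BUILTIN\Users. The two sample outputs are constructed in the shape those commands print (the `C:\LTShare` path and the share name are assumptions for the example). It deliberately does not say what the minimum permissions are, since the thread leaves that question open; it only surfaces the grants a reviewer would have to justify, and it does not flag a read-only grant.

```python
"""Audit icacls / net share output for broad write grants on the LTShare.

Added example for this thread, not a ConnectWise tool. Both sample outputs are
constructed in the shape the commands print; the path and share name are assumptions.
"""
import re
from typing import Dict, List

# Principals that effectively mean "anyone who can reach the host".
BROAD_PRINCIPALS = {"everyone", "nt authority\\authenticated users", "builtin\\users"}
# icacls simple rights that include write, plus the specific rights that do.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WEA", "WA", "DC", "WDAC", "WO"}
SHARE_WRITE_LEVELS = {"FULL", "CHANGE"}

ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(output: str) -> List[Dict]:
    """Return one entry per ACE: {'path', 'principal', 'flags'}."""
    lines = [l for l in output.splitlines()
             if l.strip() and not l.startswith("Successfully processed")]
    if not lines:
        return []
    first = lines[0]
    # icacls indents continuation lines to len(path)+1, which locates the end of the path.
    indent = len(lines[1]) - len(lines[1].lstrip(" ")) if len(lines) > 1 else 0
    if indent:
        path, aces = first[:indent - 1].rstrip(), [first[indent:]]
    else:
        path, ace = first.rsplit(" ", 1)  # single-ACE fallback: principal without spaces
        aces = [ace]
    aces += [l.strip() for l in lines[1:]]
    entries = []
    for ace in aces:
        m = ACE_RE.match(ace.strip())
        if m:
            flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
            entries.append({"path": path, "principal": m.group("principal").strip(), "flags": flags})
    return entries


def parse_net_share(output: str) -> List[Dict]:
    """Return one entry per share permission: {'share', 'principal', 'level'}."""
    share, grants, in_perm = None, [], False
    for line in output.splitlines():
        if not line.strip():
            continue
        if line.startswith("Share name"):
            share, in_perm = line[len("Share name"):].strip(), False
        elif line.startswith("Permission"):
            grants.append(line[len("Permission"):].strip())
            in_perm = True
        elif in_perm and line.startswith(" "):  # further principals are indented
            grants.append(line.strip())
        else:
            in_perm = False
    entries = []
    for g in grants:
        if "," in g:
            principal, level = (x.strip() for x in g.rsplit(",", 1))
            entries.append({"share": share, "principal": principal, "level": level.upper()})
    return entries


def audit(icacls_output: str, net_share_output: str) -> List[str]:
    findings = []
    for e in parse_icacls(icacls_output):
        if e["principal"].lower() not in BROAD_PRINCIPALS or "DENY" in e["flags"]:
            continue
        rights = {r for f in e["flags"] for r in f.split(",")} & WRITE_RIGHTS
        if rights:
            findings.append(f"NTFS {e['path']}: {e['principal']} has {','.join(sorted(rights))}")
    for s in parse_net_share(net_share_output):
        if s["principal"].lower() in BROAD_PRINCIPALS and s["level"] in SHARE_WRITE_LEVELS:
            findings.append(f"Share {s['share']}: {s['principal']} has {s['level']}")
    return findings


# Constructed sample output in the shape `icacls C:\LTShare` prints.
SAMPLE_ICACLS = r"""C:\LTShare BUILTIN\Administrators:(OI)(CI)(F)
           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
           Everyone:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed sample output in the shape `net share LTShare` prints.
SAMPLE_NET_SHARE = r"""Share name        LTShare
Path              C:\LTShare
Remark
Maximum users     No limit
Users
Caching           Manual caching of documents
Permission        Everyone, FULL
The command completed successfully.
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_ICACLS, SAMPLE_NET_SHARE):
        print(line)
```

Run `icacls` and `net share` against the real LTShare and feed their output in; two findings here (NTFS and share, both Everyone at Full) are exactly the configuration the post objects to, while the Administrators and SYSTEM entries pass because they are not broad principals.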
On 2/8/2019 at 2:40 PM, KI_EricS said:

I've often wondered about how well that'd work, if at all...

 

I have questioned LT Support within the last few months about the Share and/or NTFS file permissions that are needed for LTShare and the FileService to function properly. And they insisted those permissions (both types) need to be set to "Everyone" ("Full Control") for it all to function as intended.

Needless to say, I have a fundamental problem with that being necessary.

 

That just sounds like a recipe for disaster. 
