Solved

Using cwbrxd without an AS/400

Posted on 2008-10-24
837 Views
Last Modified: 2013-12-06
I am developing a solution using the RUNRMTJOB command in conjunction with cwbrxd.  The question has arisen about where the cwbrxd service should be running.  My choices are either running it on a central Windows 2003 server OR running it on the PCs that will actually be requesting the application.  

I have a concern about running it on a Windows 2003 server from a security perspective.  I think there is less chance of a security hole if the service is run on the workstation.  My manager is of the opinion that is more efficient to run it on the server as you only have to install it once instead of on several workstations.  In essence, I agree.  However, the security aspect concerns me.

Is it possible to send a command to the server running this service without using the AS/400 runrmtjob command?  Can any computer send a remote command to this service and if so, how?  I would like to do a benign test to show my manager the vulnerability of running it on the server.

I would like to send a command from a PC to that server without using the AS/400 (such as copying a file).  Can this be done?
Question by:cosmit
4 Comments
 
LVL 34

Accepted Solution

by:
Gary Patterson earned 500 total points
ID: 22799723
Server or workstation?  

Well, my answer is "neither".

There is a reason that Microsoft doesn't supply a native Remote Execution Daemon (rexecd - that's what cwbrxd is) service.  It is an inherently insecure service.  I avoid designing it into my applications, flag it as a possible vulnerability when I find it in a security audit, and take it out when practical.  It is a prohibited service in many shops due to the exposure it creates.  

Can you send a command to the service without RUNRMTCMD?  

Sure.

You can use any rexec client to send a command to the service.  Rexec clients exist for just about every OS you can imagine (Google "rexec client xxxx" where xxxx is your OS of choice.).  There are also lots of rexec components available, and of course you can always write a program that speaks rexec protocol (http://www.private.org.il/mini-tcpip.faq.html#3.%20Of%20the%20rexec%20protocol.)

Can any computer send a remote command to this service?  

Yes, unless you filter somehow, like with a firewall or Windows IP filtering.  Plus you need to maintain this on every system that runs the service, creating quite a bit of admin overhead.

How?

Open a command prompt on your XP machine and type "rexec".  Every unix/linux derivative I've ever encountered has a rexec client.  Open up a 5250 session on any of your AS/400 / iSeries / System i systems and try "rexec" [F4].

If not rexecd, then what?

Ok, now that we know that rexecd is evil (ok that may be a bit harsh), what is a poor AS/400 technician to do when faced with the need to make Windows do something for you?

There are a lot of approaches that will work, but I'll confine myself to one suggestion here:  AS/400 Data Queues.

Use an AS/400 Data Queue (*DTAQ object) to pass command requests to a custom Windows (or Java) application that monitors the data queue, inspects the incoming request, and either executes it or rejects it based on whatever rules you choose to implement regarding "safe" commands.  If you want to get fancy, you can externalize the "rules", so that adding another permitted command or set of commands only requires a settings file change, and not a code change.  (I use regular expressions syntax for this, but that is another post.)  http://www.regular-expressions.info/

As long as you secure the AS/400 data queue object, and only allow specific processes to place entries on the queue, you can dramatically limit the exposure of unauthorized commands getting executed on your server or workstation.  The client-side code can provide significant further protection by stringently limiting the commands that can be executed to a "safe" subset.  

I select using a data queue for several reasons (although there are a plethora of other approaches that can be made to work just fine):

1) By securing access to write to the data queue, you can very strictly limit the AS/400 applications and user profiles that can cause remote commands to be executed on the Windows side.  This is much more difficult to do securely with Rexecd.

2) Reading and writing to and from data queues is very easy in native RPG, COBOL, and CL, as well as on the client side in .NET, legacy Microsoft languages, and Java.   Google "iseries data queue (language of your choice)" and you will find plenty of examples.  Here's one in .NET:

http://www.experts-exchange.com/Programming/System/AS_-_400/Q_21539797.html

3) The receiving Windows application can inspect and validate incoming requests, and only execute those that it deems to be valid or permitted.  You can't do that with Rexecd, you have to trust the sender to only send permitted commands (or you have to run under a Windows profile that only has permission to certain commands, and that can be a real admin challenge, especially if you are running on a bunch of workstations).  There is also no easy way to inspect or filter commands based on parameters in Rexecd, where you can easily do this in your own application.

4) iSeries Data queue service can be (probably should be) configured to run over SSL, so messages are encrypted.  Rexec service can also do this, so it is not a specific advantage, but I mention it because it is a great practice, especially if there is any chance now or in the future that commands containing user id, passwords, or confidential data will be exchanged.

5) If you need to receive incoming requests from multiple systems, you can either monitor multiple queues, or you can set up remote data queues on the additional systems that feed the master data queue on the central system.

Again, there are many, many approaches that will work, but I like this one from a security, stability, and ease-of-implementation standpoint.  You can deploy it to servers or to workstations without creating the exposure created with Rexecd.

- Gary Patterson




0
 

Author Comment

by:cosmit
ID: 22799788
Gary

Thank you for your thoughtful answer.  You have answered several of my AS/400 questions in the past and without fail have been extraordinarily helpful.

0
 
LVL 34

Expert Comment

by:Gary Patterson
ID: 22800000
Recognize your handle.  Always happy to help.  Glad you find it useful.

- Gary
0
 
LVL 27

Expert Comment

by:tliotta
ID: 22800827
5) If you need to receive incoming requests from multiple systems, you can either monitor multiple queues, or you can set up remote data queues on the additional systems that feed the master data queue on the central system.

Just a minor comment (Gary has it handled fine)... Keep in mind that data queues can be "keyed" also. This can be used to identify targets if necessary -- multiple PC clients could watch for entries directed at them. Or used to identify sources, although the SenderId attribute could also be handy.

Design of the format of the entries can make data queues very flexible. And once in place, the extensibility is great.

Tom

0
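As an added example (not code from this thread or from IBM), here is a Python sketch of the gatekeeping logic Gary describes in his answer and the keyed-entry routing Tom mentions above: the Windows-side monitor parses a dequeued entry, checks the key and the SenderId, and accepts only requests that fully match an externalizable allowlist of regular expressions, executing nothing itself. The KEY|SENDER|DATA layout, the share and host names, the trusted profile and the rules are all constructed for illustration; a real monitor would read entries through the data queue APIs and load the rules from a settings file.

```python
import re
from dataclasses import dataclass
from typing import Sequence
# Constructed allowlist: each rule must match the WHOLE request (re.fullmatch),
# so nothing can be appended to a permitted command. In a deployment these
# rules live in a settings file, as the answer suggests.
ALLOWED_COMMAND_RULES = [
    # copy one report PDF from the fixed staging share to the fixed archive share
    r"copy \\\\APPSRV\\staging\\[A-Za-z0-9_]{1,32}\.pdf \\\\APPSRV\\archive",
    # print one text report on the single permitted printer
    r"print /d:\\\\PRNSRV\\RPT01 \\\\APPSRV\\staging\\[A-Za-z0-9_]{1,32}\.txt",
]
TRUSTED_SENDERS = {"RPTBATCH"}   # constructed: profiles allowed to write the queue
THIS_HOST = "WS0042"             # constructed: key this workstation listens for
SHELL_METACHARS = re.compile(r"[&|<>^%\r\n]")   # cmd.exe chaining/redirection

@dataclass
class DataQueueEntry:
    key: str     # keyed queue: which workstation the entry is addressed to
    sender: str  # SenderId attribute recorded by the queue
    data: str    # the command request itself

def parse_entry(raw: str) -> DataQueueEntry:
    """Constructed entry layout KEY|SENDER|DATA (not an IBM wire format)."""
    key, sender, data = raw.split("|", 2)
    return DataQueueEntry(key.strip(), sender.strip(), data.strip())

def evaluate(entry: DataQueueEntry, rules: Sequence[str] = ALLOWED_COMMAND_RULES) -> tuple[bool, str]:
    """Decide whether an entry may be executed; this function executes nothing."""
    if entry.key != THIS_HOST:
        return False, "not addressed to this host"
    if entry.sender not in TRUSTED_SENDERS:
        return False, f"untrusted sender {entry.sender}"
    if SHELL_METACHARS.search(entry.data):
        return False, "shell metacharacter in request"
    for rule in rules:
        if re.fullmatch(rule, entry.data):
            return True, f"matched rule {rule!r}"
    return False, "no allowlist rule matched"

SAMPLE_ENTRIES = [  # constructed entries as the monitor might dequeue them
    r"WS0042|RPTBATCH|copy \\APPSRV\staging\INV_2008_10.pdf \\APPSRV\archive",
    r"WS0042|RPTBATCH|copy \\APPSRV\staging\INV_2008_10.pdf \\OTHER\share",
    r"WS0042|RPTBATCH|print /d:\\PRNSRV\RPT01 \\APPSRV\staging\daily.txt & dir C:\Temp",
    r"WS0042|QSECOFR|copy \\APPSRV\staging\INV_2008_10.pdf \\APPSRV\archive",
    r"WS0007|RPTBATCH|copy \\APPSRV\staging\INV_2008_10.pdf \\APPSRV\archive",
    r"WS0042|RPTBATCH|print /d:\\PRNSRV\RPT01 \\APPSRV\staging\daily.txt",
]

def run_samples() -> list[bool]:
    # Accept/reject decision per sample: only the first and last are permitted.
    return [evaluate(parse_entry(raw))[0] for raw in SAMPLE_ENTRIES]
```

The rejected samples show the three checks the rexecd model cannot give you: a destination outside the allowed share, a chained second command, an untrusted sender profile, and an entry keyed for a different workstation.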
