Need to block software company tech support back door

Asked by johnhiro007

Hello,
We have an issue with a client's software company.  They purchased a large piece of software that they run their entire business through.  It is accessible both internally and externally.  It runs on a dedicated server (2008 Standard Server and SQL), and the internal application for the office uses a .net application.  It uses IIS for the public facing portals.  Their patients connect to it to view personal account information through a web portal, and the doctors can connect to it remotely to see their schedule, business metrics, etc.

The problem is we have discovered that the software company has built in a back door to their software.  They have a super user account, which my client's admin account cannot disable or even see.  After the software company admitted they had this back door, which they say is only for support purposes, they say there is no way they can disable themselves from having access to it.  My client is not only concerned about their sensitive patient data, but there have even been issues with that software company's techs logging in and changing things, causing problems.

The client has asked for some way they can block the software company, and only allow their patients and doctors to access the system remotely.  They already have a Sonicwall router.

Therefore, I ask you for solutions that would allow the client to block the software company.  I would imagine a firewall could be configured to block all outside access, except for specific IP addresses, which could work for doctors, but the patients would come from any number of dynamic IP addresses, so I'm not sure if someone has a solution there.  Or how about a double authentication system, where people from the outside have to have permission at the router level, and then, if authenticated, they could access the IIS side of the program?  Or any other ideas you might have....

Thanks for all your help in advance!
Tags: Security, Microsoft IIS Web Server, Hardware Firewalls

edster9999:

The firewall does not block people by login. It just doesn't work like that.
It would be far better to tell the company that you DEMAND an update with this login disabled.
If they say no, then let them know that for security reasons you will be letting the other medical teams that use this software know (which maybe you should do anyway).
johnhiro007 (asker):
edster9999:

They have demanded, and the software company says that there is nothing they will do.  The client has too much invested to just go to another software package at this point.  Therefore that brought us to the conclusion that we need to implement full control access.  Even if the software company said their access is disabled, there is NO way we can even verify that as being true.  (And at this point, I have no reason to trust their statements or ability to properly implement standard security)...
Tolomir:

It would help if they need to access a certain page to access the software. You could set a .htaccess file in the folder to block all incoming access attempts.

Don't rely on a fixed IP; if they want, they could manage the software from a dynamic IP as well. If you run a DNS server yourself, you could invalidate their company firewall names. Any outgoing transmission requiring a DNS resolution would then go to 127.0.0.1.

We would need more details on how the superuser accesses the software to give additional hints.

Just stay away from double-authentication for the clients. As said, this is not fool-proof and your helpdesk will not be amused...

Tolomir
edster9999:

Go public. Release details to other people who use this software.
johnhiro007 (asker):
Because the scope of the software company's backdoor is unknown, we wanted to get our protection and control in place before going public and getting very nasty... we don't want them creating another back door, retaliating somehow, etc.

Regarding their backdoor access: the problem is we don't know the full scope.  We do know that they can log in to the doctor portal with their superuser account, using just Internet Explorer.  The .net application that the internal users have on their computers can also be installed on any outside workstation/laptop too, since the software on both sides is configured to get to the server the same way: softwarename.xxxxxxxxx.com, which internally resolves to the server and externally resolves to the same server.  Therefore, the software company can use the .net application at their office and connect to the client's system.

Tolomir: why stay away from double authentication?  I understand the hassle, but if that is the only viable solution, then it should be discussed, right?
Dan Muzrall:

Your best option is to push the software vendor first, and hard.

If you can't get any satisfaction from the software vendor on your own, you may want to look into the HIPAA regs, and contact a lawyer specializing in HIPAA or even DHHS directly.  Inform the software vendor that you're doing this, and that may be enough to spur them into action.

I'd also start checking the log files carefully for login activity.  If you note any "unauthorized" access, you can contact local police and FBI.  I believe that under current regulations, any unauthorized system access is labeled as a criminal act.  Let the software vendor know about this in writing (official notice), and that your client will pursue legal action against them for unauthorized access.

Due to the sensitive nature of medical records and scheduling, I would definitely recommend implementing dual form factor logins.  
alreadyinuse:

I agree with the above, but if this is running in IIS, do you see any bindings with non-standard ports being used? They may be connecting using HTTP, but on non-standard ports for remote administration. Also, on the local server you can use the local firewall to lock down all ports except the required ones. This would help narrow down how they can remotely access the application.
Les Moore (accepted solution; text not available in this copy):
johnhiro007 (asker):
moonie42: Thanks for the suggestion.  However, like I previously mentioned, there is no way to verify the backdoor is closed, or that a new one was not created, so it does not make sense to push them, as they can simply say: "It's fixed."

alreadyinuse: How do I check other ports being used?  I can tell you that we only have the http and https ports configured in the Sonicwall to be forwarded into the client's server.  So it seems as if that would be the only way they can get in?

Irmoore: They currently have a sonicwall tz-180, can this do the double authentication you are describing?  If not, can you suggest a decent SMB device that would do what is needed?

Thanks!
Les Moore (solution; text not available in this copy):
johnhiro007 (asker):
Irmoore: Thank you for your information.  I'll have to research viable hardware routers for SSL VPN.

Everyone else: does anyone have any other possible suggestions/alternatives, or known experience w/ the Sonicwalls?

Thanks!
johnhiro007 (asker):
I do not think the question should be deleted.  A solution looks to be an SSL VPN, but I was waiting for someone to speak up who has specific experience with the Sonicwalls or other solutions altogether.  Is there a way to get another round of people re-evaluating the original question?  If not, I guess I should just accept an answer about the SSL VPN and close the question?
digitap (solution; text not available in this copy):
johnhiro007 (asker):
digitap:
GVC says: Licensed - 1 license (0 in use)
OS: SonicOS Standard.

Regarding some solution to address the 'reach out and touch' type access: is there a method to track/log outgoing connections, then determine what they use, and lock that down?  In other words, have them log into the server remotely how they normally do, then somehow monitor that activity, which would tell us the outgoing connection info, IP address, etc., then use that info to create a rule in the firewall to block it going forward?
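One way to carry out the monitoring the asker describes above, and the log review Dan Muzrall suggested earlier: an added Python example, not code from this thread, that summarises an IIS W3C log by client address inside an agreed window in which the vendor was asked to perform a support login. The sample log, its field list and all addresses are constructed.

```python
"""Summarise IIS W3C log traffic by client IP inside an agreed time window.

Added example, not from the thread: the admin asks the vendor to log in during a
known window, then sees which addresses hit the portal in that window before
deciding what to block at the firewall. Field order comes from the #Fields header.
"""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"  # IIS writes date/time in UTC by default

# Constructed sample log (IIS replaces spaces in User-Agent with '+').
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2010-03-01 14:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2010-03-01 14:01:12 10.0.0.5 GET /portal/login.aspx - 443 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+8.0) 200
2010-03-01 14:01:30 10.0.0.5 POST /portal/login.aspx - 443 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+8.0) 302
2010-03-01 14:02:05 10.0.0.5 GET /portal/admin/config.aspx - 443 198.51.100.23 Mozilla/4.0+(compatible;+MSIE+8.0) 200
2010-03-01 14:03:44 10.0.0.5 GET /patient/balance.aspx - 443 203.0.113.77 Mozilla/5.0+(Windows) 200
2010-03-01 15:10:00 10.0.0.5 GET /portal/login.aspx - 443 192.0.2.9 Mozilla/4.0+(compatible;+MSIE+8.0) 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat after a log rollover
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def sessions_in_window(text, start, end):
    """Return {client_ip: {"hits", "paths", "agents"}} for requests whose
    timestamp lies in [start, end] (both "YYYY-MM-DD HH:MM:SS" strings, UTC)."""
    lo, hi = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    seen = defaultdict(lambda: {"hits": 0, "paths": set(), "agents": set()})
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], TS_FMT)
        if lo <= ts <= hi:
            entry = seen[rec["c-ip"]]
            entry["hits"] += 1
            entry["paths"].add(rec["cs-uri-stem"])
            entry["agents"].add(rec["cs(User-Agent)"])
    return dict(seen)

if __name__ == "__main__":
    # Window in which the vendor was asked to perform its support login.
    for ip, info in sorted(sessions_in_window(SAMPLE_LOG, "2010-03-01 14:00:00", "2010-03-01 14:30:00").items()):
        print(ip, info["hits"], sorted(info["paths"]), sorted(info["agents"]))
```

Addresses that appear in the window but match no known doctor or staff location, and that reach paths patients never use, are the candidates for a firewall rule; a vendor on a dynamic address can still move, so the result is a starting point rather than a permanent block list.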
digitap (solution; text not available in this copy):
johnhiro007 (asker):
This question now has activity, it does not need to be deleted.
johnhiro007 (asker):
Digitap:
1) Regarding GVC:  Those licenses are about $40 each, so giving them out to everyone, including patients would be expensive... Is this what you were suggesting though?

2) Regarding reporting/control: Would a TZ100 be better than the TZ180 for what is needed?

3) Regarding external access: The software was installed remotely by the software company, and part of its functionality is for any joe schmo patient to access the system, so I'm not sure a VPN for everyone is viable...

Thanks!
digitap:

1. yes, that would be expensive.

2. the tz100 would be enhanced OS and would give you better control.

3. a vpn may not be the best option here. so, to clarify, is this an EMR solution? how many server components are we talking about? for instance, one web server and one database server?

the reason for the questions is, i'm thinking about best practice. if you deploy a web server, then you deploy it in a DMZ, and all other servers go on your LAN. if the web server needs access to internal servers (i.e., SQL), then you open ports ONLY for SQL and ONLY to that server. then, if support logs onto the web server, they don't have access to your entire network just because they have access to the web server.

either way, you could still put all their servers into a DMZ. get good backups. if they get in, then you can control their access to your other servers and devices.
johnhiro007 (asker):
2) Does getting an SSL VPN make sense in this case (and are licensed by concurrent users, rather than by the number of user accounts?)

3) It's not really a total EMR solution, more of a place patients can verify schedules and account balances, and doctors can see their schedule.  They have two servers: the 1st is SBS 08/Domain Controller, which we have full control over; the 2nd is this server that only has their software.  The staff access it internally, and of course the external access is what we have been talking about.  It's a 2008 Standard server w/ SQL.  It uses IIS.

digitap:

2. how many users are you anticipating? the TZ100 only allows 10 concurrent users.

3. ok...good, you can draw a distinct line between your two servers. i'd put their server in a DMZ. doesn't necessarily need to be a DMZ in a traditional sense where the server has a public IP address. rather, you'd put it on a different subnet and zone so you can set firewall access rules between your two networks. you'd have to determine what ports would need to be opened. since the SQL database is on the IIS, you may only need to allow 443/80 access from your LAN.
johnhiro007 (asker):
2) More than 10, so is that where an SSL VPN like the SSL VPN 200 comes in?

3) Regarding the separating of the two servers as you are describing, here are additional details which may need to be considered.   This 2nd server logs in using a domain account to the primary server.  The 2nd server is also able to communicate with Exchange on a low level, as it can add appointments to users' Outlook calendars and can send out email alerts through the first server.  So I'm concerned about cutting that communication channel off... But from what I'm understanding you are saying, if the two servers can be put on different subnets, the router can then have different rules for each one (in other words, the router/firewall cannot have rules per specific IP?)
digitap:

2. yes. you'll want an ssl-vpn appliance to handle that traffic. also, with the ssl-vpn, you can setup bookmarks. when the client connects to the ssl-vpn, you can have it launch the website automatically.

3. i don't think that's possible within the zone. when hosts are on the same subnet, they don't have to go through the sonicwall as they are aware of other hosts on the same subnet. typically, hosts don't talk to the gateway (sonicwall) unless they are unable to resolve the route to a host.

it sounds like the relationship between the two servers is enough that control would be highly complicated...in that knowing which ports to open is almost prohibitive. controlling at the point of entry (ssl-vpn) is really the only method you have for control.
johnhiro007 (asker):
2) The SSL-200 seems to be old now; is it still relevant/current, or what would be the best/easiest SSL VPN?

2b) Does each user have to have a $40 license even with the SSL-VPNs?  If so, are there ways to license by concurrent users rather than named users?

Thanks!
digitap (solution; text not available in this copy):