Ned, fair points. For #1 it's a limited-access computer, but Epicor is on - it just requires logging in, something few users do. Those users know their Epicor password.
For #2, we use a naming scheme for new users, so it's pretty easy to figure out a new hire's login name. This is the name that's used in change logs, so it's critical it be 'decipherable' by the average user. While I get your workaround, that's pretty annoying to have to do considering 95% of the users will never touch that login again. That being said, there's a decent chance this will be how we go... I was hoping for some method of defaulting to expired on creation. Maybe a BPM is an option... I'll have to play with it.
Thanks for the feedback,
Ken
________________________________
From: vantage@yahoogroups.com [vantage@yahoogroups.com] On Behalf Of Ned [TechnoBabbly@...]
Sent: Tuesday, January 08, 2013 4:16 PM
To: vantage@yahoogroups.com
Subject: RE: [Vantage] Potential Security Issue
2 things...
1- Even if it is a public computer, you can still require single sign on,
this would just mean that someone would need to log onto the computer with
their domain username and ID first. If these computers are always logged on
with some generic user ID, that in and of itself is a security hole for you
as well in my opinion, and potentially a larger one than the Epicor password
being blank.
2- No one should technically know a new user's username at any given time
unless they created it because it's probably a new employee. Most people
aren't going to know a new employee right away, that should be part of
initial training and introduction to your system. Have them login and update
their password after you create the user (same as you would for their domain
password), just leave them as disabled when you create them if their
training isn't for some later date and you happen to be ahead on your work
queue, although not sure how many people are ever that far ahead. Make it
part of the introduction training and paper signing that they are likely to
do when they show up for their first day of work, or if that's handled
before their actual first day.
----------------------------------------------------------
From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com] On Behalf Of
Ken Williams
Sent: Tuesday, January 08, 2013 1:17 PM
To: Epicor9 Discussion List; Vantage Discussion List;
vantage@yahoogroups.com
Subject: [Vantage] Potential Security Issue
We are on 9.05.700C and I stumbled upon a security issue that may affect
multiple companies, so I wanted to bring it up so you could take steps to
protect against it.
We use single sign-on, it works great, we love it. The security issue is
when we create new accounts in Epicor, since no password is set at that
stage, I can simply change my user within the client, put in their userID
without a password and login.
Here's potential workarounds, I'd love to hear if anyone has any others:
* Check "expire password" at user creation - unfortunately this does not
work, the password doesn't mark expire (at least in 700c)
* Login a couple of times as the new user after creating them, using up
their 3 "free" logins - this does work, the account can then no longer be
logged into because the password is expired (this will be our process for
now)
* Change default settings to expire every password - not sure you can, would
love this option if possible
* Change default settings to disable login if single sign-on is enabled - I
think this is what "require single sign-on" does. This won't work for us, as
some machines are public and we want people to login as themselves to Epicor
on these machines, but single sign-on on their desktops
Any other thoughts or suggestions for this would be welcome,
Ken