Protect provisioning admin


marsbewohner

Hello,

 

recently one of our users managed to reconfigure the provisioning admin on his phone, which we deployed via the Snom One. He did so by navigating on the phone to Settings/Network/Webserver/ and just changed the HTTP admin password.

 

How can we remove/protect this option, to prevent users from reconfiguring their local phone? Especially as we rolled out a global HTTP admin password via Snom One, how can he overwrite this locally if he does not know the one that we've rolled out via PNP?

 

At least the phone should ask for the current one before accepting a new one.


It is indeed interesting that he could even log on. He should not be able to do that (that's the plan!). Are you keeping the provisioning files in the generated directory? There you can check what has been provisioned to the phone and whether it contained the right password.


Well, actually I do not delete them, but the folder just contains a subfolder with the domain name and in there another two with some old test extensions. The currently active ones (30+) don't have their own folders. Should they?

 

But nevertheless the phones are working and provisioning too; I add about 1-2 per week. Also the custom provisioning admin name which I provided got installed on the phone, so he could change that specific account, knowing its name (or having it exposed as the user name by the phone).


You mean there is a loophole so that the user could get from user login to admin login on the phone?

 

Anyway, I think the important part is that when the user reboots, the phone fetches the admin password again and hopefully any local changes that he might have made are then overwritten.


I'm not sure, he just managed to work it out. The phone just let him navigate to the position I posted earlier, showed the custom name of the admin which we assigned to the HTTP interface, and he changed the password locally.

 

From my understanding a) he should not be able to see the actual name of the admin user and b) he should not be able to change the password without knowing the current one.

 

So it looks like the phone is running in admin mode or he could just switch over from user to admin mode. I expect that the phone automatically switches to user mode after a reboot without any custom actions?

 

Regarding the \generated\%localdomainname%\ folder, should it contain a unique folder for every extension that is running on the Snom One?


So it looks like the phone is running in admin mode or he could just switch over from user to admin mode. I expect that the phone automatically switches to user mode after a reboot without any custom actions?

 

Good point. I quickly checked the wiki for the phones, but could not figure out what the PBX needs to provision in order to have it in user mode.

 

Regarding the \generated\%localdomainname%\ folder, should it contain a unique folder for every extension that is running on the Snom One?

 

Yes, every extension should have its own folder.


Good point. I quickly checked the wiki for the phones, but could not figure out what the PBX needs to provision in order to have it in user mode.

Ok, would be great if you or someone from your team could check this :) I would assume that the system automatically puts the devices in user mode after restarting.

 

Yes, every extension should have its own folder.

That's interesting, what could cause the system not to have or create these folders? Host is a Windows 7 x86 platform.


Guest madigan

Unless you provision the phone to run in user mode, you will always be able to change both the HTTP user name / password and the admin password.

 

I just don't understand how he could log in to the web interface in the first place! Is the web interface protected at all? Have you configured the HTTP user name and password in your provisioning file?

 

Good point. I quickly checked the wiki for the phones, but could not figure out what the PBX needs to provision in order to have it in user mode.

The provisioning file must contain the following entry:

 

<admin_mode perm="">off</admin_mode> (Default value is "on".)


There is a setting in admin/pnp/general whether the PBX should write those files to the file system or to the log.

Ok, this is set to log, so it explains why there are no files.

 

Unless you provision the phone to run in user mode, you will always be able to change both the HTTP user name / password and the admin password.

This is something which should be the other way round by default, as all the other competitors have it.

 

I just don't understand how he could log in to the web interface in the first place! Is the web interface protected at all? Have you configured the HTTP user name and password in your provisioning file?

Yes it is, the HTTP/provisioning admin is set in Snom One, and when I open any of the phones it asks me for the user/password on the HTTP page. He simply worked around this by resetting the admin password from the phone menu and logged in with that afterwards.

 

The provisioning file must contain the following entry:

<admin_mode perm="">off</admin_mode> (Default value is "on".)

Thanks, will add this!


Guest madigan

This is something which should be the other way round by default, as all the other competitors have it.

Good to hear that it will be added to the provisioning template then. If we disabled admin mode by default in the phones we would get flooded with support requests. ;)

 

He simply worked around this by resetting the admin password from the phone menu and logged in with that afterwards.

But then he must have known the admin password too! In order to do a factory reset using the phone GUI you are forced to enter the admin password. And even if he somehow managed to reset the phone, it should have received its passwords through provisioning again. So I'm still wondering what exactly has happened..


Good to hear that it will be added to the provisioning template then. If we disabled admin mode by default in the phones we would get flooded with support requests. ;)

Yes, changing that without announcing it could cause some trouble ;)

 

But then he must have known the admin password too! In order to do a factory reset using the phone GUI you are forced to enter the admin password. And even if he somehow managed to reset the phone, it should have received its passwords through provisioning again. So I'm still wondering what exactly has happened..

And that's the point, he did so without knowing or being asked for it. ;) The result was that he reconfigured something on the phone interface that caused the phone to be stuck for 2 days without any notice (had to reboot it to unfreeze it, but that's another thing). But as you wrote, thanks to the provisioning the phone reinitialized itself with the correct server-based configuration during the restart. I just want to prevent this from happening again.


Alright, so far we had the admin mode "on" by default. I think it makes sense to change the default to "off". That way "users" get access to the phone in "user mode". If they want to "administer" the phone, then either they have to be administrators or contact the administrator for the PIN (which is actually the "Domain->Settings: Authentication PIN" value).

 

Also, if the system administrator decides that it is okay for his users to log in to the phone as admins, then he can change the snom_3xx_phone.xml template file (for 3xx series phones). I think that is much easier than introducing another extension-level parameter to control this behavior.

 

So the future PBX version will have <admin_mode perm="">off</admin_mode> in the template files.

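A small check that follows from this thread, added here as an example and not code from the forum posters or from Snom One: since the PBX can be set to write the generated provisioning files to the file system (admin/pnp/general), you can audit those files for the <admin_mode perm="">off</admin_mode> entry instead of trusting the template. The <settings>/<phone-settings> wrapper, the http_user/http_pass element names and the sample files below are assumptions made for the example; admin_mode and its perm attribute are the entry named in the thread. The script reports files that leave the phone in admin mode (entry missing or not "off") and can rewrite a file so the entry is present and set to off.

```python
import xml.etree.ElementTree as ET

# Constructed sample files (not real PBX output). The wrapper element names and the
# HTTP credential settings are assumptions made for this example.
SAMPLE_OPEN = """<settings>
  <phone-settings>
    <http_user perm="">pbxadmin</http_user>
    <http_pass perm="">changeme</http_pass>
  </phone-settings>
</settings>
"""

SAMPLE_ON = """<settings>
  <phone-settings>
    <http_user perm="">pbxadmin</http_user>
    <http_pass perm="">changeme</http_pass>
    <admin_mode perm="">on</admin_mode>
  </phone-settings>
</settings>
"""

SAMPLE_LOCKED = """<settings>
  <phone-settings>
    <http_user perm="">pbxadmin</http_user>
    <http_pass perm="">changeme</http_pass>
    <admin_mode perm="">off</admin_mode>
  </phone-settings>
</settings>
"""


def audit_admin_mode(xml_text):
    """Return a list of findings; an empty list means the file puts the phone in user mode.

    A missing admin_mode entry is reported as a finding because, per the thread, the
    phone's own default for this setting is "on".
    """
    root = ET.fromstring(xml_text)
    findings = []
    nodes = root.findall(".//admin_mode")
    if not nodes:
        findings.append("admin_mode missing: phone falls back to its default (on)")
        return findings
    for node in nodes:
        value = (node.text or "").strip().lower()
        if value != "off":
            findings.append(f"admin_mode is '{value}', expected 'off'")
    return findings


def lock_admin_mode(xml_text):
    """Return the file with <admin_mode perm="">off</admin_mode> present and set.

    Existing admin_mode entries are set to off; if none exists, one is appended to the
    (assumed) <phone-settings> container, or to the root if that container is absent.
    """
    root = ET.fromstring(xml_text)
    nodes = root.findall(".//admin_mode")
    if not nodes:
        container = root.find(".//phone-settings")
        if container is None:
            container = root
        nodes = [ET.SubElement(container, "admin_mode")]
    for node in nodes:
        node.set("perm", "")
        node.text = "off"
    return ET.tostring(root, encoding="unicode")


def audit_many(files):
    """Audit a mapping of name -> file text; return only the names that need fixing."""
    return {name: f for name, text in files.items() if (f := audit_admin_mode(text))}


if __name__ == "__main__":
    samples = {"open.xml": SAMPLE_OPEN, "on.xml": SAMPLE_ON, "locked.xml": SAMPLE_LOCKED}
    for name, findings in audit_many(samples).items():
        print(name, "->", "; ".join(findings))
    print(lock_admin_mode(SAMPLE_OPEN))
```

Point it at the per-extension folders under \generated\ once the PBX is writing files rather than logging them; a phone whose file shows up in the audit output will still let the user reach the HTTP admin account from the phone menu, regardless of how strong the provisioned password is.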
