
SANS ISC InfoSec Forums

Neo-legacy applications
>>Many of these apps date back to more innocent times. At least one accounting package I had to support was an old MS-DOS BTRIEVE database app thinly wrapped in a Windows UI.

There is probably a lot to this actually. There are probably a lot of legacy applications out there that are masquerading as something modern and up to date. Nobody really understands how they work any more, so the tendency is to not make changes unless you absolutely have to.


43 Posts
Custom applications written by government contractors have been getting a lot better in this regard in recent years. Where I work they're being written and updated to run under the Standard Desktop Configurations and must receive regular C&A examination to renew their authority to operate/connect. It's not a perfect process, but custom applications are getting a lot better.

5 Posts
"Applications that require users to be in the local admins group on the local workstation."

Yep, we got some of those. I shudder every time I think about it.
You get the same with "Araldite Inc." and their famous resin. They can warrant that it was manufactured properly, but they do not warrant that your joint will hold your shelf up.

To get a warranty on the joint, an Araldite engineer would have to visit your house, make the joint, insure against the possibility of a fault, and so on. Possible but extremely expensive and the market would be small.

So you do need a division between "your business" and "your vendor's business".

Security is a user management responsibility. You can buy in 'security' from vendors, but still the buck stops with the management of the business that uses the product.

Not sure it can be otherwise.
Two more vendor absurdities:

One vendor said they will only support their product on IIS WITH ALL DEFAULTS. Any changes and they will not support the product.

One vendor MANDATED that the MSSQL SA password be blank, which is how Slammer worked. Very funky router rules and monitoring were needed to keep resetting the app until the vendor patched it.

11 Posts
In Canada there are effectively two software suites that are used for pharmacies (the "highly confidential information" being client data and medical histories). The one I've set up several times (I was not consulted prior to the five-figure sale) required local Administrator privileges, required the folder containing the software be marked Everyone/Full Control, required that the MS-SQL 'sa' user have no password, and that several per-workstation values for locking down DCOM be disabled. I wasn't happy, and I did my best to make the client understand how astronomically bad this was.

They also had no understanding of standard network isolation techniques, using a machine with two network cards as a gateway/router. The most complicated setup they have ever used was two workstations, one pretending to be a server. And yes, they did blame legitimate software support issues on the hardware setup, or slightly restricted permissions.

As an aside, the software was written using Delphi 10. I can tell these things. (I like Delphi. I don't know what these guys were smoking, though. ;)

Hell, I'll name 'em, as none of my current clients use the software any more: A painful time in my sysadmin life.

11 Posts
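The three demands in the pharmacy post above (local Administrator, Everyone/Full Control on the install folder, blank 'sa' password) are easy to audit before a vendor talks a client into them. The script below is an added example, not code from the original thread or from any pharmacy vendor; the instance name `.\SQLEXPRESS` and the folder `C:\Program Files\PharmacyApp` are placeholder assumptions.

```powershell
# Added example (not from the original post): audit a workstation for the
# vendor demands described in the thread. $SqlInstance and $AppFolder are
# assumed placeholders; change them for the environment being checked.
param(
    [string]$SqlInstance = '.\SQLEXPRESS',
    [string]$AppFolder   = 'C:\Program Files\PharmacyApp'
)

function Test-BlankSaPassword {
    param([string]$Instance)
    # Attempt a SQL-authenticated login as 'sa' with an empty password.
    # $true  = login succeeded (finding)
    # $false = login rejected with error 18456 (wrong password, sa disabled,
    #          or instance in Windows-authentication-only mode)
    # $null  = inconclusive (instance unreachable, protocol disabled, ...)
    $cs   = "Server=$Instance;User ID=sa;Password=;Connect Timeout=5"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        return $true
    } catch [System.Data.SqlClient.SqlException] {
        if ($_.Exception.Number -eq 18456) { return $false }
        Write-Warning "Cannot test ${Instance}: $($_.Exception.Message)"
        return $null
    } finally {
        $conn.Dispose()
    }
}

function Test-EveryoneFullControl {
    param([string]$Path)
    # Look for an Allow ACE granting FullControl to the well-known
    # Everyone SID (S-1-1-0). Resolve names to SIDs so localisation
    # ("Everyone" vs. "Jeder") does not matter.
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq 'S-1-1-0' -and
            $ace.AccessControlType -eq 'Allow' -and
            ([int]($ace.FileSystemRights -band $full) -eq [int]$full)) {
            return $true
        }
    }
    return $false
}

function Test-CurrentUserIsLocalAdmin {
    # $true when the current token is in BUILTIN\Administrators. Under UAC a
    # non-elevated session of an admin user reports $false, so run this from
    # the context the application actually runs in.
    $id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Run the checks and print a one-line verdict per item.
$folderResult = if (Test-Path -LiteralPath $AppFolder) {
    Test-EveryoneFullControl -Path $AppFolder
} else { $null }

$findings = [ordered]@{
    'sa login accepts a blank password'   = Test-BlankSaPassword -Instance $SqlInstance
    "Everyone:Full Control on $AppFolder" = $folderResult
    'current user is a local Administrator' = Test-CurrentUserIsLocalAdmin
}

foreach ($k in $findings.Keys) {
    $v = $findings[$k]
    $state = if ($v -eq $true) { 'FAIL' } elseif ($v -eq $false) { 'ok' } else { 'n/a' }
    '{0,-5} {1}' -f $state, $k
}
```

Any FAIL line is the point to push back on the vendor with: disable the 'sa' login and give the application its own least-privileged SQL login; replace Everyone:Full Control with Modify for the users' group on the data subfolder only; and run the application under a standard user, using a Process Monitor trace of ACCESS DENIED results to find the handful of keys and folders it really needs.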
@Tisiphone, try an environment where you have a system, but there's an enterprise solution for patching, antivirus, HIDS, log management, forensics, and local system policies. All of these "solutions" run agents and require system privileges. And they're all owned by other groups. So instead of decreasing the amount of administrators to a system, you're multiplying them and distributing them among other organizations. You're no longer the owner of your own system. :(
12 Posts
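The post above describes a pile of agents, each running as SYSTEM and each owned by a different team. Making that pile visible is the first step; the function below is an added example (not from the original post or from any of the tools mentioned) that lists every service running as LocalSystem together with who signed its binary, so the "other groups" that effectively administer the box can be counted.

```powershell
# Added example (not from the original post): inventory of services running
# as LocalSystem, with the Authenticode signer of each service binary.
# No environment-specific assumptions; works with Get-CimInstance (PS 3+).
function Get-SystemServiceInventory {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' } |
        ForEach-Object {
            # PathName may be quoted and may carry arguments; keep the executable only.
            $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
                   else { ($_.PathName -split ' ')[0] }

            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                Get-AuthenticodeSignature -FilePath $exe
            } else { $null }

            [pscustomobject]@{
                Service = $_.Name
                State   = $_.State
                Binary  = $exe
                Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
                          else { '(unsigned or file not found)' }
                SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
            }
        }
}

# Count SYSTEM services per signer: each non-Microsoft signer is, in
# practice, another party with administrative control of the machine.
Get-SystemServiceInventory |
    Group-Object Signer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Signer is a coarse proxy for ownership, but it is a cheap one: a long tail of distinct vendors, or services whose SigStatus is anything but Valid, is exactly the "you're no longer the owner of your own system" problem in a form that can be put in front of the teams that deploy those agents.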
