Understanding CiscoWorks2000 Security

• UNIX Systems---CiscoWorks2000 must be installed by a user with root privilege and is installed as the user bin. All files and directories are owned by bin with group also equal to bin. Temporary files are created as the user bin with permissions set to "read-write" for the user bin and "read" for members of group bin. The only exception to this rule is the log files created by the CiscoWorks2000 web server and diskwatcher. The CiscoWorks2000 web server and diskwatcher must be started as "root," therefore, their log files are owned by the user root with "group=bin."

• Windows NT Systems---CiscoWorks2000 must be installed by the administrator and is installed as the user bin. The user bin is created at install time and given a random password.

Caution Do not change the user bin password. If you change it, some important CiscoWorks2000 services will not operate correctly.

The CiscoWorks2000 Server uses the password but the bin user is never intended as a general user of the Windows NT system. No user is ever required to log on the Windows NT system as bin. All files and directories are owned by the user bin. Read and write access are restricted to the user bin and the administrator. Temporary files are created as the user bin with permissions set to read-write for the user bin. The CiscoWorks2000 Server relies on the security mechanisms of the NTFS filesystem to provide access control on Windows NT systems. If CiscoWorks2000 is installed on a FAT filesystem, most security assumptions made about controlled access to files and network management data are not valid.

• UNIX Systems---Typically CiscoWorks2000 back-end processes are executed with permissions set to the user ID of the binary file (for example, if user "Joe" owns an executable file, it will be executed by the CiscoWorks2000 daemon manager under the user ID of "Joe"). The exception are files owned by the root user ID. To prevent a potentially harmful program from being executed by the daemon manager with root permissions, the daemon manager will execute only a limited set of CiscoWorks2000 programs that need root privilege. This list is not documented to preclude any user from trying to impersonate these programs.

All back-end processes are executed with a umask value of 027, which means that all files created by these programs are created with permissions equal to "rwxr-x," with an owner and group of the user ID and group of the program that created it. Typically this will be "bin" and "group=bin."

CiscoWorks2000 foreground processes (typically cgi-bin programs or servlets) are executed under the control of the web server's children processes or the servlet engine which all run as the user bin.

CiscoWorks2000 uses standard UNIX tftp and rcp services. CiscoWorks2000 also requires that user bin have access to the directories that these services read and write to.

The CiscoWorks2000 Server must allow the user bin to run "cron" and at jobs to enable the Resource Manager Essentials Software Management application to run image download jobs.

• Windows NT---CiscoWorks2000 back-end processes are executed with permissions set to the user bin. Some of the special CiscoWorks2000 Server processes are run as a Windows NT service under the "localsystem" user ID.

These processes include:

• Daemon manager

• Web server

• Servlet engine

• Rcp/rsh service

• Tftp service

• Corba service

• Database engine

CiscoWorks2000 foreground processes (typically cgi-bin programs or servlets) are executed under the control of the web server and the servlet engine which all run as the user localsystem. The localsystem user has special permissions on the local Windows NT system but has no network permissions.

CiscoWorks2000 provides several services for RCP, TFTP communication with devices. These services are targeted for use by CiscoWorks2000 applications, but can be used for purposes other than network management.

The CiscoWorks2000 Server uses the at command to run software update jobs for the Resource Manager Essentials Software Image Manager application. Jobs run by the at command run with system level privileges.

• UNIX Systems---The CiscoWorks2000 daemon manager only responds to requests to start, stop, register, or show status for CiscoWorks2000 back-end processes from the CiscoWorks2000 Server.

• Windows NT Systems---The CiscoWorks2000 daemon manager only responds to requests to start, stop, register, or show status for CiscoWorks2000 back-end processes from the CiscoWorks2000 Server.

• UNIX Systems---Systems used by the CiscoWorks2000 Server as remote sources of device information for importing into the Resource Manager Essentials Inventory Manager application, must allow the user bin to perform remote shell operations on the user that owns the device information.

• Windows NT Systems---Systems used by the CiscoWorks2000 Server as remote sources of device information for importing into the Resource Manager Essentials Inventory Manager application, must allow the user bin to perform remote shell operations on the user that owns the device information.