
Security: stop using WindchillDS Admin Account for Apache authentication


Windchill's Apache server only needs to check supplied user credentials against the WindchillDS LDAP server; there is no need to use the WindchillDS Administrator account to do this. It should be performed by a lower privileged "Read Only" account.


If the Admin credentials are compromised, it is a simple matter to change the wcadmin password and then log in through the Windchill UI as wcadmin and have complete access to the system and its data.


In my experience, you should always use the lowest privileged account possible in this sort of situation, especially if the credentials are hard-coded in plain text in the Apache auth config files.

You can obviously do this yourself manually on your own systems, but this should be the default config from PTC as far as I am concerned.

Rgds

Gary
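An added example, not part of the original post and not PTC's code: a small audit that flags Apache `mod_authnz_ldap` bind settings using a directory administrator DN or a plain-text bind password. The admin DN list, hosts, DNs, helper path and secrets in the sample configs are constructed assumptions.

```python
import re
import shlex

# Assumption: DNs treated as directory administrators; adjust for your directory.
PRIVILEGED_BIND_DNS = frozenset({"cn=manager", "cn=directory manager"})

# Constructed sample configs (hosts, DNs, paths and secrets are made up).
WEAK_CONF = """\
<Location /Windchill>
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://ldap.example.com:389/ou=people,dc=example,dc=com?uid"
  AuthLDAPBindDN "cn=Manager"
  AuthLDAPBindPassword "constructed-admin-secret"
  Require valid-user
</Location>
"""
HARDENED_CONF = """\
<Location /Windchill>
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://ldap.example.com:389/ou=people,dc=example,dc=com?uid"
  AuthLDAPBindDN "uid=apache-ro, ou=people, dc=example, dc=com"
  AuthLDAPBindPassword "exec:/usr/local/bin/get-bind-pw"
  Require valid-user
</Location>
"""

def normalize_dn(dn):
    """Lower-case a DN and drop spaces around ',' and '=' so variants compare equal."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def audit_ldap_bind(conf_text, privileged=PRIVILEGED_BIND_DNS):
    """Return (line_no, finding) tuples; the password value is never returned."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        try:
            tokens = shlex.split(line)  # honours quoted directive arguments
        except ValueError:
            continue  # unbalanced quotes: not a line this check understands
        if len(tokens) < 2:
            continue
        directive, value = tokens[0].lower(), tokens[1]  # directives are case-insensitive
        if directive == "authldapbinddn" and normalize_dn(value) in privileged:
            findings.append((line_no, "privileged-bind-dn"))
        elif directive == "authldapbindpassword" and not value.startswith("exec:"):
            findings.append((line_no, "plaintext-bind-password"))
    return findings
```

The check only looks at what the Apache config names; whether the replacement account is actually read-only depends on the access controls set in the directory itself.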


1 Comment
olivierlp
Community Manager
Status changed to: Archived

Hello,

We are archiving your idea as part of a general review. This action is based on the age of your idea and the total number of votes received, as per this announcement.

You can always post a new idea with all the details required in the form.

Thank you for your participation.