cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Security and URL attachement

Highlighted
Pearl

Security and URL attachement

Recently I've noticed one of our regions is adding (on the Content Tab) URLs to outside websites.  Since we are a cloud based system, I am extremely concerned about that site being an opening into our system.  Which makes me wonder about a couple questions.

1. Has anyone experienced anything like a security breach via an external URL link? 

2. What is the easiest way to restrict people from adding URLs to WTParts or WTDocuments?  

James  

Windchill 11.0 M030 CPS08

URL.png

 

6 REPLIES 6

Re: Security and URL attachement

I am not sure if this will allow you to do it but did you try creating a rights policy for URLDefinition?  It's a sub-type of WTObject.

Re: Security and URL attachement

@STEVEG   I discovered that I can shut down all URLs in Windchill that point to external sites.  On Page 315 of Windchill Customization Guide (11.0 M030 June 2017 Document Version 11.03.01) I discovered the following. 

It looks like it will do what I'm thinking, however I'm not quite sure just yet I want to turn them off completely.   According to the PTC tech I talked to, any previous URLs would simply not work if I did this. I'm just not sure what sort of security hazard external links might be.
James

Remove_URL.png

Re: Security and URL attachement

Nice find.

Re: Security and URL attachement

Thanks @STEVEG    I'm still very curious about the risk with external links like this.  Am I over blowing the situation?

 

James

Re: Security and URL attachement

I am not sure if there is anyone that can definitively one way or the other.

Re: Security and URL attachement

Our Cyber Security person asked these questions.  I think I'll create a PTC ticket and ask them.

 

Since you are adding several URLs to various external sites it is important to check :

 

  1. External website is linked to the Windchill webpage in such a way that it does not share any authentication credentials.
  2. HTTP session details should not be shared with the external sites.
  3. Confirm with Windchill that their HTML source code is secured from HTML injection attack.