[wsas-java-dev] Security improvements to WSAS
Samisa Abeysinghe
samisa at wso2.com
Sun Feb 4 21:39:19 PST 2007
James Clark wrote:
> On Mon, 2007-02-05 at 10:57 +0530, Afkham Azeez wrote:
>
>> We need to force the Admin user to change the default password the first
>> time he tries to log in, since there is a possibility someone may forget
>> to change this when WSAS is used in production.
>>
>
> If the Admin user has not yet logged in, what IP addresses is WSAS
> listening on? Is there a window of vulnerability between
>
> - the time when WSAS is installed and
> - the time when the Admin user changes the default password
>
> during which somebody unauthorized can log in using the default password
> from any IP address that can reach the WSAS machine? If so, then perhaps
> we need a better scheme.
>
> It's tough to get the initial setup to be both secure and convenient.
>
Why should the initial setup be that secure? I do not think anyone would
deploy the initial setup in a production environment.
Samisa...
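As an added illustration, not code from this thread or from WSAS, of the first-login policy Azeez proposes, narrowed to the window James raises: the installer default is honoured only from the loopback address, and only far enough to reach the forced change page, so it is never usable from any other IP address. The default value, the eight-character minimum and the loopback check are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Hypothetical first-login policy for the admin account (example only, not WSAS code). */
public class AdminLoginPolicy {
    public enum Result { DENIED, PASSWORD_CHANGE_REQUIRED, OK }

    // Assumed installer default; the thread does not state the real one.
    private static final byte[] INSTALLER_DEFAULT = "admin".getBytes(StandardCharsets.UTF_8);

    // Kept as raw bytes to keep the example short; a real store holds a salted hash.
    private byte[] currentPassword = INSTALLER_DEFAULT.clone();
    private boolean usingDefault = true;

    /** Constant-time comparison so response time does not reveal how many bytes matched. */
    private static boolean matches(byte[] expected, String supplied) {
        return MessageDigest.isEqual(expected, supplied.getBytes(StandardCharsets.UTF_8));
    }

    private static boolean isLoopback(String remoteAddr) {
        return "127.0.0.1".equals(remoteAddr) || "::1".equals(remoteAddr)
                || "0:0:0:0:0:0:0:1".equals(remoteAddr);
    }

    public Result authenticate(String supplied, String remoteAddr) {
        if (!matches(currentPassword, supplied)) {
            return Result.DENIED;
        }
        if (usingDefault) {
            // The default credential is refused from every non-loopback address,
            // so the install-to-change window is not reachable over the network.
            if (!isLoopback(remoteAddr)) {
                return Result.DENIED;
            }
            return Result.PASSWORD_CHANGE_REQUIRED; // no other admin operation yet
        }
        return Result.OK;
    }

    /** Called from the forced change page; refuses to keep the default. */
    public boolean changePassword(String newPassword) {
        if (newPassword.length() < 8 || matches(INSTALLER_DEFAULT, newPassword)) {
            return false;
        }
        currentPassword = newPassword.getBytes(StandardCharsets.UTF_8);
        usingDefault = false;
        return true;
    }

    public static void main(String[] args) {
        AdminLoginPolicy p = new AdminLoginPolicy();
        System.out.println(p.authenticate("admin", "10.0.0.5"));
        System.out.println(p.authenticate("admin", "127.0.0.1"));
        System.out.println(p.changePassword("admin"));
        System.out.println(p.changePassword("correct-horse-9"));
        System.out.println(p.authenticate("correct-horse-9", "10.0.0.5"));
    }
}
```

The remote address must be the socket peer address, not a client-supplied header, or the loopback check can be spoofed.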