NEMS Adagios exposes passwords on screen

Posted: Sat Dec 12, 2020 4:47 am
by Taomyn
Was diagnosing my first attempts to configure NEMS for my Windows servers when I saw to my amazement that my credentials are not protected:
[Screenshot attachment: Clipboard01.jpg]
I hid my private information in the shot but the password is there in clear text. I hope I'm not going to find this showing up more and more as I learn to configure and use NEMS.

Re: NEMS Adagios exposes passwords on screen

Posted: Sat Dec 12, 2020 6:07 am
by Marshman
Taomyn,
Thank you for posting this and many apologies. I have notified Robbie by direct message and I am sure he will fix this as soon as possible. Robbie has very high standards about security and he will most likely reply as well when he sees this.

Again, thank you for posting and trying NEMS.

Re: NEMS Adagios exposes passwords on screen

Posted: Mon Dec 14, 2020 1:30 pm
by Robbie Ferguson
Hi Taomyn,
When you configure your WMI user on your Windows host, you will configure it to only have access to WMI. That account should be a one-trick pony. Your screenshot clearly demonstrates why it is imperative that a user never enter their standard computer user credentials for a check with WMI.

As the administrator user of your NEMS Server, you can indeed see the credentials you have entered.

This is not a weakness in NEMS Linux specifically. This is by design of WMI and WMIC.

The key point to remember is that you are logged in to NEMS as the administrator user and therefore have access to private information such as this. A normal user on your network would not have access to this.

And I reiterate again: The WMI user on your Windows host must only have access to WMI components. This is a user you specifically configure on your Windows machine for WMI communications. Presumably, if you have configured WMI correctly, even if a malicious user on your network were to obtain the user login and password, they couldn't do much more with that than tell how much hard drive space you have free (for example).

This does raise our concerns about the dangers behind unknowing users "accidentally" entering something like administrator credentials for WMI checks, and therefore we will work on further strengthening the instructions regarding WMI user creation in the NEMS Documentation in an effort to keep users safe from potentially risky situations (such as using a Windows user account with admin access to access WMI).

Cheers!
Robbie // The Bald Nerd
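As an added example (not from this thread and not part of NEMS itself), the following Windows PowerShell 5.1 script provisions the kind of "one-trick pony" account Robbie describes: a local user that is not an administrator, can connect to WMI remotely, and has only Enable Account and Remote Enable rights on the namespace. The account name `nems-wmi` and the `root\cimv2` namespace are assumptions; run it in an elevated session on the monitored Windows host.

```powershell
# Added example, not NEMS project code. Account name and namespace are assumptions.
$Name      = 'nems-wmi'        # hypothetical monitoring-only account
$Namespace = 'root\cimv2'      # namespace that typical disk/CPU/service checks query
$Password  = Read-Host -AsSecureString -Prompt "Password for $Name"

# 1. Plain local user; deliberately NOT added to Administrators.
if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Name -Password $Password -Description 'NEMS WMI monitoring (read-only)' `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
}

# 2. Built-in groups that permit remote DCOM/WMI connections without admin rights.
foreach ($Group in 'Distributed COM Users', 'Performance Monitor Users') {
    if (-not (Get-LocalGroupMember -Group $Group -Member $Name -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group $Group -Member $Name
    }
}

# 3. Namespace ACE: WBEM_ENABLE (0x1) + WBEM_REMOTE_ACCESS (0x20) only.
#    No write, no method execute. AceFlags 2 = CONTAINER_INHERIT, so it covers sub-namespaces.
$Sid = (Get-LocalUser -Name $Name).SID.Value
$Sec = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSecurityDescriptor
if ($Sec.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($Sec.ReturnValue)" }
$Descriptor = $Sec.Descriptor
if (-not ($Descriptor.DACL | Where-Object { $_.Trustee.SidString -eq $Sid })) {
    $Trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $Trustee.SidString = $Sid
    $Ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $Ace.AccessMask = 0x1 -bor 0x20
    $Ace.AceFlags   = 2
    $Ace.AceType    = 0        # ACCESS_ALLOWED_ACE_TYPE
    $Ace.Trustee    = $Trustee
    $Descriptor.DACL += $Ace.PSObject.ImmediateBaseObject
    $Result = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' `
        -Name SetSecurityDescriptor -ArgumentList $Descriptor.PSObject.ImmediateBaseObject
    if ($Result.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($Result.ReturnValue)" }
}

# 4. Guard against the exact mistake the thread warns about: admin credentials used for WMI.
if (Get-LocalGroupMember -Group Administrators -Member $Name -ErrorAction SilentlyContinue) {
    throw "$Name is a member of Administrators; remove it before using it for WMI checks"
}
"Account $Name ready: Enable Account + Remote Enable on $Namespace, no admin membership"
```

`Invoke-WmiMethod` and `[wmiclass]` are Windows PowerShell 5.1 features; on PowerShell 7 the same descriptor work needs the CIM cmdlets instead. The Windows Firewall rule group "Windows Management Instrumentation (WMI)" must also be enabled for the NEMS server to reach the host.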