Protecting 1С:Предприятие (1C:Enterprise) from hacking in an organisation that performs design work
The use of 1C:Enterprise in a company that carries out turnkey projects has several features: first, the stored data is of rather high value; second, remote work with the database is necessary; third, the data about all the varied work done within a turnkey project is, as a rule, stored in one place. Protecting the 1C:Enterprise database is therefore a real concern for the system administrator of a design organisation that carries out turnkey projects.
Let us consider the methods of hacking and protecting 1C:Enterprise in the local and network (DBF) version.
Hacking usually consists of two stages. The first stage is theft of the database by copying it; the second stage is analysis of the stolen database. To copy the database the user usually uses standard Windows tools such as Explorer, with which the DBF files of the database are copied to a diskette.
As a rule, the analysis is done in Excel.
It should be noted that this method of hacking cannot be countered by programmatic solutions written in the 1C language. The thief does not need to crack passwords or bypass the program; he gets access to the data directly, bypassing 1C altogether. This is an important point about the "kindergarten" level of protection in 1C. I have met charlatans who offer to build a "gadget" into the 1C configuration for "100% protection". That is simply wasted money; protection must cover the data itself.
Now let us turn to protection. The situation is difficult: the 1C database is not encrypted, it is stored in a well-known format, and user access to it cannot be closed, since the users work with it. One can try to set the hidden attribute on the database files, but understand that this is protection only against a fool. If your 1C runs under Windows NT (Windows 2000, Windows XP), the configuration and the password file can be closed against modification by users, but the data cannot. Draconian work rules can be introduced and floppy drives removed from users' machines. However, users can send the stolen database by e-mail, analyse it on the spot without carrying it out of the company, or simply come in with a notebook or a portable drive.
Reliably protecting the database in this version, even from novice users, is practically impossible.
Let us consider the methods of hacking and protecting 1C:Enterprise under a Terminal Server.
Microsoft Terminal Server has a deserved reputation as a good solution when 5-10 users work with 1C on many poor computers. When a terminal is used, the user works with the program not on his own machine but on the terminal server; the user controls the program through a special terminal window. The terminal is convenient because it allows 1C to run on weak and old machines. Another aspect of the terminal is the possibility of raising the security of 1C. The increase in security does not occur automatically upon installing the terminal; serious configuration is required. The point of the configuration is to hide file-copying tools from the user on the terminal and to allow him to work only with 1C. If the terminal is configured correctly, the user lands directly in 1C after logging on; this is the variant we will consider.
The confidence of many administrators in the reliability of MS Terminal Server's protection only makes the problem easier for the attacker. Hacking a database under the terminal also usually consists of copying the database and subsequently analysing it. While the analysis is done as before, copying the database requires some tricks from the user. The first thing the intruder checks is where the administrator has made a mistake in the terminal configuration. Starting 1C at terminal logon can be configured on the client or on the server. Configuring it on the client is easier, and most administrators take that path. To remove the 1C autostart from the client, it is enough to open Client Connection Manager, go to the connection properties and clear the "Start the following program" checkbox. After that the intruder logs on to the terminal but lands not in 1C but on the Desktop, and copies the database.
If the administrator has done a good job on security, one of the following methods may work. Once in 1C, the user presses Ctrl+O or Ctrl+S and a file dialog appears. In the file name field he enters *.DBF, then navigates to the 1C database directory, selects it while holding Shift and copies it to the Clipboard with Ctrl+Ins. Then he browses upward through the directories in the dialog until he finds Network Neighborhood. Usually a machine on the network is opened and the database is copied to its shared folder by pressing Shift+Ins. A shared folder can also be created on a floppy drive via the Sharing tab in the properties of the diskette's folder.
Besides this method, the user can, using semi-documented capabilities of 1C, do the following: launch the Far file manager remotely from 1C, run a special configuration or external 1C report that secretly copies the database, or force 1C itself to copy the database through manually entered commands.
Network sniffing. Many cherish the illusion that the information the terminal transmits over the network cannot be intercepted. Extracting from the terminal protocol the password the user entered in 1C is an elementary problem if the outdated Windows NT Server Terminal Edition (STE) is used.
We have already mentioned some protective measures while considering the attack. The first thing to do is to configure "Start the following program at logon" on the server. There is a subtle point here, however: with a naive configuration users will lose access to domain resources. It is necessary to think and consult before installing the terminal, since incorrectly installed terminal licences actually "burn out".
The next point: unnecessary applications can be closed to the user by NTFS permissions. However, as shown above, the user can use copying tools without actually launching anything on the server. An interesting point: the "File" panel with its Ctrl+O and Ctrl+S cannot be disabled in 1C. The only reliable variant is to close the file-sharing port on the terminal server. But in that case network printing, backup to a standby server, etc. will stop working. For a small organisation this is a serious problem, since the server is an expensive item and one would like to use it for several purposes; for a medium organisation the absence of network printing is simply not acceptable. We are not even saying that the use of Microsoft Office together with 1C would have to be banned; otherwise, even with the port closed, the database can be analysed on the server without copying it. In general, the more services we disable, the safer the server; one could even switch it off and it would be absolutely safe, but who needs that? For normal work a number of ports must be open: 25, 53, 80, 110, 119, etc. All of them are potential holes in server protection, and a DoS attack can be carried out on the terminal port (3389).
Network sniffing. It should be noted that the most widespread terminal server, STE, is easy to eavesdrop on; multi-level encryption of the terminal session is implemented in Windows 2000. High-security solutions are usually built on the basis of Citrix MetaFrame, since this product has a whole set of serious protection facilities (Citrix Secure Gateway, SSL 128-bit, SecureICA, SOCKS 4/5, Ticketing, etc.). However, even for 10 workplaces this system will cost you about $5000. Add a server upgrade to that. Microsoft's terminal server comes free with Windows 2000, but client seats still have to be paid for, at $400 for each package of 5 licences.
It should be noted that in the Russian Federation the use of cryptography requires a licence from the Federal Agency for Government Communications and Information. Using cryptographic tools without such a licence is a crime.
A terminal server at least makes hacking more laborious, but raising the security of this solution requires taking a number of service functions and capabilities away from users. Another aspect is the extremely high cost of high-security solutions based on a terminal: from $5000 to $10000.
Let us consider the methods of hacking and protecting 1C:Enterprise for Microsoft SQL Server.
Whereas Microsoft Terminal Server is not a specialised tool for protecting databases, Microsoft SQL Server (MS SQL) contains powerful security tools that can be applied to 1C.
However, standard 1C:Enterprise does not use the access-control facilities of MS SQL, and every user works with the database with full rights (Database Owner, DBO). At first sight this is alarming, but it is not all that bad. An ordinary user does not know the DBO login and password; they are stored in encrypted form in the file 1CV7.DBA. This 1C approach to organising security on MS SQL only seems simplistic at first sight. Many competitors of 1C who make programs for MS SQL declare as a competitive advantage that user authorisation in their application is done by MS SQL itself. The subtlety is that effective protection by MS SQL means requires excluding user access to the database tables and allowing manipulation only through so-called views and stored procedures. Although it is often claimed that all this is in place, in reality it is not: programmers have no time to write new functions, never mind data protection. If such a program for MS SQL is used in your organisation, you can convince yourself of its insecurity simply by connecting to the database through Microsoft Query using a user's name and password. There is a 90% probability that you will be able to browse the tables. As we see, the 1C approach is more reliable, and MS SQL 2000 includes facilities to support this kind of security (Application Security Role).
The problem of protecting 1C for MS SQL, or more precisely the general problem of protection of the Application Security Role class, is that even in theory it is impossible to provide reliable encryption of the DBO login and password. Any cryptographically strong protection relies on the program not containing all the information needed to decrypt the data. Usually the missing piece is the user's password.
If the intruder knows the password of even one 1C user, then under any crypto-protection he can decrypt the DBO password, since he possesses 100% of the initial information needed for decryption.
Hacking 1C for SQL usually consists of two stages. The first stage is decrypting the DBO password. The second stage is analysing the data through a direct connection to MS SQL by means of Microsoft Query and Excel. The second stage can also consist of copying the database, but this is done less often.
Decrypting the DBO password. It must be said that the 1C experts, realising the hopelessness of protecting the DBO password, applied an absolutely weak encryption method (XOR encoding). The password is therefore decrypted very easily. For this purpose the file 1CV7.DBA is usually copied and then decrypted with programs of the unsql.exe type. Another method does not require copying the file and is based on running a Trojan configuration or external 1C report that contains the password-decoding algorithm in the 1C macro language.
One would hope that the 1C experts will at least encrypt the DBO password with the user's password or its hash. That would at least raise the cost of hacking to $100-$200. For that kind of money one usually hires a programmer who traces 1C step by step for a day. If the programmer has the password file users.usr and the password of at least one user, he can trace the 1C authentication mechanism in normal mode and simply reach the place where 1C itself decrypts the DBO password. After such tracing the hacker can write an automatic program for breaking the 1C DBO password.
It should be noted that the use of cryptographic tools in 1C will require licensing by the Federal Agency for Government Communications and Information.
After obtaining the DBO password the intruder usually proceeds to analyse the data in the database using Microsoft Query and Excel.
Copying an MS SQL database is not such a simple task, since it cannot be done by copying files. A special program is required, for example Data Migration Wizard, with which the 1C database can be copied from SQL to one's own disk in the form of DBF files.
It should also be noted that 1C for SQL can be hacked by analysing the temporary files in which 1C keeps a considerable part of the database.
It must be said that in the case of MS SQL the administrator can deploy auditing tools that will detect unauthorised access to the database from Microsoft Query and from data-copying programs. This can be done with SQL Profiler. However, the profiler needs special and very serious tuning. Otherwise the hack cannot be seen among thousands of legitimate commands, and besides, a profiler that has not been tuned slows the database down several times over.
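As a lighter complement to a tuned Profiler trace, a scheduled check of the server's session list can record who opened the 1C database from a client other than 1C. This is an added example and not part of 1C or of any product named on this page; it assumes the 1C database is called onec_db (placeholder), that 1C's own sessions report a program_name starting with "1C" (verify the real value on your server before relying on it), and that the procedure is run periodically by SQL Server Agent.

```sql
-- Constructed example (not 1C's or any named product's code): record sessions
-- that reach the 1C database with a client other than 1C itself.
-- Assumptions: database name 'onec_db' is a placeholder; 1C sessions report a
-- program_name beginning with '1C' (check master.dbo.sysprocesses on your server).

CREATE TABLE dbo.ForeignClientLog (
    LogID        INT IDENTITY(1,1) PRIMARY KEY,
    SeenAt       DATETIME    NOT NULL DEFAULT GETDATE(),
    Spid         SMALLINT    NOT NULL,
    LoginName    NCHAR(128)  NOT NULL,
    HostName     NCHAR(128)  NOT NULL,
    ProgramName  NCHAR(128)  NOT NULL,
    LoginTime    DATETIME    NOT NULL
);
GO

CREATE PROCEDURE dbo.usp_LogForeignClients
AS
    -- One row per (spid, login time): a long-running Excel session is logged once,
    -- however many times the procedure runs while it stays open.
    INSERT INTO dbo.ForeignClientLog (Spid, LoginName, HostName, ProgramName, LoginTime)
    SELECT p.spid, p.loginame, p.hostname, p.program_name, p.login_time
    FROM master.dbo.sysprocesses AS p
    WHERE p.dbid = DB_ID(N'onec_db')
      AND p.spid > 50                       -- skip system sessions
      AND p.program_name NOT LIKE N'1C%'    -- anything that is not 1C (assumed pattern)
      AND NOT EXISTS (SELECT 1 FROM dbo.ForeignClientLog AS l
                      WHERE l.Spid = p.spid AND l.LoginTime = p.login_time);
GO

-- Review: which accounts and machines opened the database outside 1C, and when?
SELECT LoginName, HostName, ProgramName,
       COUNT(*) AS Sessions, MAX(SeenAt) AS LastSeen
FROM dbo.ForeignClientLog
GROUP BY LoginName, HostName, ProgramName
ORDER BY LastSeen DESC;
```

This is a point-in-time check: a session that opens and closes between two runs is missed, which is why the article's Profiler trace remains the thorough option.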
MS SQL allows encryption of data in transit via SSL. Remember, however, that this activity requires licensing by the Federal Agency for Government Communications and Information.
Another important point is to configure logon to the database not under sa but under separate users. The next action is dividing the system into several separate 1C databases. By such means the damage can be minimised, but on the whole the holes for hacking remain.
To solve the security problems of 1C for SQL, the Row Level Security mode of MS SQL must be used. However, a special product is required for this.
Thus, 1C:Enterprise for SQL is the most protected version of this application. However, at present there exist methods of hacking 1C for SQL which experienced users are able to carry out.
For the security of a database under MS SQL, an independent audit of the server and deployment of serious protection on top of 1C are required. As an example of such protection one can cite "Protection of 1C:Enterprise for SQL".
Let us consider the methods of hacking and protecting 1C:Enterprise for Microsoft SQL Server under Microsoft Terminal Server.
Using 1C under Microsoft SQL Server and Microsoft Terminal Server simultaneously allows the protections of these systems to be combined. The hacking and protection methods described earlier are on the whole valid for this complex as well. We will note only a few distinctive points. Hacking and protection are built around decrypting the DBO password; at this stage the key point is protecting 1CV7.DBA from copying by means of Microsoft Terminal Server. As in the DBF case under Microsoft Terminal Server, absolute protection cannot be built here. Further protection is built on blocking access to MS SQL. One of the basic methods here is closing the MS SQL port, if MS SQL and Microsoft Terminal Server are on the same machine. This variant is far from ideal in terms of equipment cost and the usability of the system. Although there is no absolute protection in this case either, the variants most resistant to hacking can be built with products that make use of the built-in security facilities of MS SQL.
Let us consider fictitious protection of 1C.
It should be noted that the security problems of 1C are well known both to potential intruders and to firms supplying solutions based on 1C. Nevertheless, the problems of protecting 1C from hacking are in fact not solved, simply because in general they cannot be solved. The point is that the bulk of 1C sales are sales of the "DBF" version. The "DBF" storage format does not imply data protection, but it is very cheap. Although the DBF version cannot be protected reliably, many unscrupulous companies offer "protection" of 1C from hacking.
Let us consider typical cases of charlatanism in the 1C security market.
"A second password for DBF". This protection does not raise system security and is really an outright swindle, since it relies on psychological influence on the client. The point of the approach is that after starting 1C the system requests a "second password", without which it is impossible to enter the system. Introducing the second password creates the illusion of double security for the user. Such "protection" requires no special hacking techniques at all, since the intruder usually goes straight to the data in the DBF files, and the passwords for entering 1C are of no use to him for this.
"We have made something in your configuration that will ensure its protection". In fact, the "second password" is the most widespread example of the more general case where the customer is assured that a program built into the 1C configuration can protect the data in 1C. Once again we underline the key point of hacking the DBF versions: the intruder has no need to bypass any protection programs implemented on the basis of 1C. The intruder simply analyses the data in the DBF files, where they are not encrypted. Note that to steal the database it is enough to copy the DBF files; the 1C configuration and the "protection" do not need to be copied.
"We will install a terminal server for you, and everything will be safe". Installing a terminal really does raise security, but an experienced user can still overcome it. To raise security the terminal must be configured correctly, and that is a laborious task. Many simply install the terminal at the client's, do not even set up a network folder for 1C, and assure the client that everything is OK. Naturally such hack-work will not provide even an increase in the level of protection. A terminal-server solution with an average level of security requires Citrix MetaFrame and costs a lot: from $5000 to $10000.
"We will sell you 1C for Microsoft SQL Server, and everything will be safe". A typical phrase of a layman salesman. MS SQL is a serious system with serious protection, but the password for access from 1C to MS SQL is encrypted weakly, and 1C does not use most of the security facilities of MS SQL. A solution on MS SQL will have high security only if MS SQL is carefully configured and a special protective product is installed. Such a product should solve the problem of decryption of 1C passwords and allow the MS SQL protection which ordinary 1C does not use to be brought into play.
"Buy a firewall and an encrypted disk! Everything will be protected". These are good methods for countering hacking "from outside". However, hacking is usually an insider affair, and one of the employees takes part in it.
"We will make an absolutely safe solution". Absolute protection does not exist; there is only protection with a very high cost of hacking.
Let us consider hacking without hacking.
Surprising as it is, in most cases the user does not need to crack anything at all to obtain confidential information. The standard security facilities of 1C allow access to be differentiated at the level of document type, but not at the level of subsets of documents. For example, a user can be given or denied the right to access the client directory, but it cannot be specified that access is required only to part of the directory.
The problem of differentiating access at the level of subsets of documents deserves a separate article; here we will note the general approaches to its solution.
1. Several 1C databases, for example one database per division. This approach is implemented quickly, but then problems arise with repeated entry of information, transfer of data between databases and obtaining consolidated reports. If the databases run under MS SQL, the DTS service can be used to transfer information between configurations, but this only partly solves the problem.
2. Extending the 1C configuration to implement the differentiation. It should be noted that this is a rather expensive project. It should also be noted that such a solution does not guarantee access differentiation at the physical level; as a result there are many holes. The greatest problem is that access to all documents, reports and journals must be programmed by hand. The probability is very high that because of a programmer's error the user can pick such options of a report or journal that will give him access to the information he needs. Another problem is the possibility of analysing 1C temporary files and sniffing the network for hacking.
3. Building reports in Excel on the basis of the OLAP system from MS SQL. The idea is that reports are obtained not in 1C but in Microsoft Excel through the OLAP service that is part of MS SQL. This service allows security to be configured per user; for example, it can be specified which clients' statistics a user may view and which not. An important remark: most desktop OLAP solutions bearing the mark "1C: Compatible" do not use the OLAP facilities of MS SQL and are not safe from the point of view of data access.
4. Using security at the level of database records (Row Level Security). In this case access to part of the objects is closed for the 1C for SQL user at the server level. Such a solution is implemented quickly and cheaply; no changes to the 1C configuration are required. However, enabling Row Level Security with 1C requires installing a special program, for example "Protection of 1C:Enterprise for SQL". Row Level Security is based on the use of restricted views.
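The restricted-view mechanism behind Row Level Security, shown as an added T-SQL example rather than code from 1C or from "Protection of 1C:Enterprise for SQL". It assumes a hypothetical dbo.Clients table standing in for a 1C reference table, an assumed dbo.ClientAccess mapping of SQL logins to the divisions they may see, and two existing logins user_north and user_south already mapped to users in the database.

```sql
-- Constructed example: row-level restriction of a table through a filtered view
-- plus server-side permissions. dbo.Clients and dbo.ClientAccess are assumed
-- objects for illustration; user_north and user_south are assumed logins.

CREATE TABLE dbo.Clients (
    ClientID   INT           NOT NULL PRIMARY KEY,
    Name       NVARCHAR(100) NOT NULL,
    Division   NVARCHAR(50)  NOT NULL
);

CREATE TABLE dbo.ClientAccess (
    LoginName  SYSNAME      NOT NULL,
    Division   NVARCHAR(50) NOT NULL,
    PRIMARY KEY (LoginName, Division)
);
GO

-- Constructed sample data: two divisions, one user per division.
INSERT INTO dbo.Clients VALUES (1, N'Alpha Ltd', N'North');
INSERT INTO dbo.Clients VALUES (2, N'Beta Ltd',  N'South');
INSERT INTO dbo.ClientAccess VALUES (N'user_north', N'North');
INSERT INTO dbo.ClientAccess VALUES (N'user_south', N'South');
GO

-- The restricted view filters rows by the login of the current session:
-- SUSER_SNAME() is evaluated per connection, so the same view shows each
-- user only the divisions mapped to him.
CREATE VIEW dbo.Clients_Restricted AS
SELECT c.ClientID, c.Name, c.Division
FROM dbo.Clients AS c
WHERE c.Division IN (SELECT a.Division
                     FROM dbo.ClientAccess AS a
                     WHERE a.LoginName = SUSER_SNAME());
GO

-- Enforcement at the server level, independent of the 1C configuration:
-- the base tables are closed, so a direct connection from Microsoft Query or
-- Excel under these logins gets a permission error; only the view is readable.
DENY  SELECT ON dbo.Clients           TO user_north, user_south;
DENY  SELECT ON dbo.ClientAccess      TO user_north, user_south;
GRANT SELECT ON dbo.Clients_Restricted TO user_north, user_south;
GO

-- Check (SQL Server 2000 syntax): impersonate a user and compare results.
-- SETUSER N'user_north'; SELECT * FROM dbo.Clients_Restricted;  -- 'Alpha Ltd' only
-- SELECT * FROM dbo.Clients;                                   -- permission denied
-- SETUSER;
```

These statements limit only sessions that connect under their own logins; the DBO account under which standard 1C connects is not restricted by them, which is exactly the gap the article says a dedicated product must close.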
Let us consider the general approach to fighting intruders.
What can be recommended for maintaining reliable protection against hacking?
1. Commission an independent audit of the current security status, and then develop measures to maintain protection. The audit must be independent, for the obvious reason that it should not be done by the company that supplies the automation system with its built-in security.
2. As the most reliable product in terms of protection, 1C for MS SQL can be recommended. But, once again, this solution will be safe only when the system is configured correctly and, most importantly, when products are in place that close the security gaps of 1C and allow the protective facilities of MS SQL to be used for 1C. As an example of such a product one can cite "Protection of 1C:Enterprise for SQL".
3. We recommend producing reports with rich statistics only in Excel, not in 1C. With the analytical services of MS SQL, access to the analytical slices of reports can be configured.
4. Pay the administrator a normal salary for his qualification. Remember: any protection is defeated either by bribing the administrator or through administration errors.
5. Find out what information is most attractive for theft and concentrate on its careful protection.
It is known that all versions of 1C based on DBF files can be cracked easily enough. Organising effective counteraction to this is extremely difficult. Some counteraction to hacking can be organised by means of MS Terminal Server and Citrix MetaFrame, but this solution will be rather expensive and will require taking a number of capabilities away from users.
1C:Enterprise for SQL can provide reliable data protection, but only if the gaps in its security are closed. The product "Protection of 1C:Enterprise for SQL" can be used to solve this problem.
The author: Челябэнергопроект