ISSUE/RISK Security Hole

[Tim]

I know that the security controls are good when one enters via the project
server, however; if someone enters the WSS URL without going through PWA,
then I found that it is wide open.

i.e. https://servername/projectserver/issues/IssueShell.asp?ProjID=124
(Controls works fine.)

https://servername/sites/projectserver_124/default.aspx (allows access when
it should not.)

Anyone know how to close this hole?

 

[Tim]

For those of you who care, I found the issue. Even though I was set up as a
team member in Project Server, which rightfully denied me access to the WSS
site via. Project Server, I was a member of the Local Administrator domain
account on the server which for some reason overrides the WSS controls. So
bottom line, the WSS controls were still in effect regardless of how I
entered the site. That's a good thing.

 

[Gary L. Chefetz \(MVP\)]

Tim,

Of course it overrides the groups assignments, or in this case lack there
of, in the WSS groups.

--

Gary L. Chefetz, MVP
"We wrote the books on Project Server"
http://www.msprojectexperts.com

For Project Server FAQs visit
http://www.projectserverexperts.com

For Project FAQs visit
http://www.mvps.org/project

-