08-02-2015 04:25 PM - edited 03-19-2019 09:54 AM
Hello everyone :)
I haven't seen a method of securing the jabber-config so that the user must enforce a policy set by the administrator. Not only is the file plaintext so that any user can read the policy being enforced, but it's also located under the user's appdata directory so that they have RW rights to the file itself. Is it not possible to secure the configuration?
One example of a serious security flaw: I want a Jabber user to only see specific users in their department (by OU), so I set a searchbase. Against corporate policy, the user can change this searchbase in the jabber-config file, thus circumventing compartmentalization.
08-03-2015 09:41 PM
There has been a feature enhancement request to enforce the server side file even if the client makes changes to the local config (Version 10.6).
Refer to bug ID: CSCut25346
I would put some pressure on TAC to get some movement as there is no fixed release identified yet.
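Until the client enforces the server-side file, an administrator can at least detect local edits such as the searchbase change described in the question. The following is an added example, not code from this thread or from Cisco: it compares the administrator's copy of the config with a copy collected from a user's machine and reports every setting that differs. The XML element names and values are constructed for illustration and are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the config the administrator publishes (element names assumed).
BASELINE_XML = """<config version="1.0">
  <Directory>
    <SearchBase1>OU=Finance,DC=example,DC=com</SearchBase1>
  </Directory>
  <Policies>
    <File_Transfer_Enabled>false</File_Transfer_Enabled>
  </Policies>
</config>"""

# Constructed sample: the copy found in a user's profile, with the
# searchbase widened and a policy element deleted.
LOCAL_XML = """<config version="1.0">
  <Directory>
    <SearchBase1>DC=example,DC=com</SearchBase1>
  </Directory>
</config>"""


def flatten(xml_text):
    """Map each leaf element's path (e.g. 'Directory/SearchBase1') to its text.
    If a path repeats, the last occurrence wins."""
    settings = {}

    def walk(node, prefix):
        children = list(node)
        if not children:
            settings[prefix] = (node.text or "").strip()
        for child in children:
            walk(child, f"{prefix}/{child.tag}" if prefix else child.tag)

    walk(ET.fromstring(xml_text), "")
    return settings


def drift(baseline_xml, local_xml):
    """Return (path, expected, actual) for every setting that differs.
    None means the setting is absent on that side."""
    want, have = flatten(baseline_xml), flatten(local_xml)
    return [(path, want.get(path), have.get(path))
            for path in sorted(want.keys() | have.keys())
            if want.get(path) != have.get(path)]


if __name__ == "__main__":
    for path, expected, actual in drift(BASELINE_XML, LOCAL_XML):
        print(f"DRIFT {path}: expected={expected!r} actual={actual!r}")
```

This only reports tampering after the fact; it does not stop the client from using the edited file.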
08-03-2015 10:35 PM
Can the server-side file be profiled so that certain users receive one Jabber config while others receive another? Can this profile be selected by the user's OU or device pool?
Thanks!
08-03-2015 11:06 PM
You can use group configuration files if you are running Jabber for Windows.
This setting is applied on the CSF device using the "Cisco Support Field" for the .xml file name.
Alternatively, you can deploy Jabber for Windows with a custom flag "TFTP_FILE_NAME" during installation to have the client PC request a custom config file.
08-04-2015 12:16 AM
From what I understood of the deployment guide, the XML file is deployed according to Jabber endpoint and not the user who authenticated into Jabber. This means that if a guy from HR authenticated into a computer of someone from Finance, they would have the directory and CSS privileges of Finance. Is this correct?
If so, is there a way to propagate the XML according to user groups and not endpoint?
Thanks for all the help :)
08-04-2015 09:55 PM
The CSS privileges come from the CSF device and line combination. It wouldn't matter which computer the user logged in to, they would receive the same calling permissions (CSS).
If you would like to push a different XML config file per CSF device, you can specify the configuration file name to use in the "Cisco Support Field" of the CSF device. Since the CSF device is tied to the user, you should be able to push the config to the specific group of people using this method.