Securing jabber-config

Nadav
Level 7

Hello everyone :)

I haven't seen a method of securing the jabber-config so that the user must enforce a policy set by the administrator. Not only is the file plaintext so that any user can read the policy being enforced, but it's also located under the user's appdata directory so that they have RW rights to the file itself. Is it not possible to secure the configuration?

One example of a serious security flaw: I want a Jabber user to only see specific users in their department (by OU) so I set a searchbase. Against corporate policy, the user can change this searchbase in the jabber-config file, thus circumventing compartmentalization.

Jonathan Unger
Level 7

There has been a feature enhancement request to enforce the server-side file even if the client makes changes to the local config (Version 10.6).

Refer to bug ID: CSCut25346

I would put some pressure on TAC to get some movement as there is no fixed release identified yet.

Can the server-side file be profiled so that certain users receive one Jabber config while others receive another? Can this profile be selected by the user's OU, or device pool?

Thanks!

You can use group configuration files if you are running Jabber for Windows.

This setting is applied on the CSF device using the "Cisco Support Field" for the .xml file name.

Alternatively, you can deploy Jabber for Windows with a custom flag "TFTP_FILE_NAME" during installation to have the client PC request a custom config file.

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/10_6/CJAB_BK_C56DE1AB_00_cisco-jabber-106-deployment-and-installation-guide/CJAB_BK_C56DE1AB_00_cisco-jabber-106-deployment-and_chapter_01010.html#CJAB_TK_CC291813_00

From what I understood of the deployment guide, the XML file is deployed according to Jabber endpoint and not the user who authenticated into Jabber. This means that if a guy from HR authenticated into a computer of someone from Finance, they would have the directory and CSS privileges of Finance. Is this correct?

If so, is there a way to propagate the XML according to user groups and not endpoint?

Thanks for all the help :)

The CSS privileges come from the CSF device and line combination. It wouldn't matter which computer the user logged in to, they would receive the same calling permissions (CSS).

If you would like to push a different XML config file per CSF device, you can specify the configuration file name to use in the "Cisco Support Field" of the CSF device. Since the CSF device is tied to the user, you should be able to push the config to the specific group of people using this method.
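
One way an administrator could detect the local edits described in this thread, as an added example (not part of the original posts and not Cisco code): compare the user's local jabber-config against the administrator's copy and report every setting that differs. The XML snippets are constructed samples, and the element layout (`Directory/SearchBase1`, `Policies/Telephony_Enabled`) and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the administrator's intended configuration (baseline).
BASELINE_XML = """<config version="1.0">
  <Directory>
    <SearchBase1>OU=Finance,DC=example,DC=com</SearchBase1>
  </Directory>
  <Policies>
    <Telephony_Enabled>true</Telephony_Enabled>
  </Policies>
</config>"""

# Constructed sample: the copy in the user's profile, with the search base widened.
LOCAL_XML = BASELINE_XML.replace("OU=Finance,DC=example,DC=com", "DC=example,DC=com")


def flatten(xml_text):
    """Map each leaf element's path (e.g. 'Directory/SearchBase1') to its text."""
    settings = {}

    def walk(node, path):
        children = list(node)
        if not children:
            settings[path] = (node.text or "").strip()
        for child in children:
            walk(child, f"{path}/{child.tag}" if path else child.tag)

    walk(ET.fromstring(xml_text), "")
    return settings


def config_drift(baseline_xml, local_xml):
    """Return (path, expected, found) for every setting that differs from baseline."""
    expected = flatten(baseline_xml)
    # The local file is user-writable, so treat it as untrusted input:
    # a config file has no reason to carry a DTD, and it may not parse at all.
    if "<!DOCTYPE" in local_xml:
        return [("<file>", "no DTD", "DOCTYPE present")]
    try:
        found = flatten(local_xml)
    except ET.ParseError:
        return [("<file>", "well-formed XML", "unparseable")]
    return [(p, expected.get(p), found.get(p))
            for p in sorted(set(expected) | set(found))
            if expected.get(p) != found.get(p)]


if __name__ == "__main__":
    for path, want, got in config_drift(BASELINE_XML, LOCAL_XML):
        print(f"DRIFT {path}: expected {want!r}, found {got!r}")
```

A check like this only reports tampering after the fact; it does not stop the client from using the edited file.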