Kaseya Community

Protecting the dl.asp

  • The page where you download an agent "dl.asp" is not protected in any way. If you know the URL, it's just to go and pick an agent and you can be part of the fun. Which in my book translates to a security vulnerability.

    Instead of discussing what bad things may happen, i would like to know which are good enough measures to protect access to this page.

    If we were in the Apache world, i would probably just have a .htaccess file to ask for a username/password combination. That's good enough for me. Assuming the knowledge of .asp (which we have plenty of in the company, not just in me), is it complicated to use the usernames and passwords in the actual Kaseya installation for authentication?

    Did i ask too much? :)

  • Have to say i agree has been a pain point for me for a bit more so because our market is small and its very easy to know what MSP is using what tool - so logging onto their dl.asp (at least in our case) will show you the client names as we use client names for the packages to make it easy for engineers.

    What I did look at was creating our own dl.asp page and publishing it - so instead of going to dl.asp you might go to agentdownloader.asp or something and then leave the dl.asp blank.

    I believe in K2 there is also an API connection for the agent packages have to check that again but I did manage to get it quite easily out of the DB any.

  • @ Robin - Can you elaborate how this is a security vulnerability.  If someone gets to your agent and downloads it, they have now given you full control of their machine and still have no access to your KServer.

    @MMartin - You can limit which agents are displayed on dl.asp.  If you you want your techs to use it but are concerned that others may see the names of the packages then don't list them on dl.asp.  Instead have your techs log into the KServer and pull down the client specific package from  there.  Either way they'd have to have access to the internet.

  • I agree with Max here - This isn't a security vulnerability. If someone downloads the agent, it's a security vulnerability for them, not you. An agent doesn't give someone any kind of access into your VSA, or your network. We have our system set to alert on each new agent that gets created. New agents make a ticket in our PSA, and whoever picks up the ticket makes sure the agent is in the right group and has the right settings applied to it. If the agent is from someone we don't recognize, it gets removed.

    Making the agents easily accessible is a plus in my books. If this page were password protected, that's just one more set of credentials for our techs to manage. If you don't want agents to be visible on this page then just uncheck the "show on dl.asp" checkbox. When you want to do a download, check the box, and uncheck it when you're done.

  • I am aware you can limit but simple for the lads to get to if they need to quickly install an agent - asking us to make visible is a pain as they have to ring / if we are not here etc. They don't have access to agent deployment.

    I will fire ahead with my custom page will be easy to do and then no more worries.... Plus they will see all packages then with or without a tick box...

  • Before we upgraded to K2 (Which I did about three hours ago! :) ) the DL.asp page was protected and you needed to log in with a domain user account... I'm having a tough time locating where to change this in IIS for the new version...

  • Has anyone found a way to secure this yet? i am very intersted in getting ours secured as well..

  • Can't you just secure the file using standard windows file permissions?  Just curious, why are you trying to secure the file?

  • we can probably secure it with IIS but I don't want to mess up the Kaseya code....  When we go to a new client we go to this site to install the agent sometimes and they have it in their history and if we don't remove it they could see our customer list...

  • If that's the case then don't use the dl.asp page.  Just log into your Kaseya console and go to Agent->Deploy Agents.  That page is already secured.  It contains all your agent packages and is not accessible without a userid/pwd.

    [edited by: Max Pruger at 9:30 AM (GMT -7) on 4-13-2011] Linking to the write page/function
  • But then what is it for?  it's much easier to just go to the dl.asp some of our low level techs do not have access to the kaseya interface as well...

  • We've been through all the pain and decided the best way is to create the installer then hit the hyperlink and send the URL to the tech/customer who is installing the agent, and also attach to the customers account.  Simply means that there should be nothing on the dl.asp page and if required access is pretty easy.

  • The point of the dl.asp page is for easy access to install agents.  If you want to restrict access to the dl.asp page then the functionality is already there, it's called the Agent->Deploy Agents page.  To restrict access to the dl.asp page, you have to provide a userid/pwd.  That's the same thing you need to log into Kaseya.  If you don't want your lower level techs to have access to all of Kaseya, that's fine.  Just create a role that only shows them the Agent->Deploy Agents page.

    BTW, I'm not saying you can't restrict the dl.asp page.  My suggestion was to do it through standard windows file permissions.  All I'm saying is that you already have a built in secured dl.asp page and that's the Agent->Deploy Agents page.

  • Hi,

    Our download page does not show any  package,  not even the default.

    You can achieve this by just sharing the packages to ppl you want them to be available for

    ivita2.eurosys.be/dl.asp   shows "No Packages availalble"

  • Hi,

    I modified the NTFS permissions on our Kaseya 6.3 server for dl.asp (..\kaseya\WebPages\dl.asp) and denied access to the "Internet Guest Account".

    I then copied the dl.asp file to another, not so obvious name, which we can now use to access the download page (i.e. https://ourkaseyaserverurl/ourdl.asp)

    It's not perfect, but removes access to the default page.  

    Hope this helps someone.