WebSphere Message Broker Service id - Are you secure?
ErikKirk 2000005NXT Comment (1) Visits (12024)
Should your broker service id be an administrator on Windows platforms?
The short answer is NO.
The broker is an application, to which you can deploy about any code you want. Any code the broker runs on your behalf will run as an administrator.
Example (True Story)
Our password store deleted our password for a broker machine located halfway across the US from me. We completely lost access to the machine. Knowing a broker was running as an administrator on the machine, I knew there would be a way to recover it.
So, I queried the active ports remotely. Picked the ports I suspected the broker's queue manager was using. Setup a userid on my machine to match that of the broker service id. Connected my toolkit to the broker after obtaining the queue manager name. At this point, I knew i could move forward.
I researched and developed a script that, when run with administrator privileges, would create another userid and password, add the user to the Administrators group, setup a terminal services profile for the user, and enable the user's logon. With this in hand, I was one step closer.
Next, I created flow that would recreate that script on the broker machine and then run the script. That's all it took.
Moral of the story
Secure your broker resources with WebSphere MQ Security and take your broker out of the Administrators group