iPortalis Limited Security Framework v1.4
iPortalis Limited Data Security Framework and Policies for iPortalis Control Portal (iCP)
Updated: March 2017
CONTENTS

Introduction
Goal
iPortalis Security Framework
  Data Protection Act
  Policy
  Compliance
    Access Control
    Business Continuity
    Communications and Operations
    Equipment Security
    Third Parties
    Human Resources
    Systems
Client O365 Tenant Integration Requirement
  Communications and Operations
    iCP Engine Network Diagram
    iCP Engine Provider Plug-Ins Network Diagram
    iCP Engine Service Network Diagram
  O365 Threat Modelling Report
    Authentication Process Flow
    Data Flow to Office 365
  Threat(s) Not Associated with an Interaction
    Data Flow HTTPS Is Potentially Interrupted
    External Entity Microsoft Partner Center REST Service Potentially Denies Receiving Data
    Spoofing of the Microsoft Partner Center REST Service External Destination Entity
    Data Flow HTTPS Is Potentially Interrupted
    External Entity Microsoft REST Services, Partner Center, Azure AD, CREST Potentially Denies Receiving Data
    Spoofing of the Microsoft REST Services, Partner Center, Azure AD, CREST External Destination Entity
    Browser Client Process Memory Tampered
    Potential Data Repudiation by iCP
    Potential Process Crash or Stop for Ion Control Panel
    Data Flow HTTPS Is Potentially Interrupted
    Elevation Using Impersonation
    iCP Engine May be Subject to Elevation of Privilege Using Remote Code Execution
    Elevation by Changing the Execution Flow in Ion Control Panel
    Potential SQL Injection Vulnerability for Ion Entities Store
    Risks from Logging
    Spoofing of Destination Data Store Ion Entities Store
    Lower Trusted Subject Updates Logs
    Insufficient Auditing
    Potential Weak Protections for Audit Data
    Authorization Bypass
    Weak Credential Storage
    Potential Excessive Resource Consumption for iCP Engine or iCP Entities Store
    iCP Process Memory Tampered
    Replay Attacks
    Collision Attacks
    Weak Authentication Scheme
    Elevation Using Impersonation
    XML DTD and XSLT Processing
  AD Properties Threat Modelling Report
    AD Contact Service Plan
    AD Contact Subscribed Service
    AD Container Subscribed Service
    AD Customer Service Plan
    AD Customer Subscribed Service
    AD Domain Subscribed Service
    AD Group Service Plan
    AD Group Subscribed Service
    AD Resource User Service Plan
    AD Resource User Subscribed Service
    AD User Service Plan
    AD User Subscribed Service
    Preferred Domain Controller System Pool Item
  O365 Properties Threat Modelling Report
    Customer Offer
    Customer Offer Add On
    Customer Service Plan
    Customer Service Plan Offer
    Customer Subscribed Service
    Domain Subscribed Service
    Group Subscribed Service
    User Offer
    Offer Add On
    User Service Plan
    User Service Plan Offer
    User Subscribed Service
  Subscriber Properties Threat Modelling Report
    Contact
    Customer
    Domain
    Group
    Resource User
    User
Information Storage
  What Information is Stored
  Where is Information Stored
  How Long is Information Stored
  How Accessible is Information
  Who Can Access Information
Administration Layers
INTRODUCTION

This security framework document supports the iPortalis proposal to implement functionality, processes and connections for the iPortalis Control Portal (iCP) to allow Client Administrators to manage Microsoft O365 licence provisioning and integrate iCP into the Client O365 tenant.

The security does not just apply to the iCP software, but also to our operational processes, tools and personnel.

GOAL

The goal of this document is to demonstrate to Client that iPortalis Limited is a technically and operationally security-compliant service provider.

The document shows:
• Operational policies
• Communication and Operations network diagrams
• Client O365 tenant threat analysis
• AD property entity details
• Data awareness
  o Storage
  o Security
  o Integrity
  o Transit
IPORTALIS SECURITY FRAMEWORK

The following section will demonstrate iPortalis operational security compliance.

DATA PROTECTION ACT

The Information Commissioner's Office has registered iPortalis under the Data Protection Act with registration reference ZA208153.

POLICY

iPortalis has the following security policies:
• Anti-piracy policy
• Network system monitoring policy
• Remote access and mobile computing policy
• Virus protection policy
• Leaving policy
• Access control policy

iPortalis also has the following operations policies in place:
• Change Management policy
• Release Management policy
• Continuity policy

COMPLIANCE

The following will demonstrate iPortalis compliance in relation to specific operational processes.
ACCESS CONTROL

Sub Section | Requirement
Network Access Control | The structure of the network controls equipment identification.
Network Access Control | Authentication of remote diagnostic ports is controlled.
Network Access Control | Network segregation controls are included in the Access Control Policy and are as defined in the Network Structure Diagram.
Operating Systems Access Control | IP address connections are either static IPs assigned according to defined rules or are dynamically issued by the system.
Operating Systems Access Control | User identification and authentication requirements are defined and allocated by the Systems Department and are addressed in the Access Control Policy.
Operating Systems Access Control | Access to system utilities is restricted to the Systems and/or Technical Support teams with the necessary authorisation.
Operating Systems Access Control | Requirements for session time-outs are defined in the Access Control Policy and provide for limited time-outs for in-house use, with more stringent and enforced time-outs for any external connections.
Application Access Control | Information access restrictions are imposed.
Application Access Control | Sensitive systems, applications and data are isolated using a combination of physical and electronic controls.
BUSINESS CONTINUITY

Sub Section | Requirement
Information security aspects of business continuity | A Business Continuity Plan (Disaster Recovery) is documented. The Business Continuity Plan includes procedures for timely restoration of business following interruption or failure of critical business processes.
Information security aspects of business continuity | The Business Continuity Plan includes a single framework ensuring consistency and the establishment of priorities.
COMMUNICATIONS AND OPERATIONS

Sub Section | Requirement
Operational Procedures and Responsibilities | Any source, test and development code is clearly identified and protected from the production environment.
Operational Procedures and Responsibilities | Hardware firewall, virus and spyware protection are run continuously.
Operational Procedures and Responsibilities | The logs are checked automatically against pre-defined rules and checked on a regular basis.
Network Security Management | Security of network services is identified in the SLA and/or contract established and agreed with the customer, contractor or third-party provider.
Electronic Commerce | Systems relating to electronic commerce transactions are in place and these have been developed to achieve security and management of risk.
Electronic Commerce | On-line transactions are carried out using industry standard security and encryption using, in most cases, recognised third-party providers. Financially-sensitive information is not accessible to employees and the transaction record is deleted after the support period.
Monitoring | Log information is held as a system record and protected as defined in our Security Manual.
Monitoring | Clock synchronisation is carried out as a component of the operating system utilities, including automatic verification with an on-line source of time data and automatic daylight saving time changes.
EQUIPMENT SECURITY

Sub Section | Requirement
Responsibility for Assets | An inventory of critical assets is maintained in the DHL.
Responsibility for Assets | Ownership of assets is maintained in the DHL.
Equipment Security | Equipment siting and protection – appropriate security and preventative measures are in place.
Equipment Security | UPSs are connected to the office servers with a minimum runtime of 20 minutes.
Equipment Security | Precautions are taken to ensure the security of cabling within the premises.
Equipment Security | Equipment maintenance is carried out by authorized personnel.
Equipment Security | Support contracts are in place with key equipment suppliers.
Equipment Security | A specialised company is used in disposal of assets and records of disposals are kept.
THIRD PARTIES

Sub Section | Requirement
External Parties | Third party access risks are addressed as part of routine maintenance of the DR plans.
External Parties | Non-disclosure agreements are in place with third party contractors, as part of the contract or included in the SLA.
External Parties | Protection of assets is defined within the third party contractor SLA.
External Parties | Risk associated with third parties is defined in DR plans.
HUMAN RESOURCES

Sub Section | Requirement
Prior to employment | Employee screening and policy – CRB checks are carried out prior to employment or during the first 2 weeks of the probationary period.
Prior to employment | Terms and conditions of employment form part of the employee's contract. A signed copy is retained in the HR file.
During employment | Staff are inducted into the organization and given access to the ISMS Manual and policies.
During employment | An induction sheet is signed and retained in the HR file.
During employment | Information security awareness, education and training.
Termination of employment | A leaving policy is in place and the process is followed.
Termination of employment | All company assets are recovered as part of the leaving process.
Termination of employment | The leaving checklist must include a check to identify a leaver to the IT Team and ensure all system and physical access is removed.
Physical and environmental security | Physical security perimeters are reviewed.
Physical and environmental security | Physical entry controls are reviewed.
Physical and environmental security | The HQ's server rooms are accessible only by authorized personnel, and a list is held of those authorized.
Physical and environmental security | Public access areas are controlled and limited. All visitors are accompanied at all times.
SYSTEMS

Sub Section | Requirement
Security Requirements of Information Systems | Security requirements for new or enhanced systems are determined and specified by the Organisation and documented as part of the system specification.
Correct Processing in Applications | Data input validation requirements are limited to the data field parameters incorporated into the designed system. Data is validated, approved and/or tested prior to final entry into the system and release to a live environment.
Correct Processing in Applications | Internal processing controls are contained within the application.
Correct Processing in Applications | Any data validation checks required are automatic and carried out as part of system operations. Additional load and/or stress testing and related output validation is carried out where considered necessary.
Security of System Files | Licenses for the use of software on the Organisation's systems are valid and in date. A Software Licence and Usage Register is in place and reviewed regularly.
Security of System Files | All appropriate protection is given to test data. The use of specific file names prohibits the test data being available to live applications.
Security of System Files | The Organisation develops generic and client-specific code. An industry standard source code protection utility is used to control this area and access is limited.
Security in Development and Support Processes | The Systems Team monitors information when new vulnerabilities are announced, to be able to correctly assess the vulnerability of their exposed systems and to take preventive/corrective action. Changes to systems are recorded.
Security in Development and Support Processes | Software development partnerships may be in place. Where this occurs, a Service Level Agreement is established and signed by both parties defining the scope, responsibilities and issues including copyright and intellectual property rights. A copy is signed and retained by both parties.
Technical Vulnerability Management | Technical vulnerabilities identified as a result of the implementation of the ISMS are reviewed and addressed.
CLIENT O365 TENANT INTEGRATION REQUIREMENT

COMMUNICATIONS AND OPERATIONS

ICP ENGINE NETWORK DIAGRAM

ICP ENGINE PROVIDER PLUG-INS NETWORK DIAGRAM

ICP ENGINE SERVICE NETWORK DIAGRAM

O365 THREAT MODELLING REPORT

Threat Model Name: iCP Engine integration with Office 365 REST APIs
Description: This threat model provides an overview of identified threats and the mitigation for those threats in iPortalis interaction with Microsoft APIs related to Office 365.
External Dependencies: Without exception, iPortalis have followed the Microsoft recommendations and procedures for enabling and performing secure interaction with the Client Office 365 related APIs.
Please refer to the following documentation for details on these recommendations:
• https://support.office.com/en-us/article/Understanding-Office-365-identity-and-Azure-Active-Directory-06a189e7-5ec6-4af2-94bf-a22ea225a7a9
• https://support.office.com/en-us/article/Office-365-integration-with-on-premises-environments-263faf8d-aa21-428b-aed3-2021837a4b65?ui=en-US&rs=en-US&ad=US
• https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-authentication-scenarios
• https://msdn.microsoft.com/en-us/library/partnercenter/mt634709.aspx
• https://msdn.microsoft.com/en-us/library/partnercenter/mt709136.aspx
• https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-integrating-applications
• https://docs.microsoft.com/en-us/azure/app-service-mobile/app-service-mobile-how-to-configure-active-directory-authentication

The following diagrams illustrate the process flow of authentication:

AUTHENTICATION PROCESS FLOW

DATA FLOW TO OFFICE 365

THREAT(S) NOT ASSOCIATED WITH AN INTERACTION

DATA FLOW HTTPS IS POTENTIALLY INTERRUPTED
State: Mitigation implemented
Priority: High
Category: Denial of Service
Description: An external agent interrupts data flowing across a trust boundary in either direction.
Justification: Firewall or DMZ should be configured to prevent data flow interruption. If data flow is interrupted, the provisioning process will fail and be logged with relevant information.
EXTERNAL ENTITY MICROSOFT PARTNER CENTER REST SERVICE POTENTIALLY DENIES RECEIVING DATA
State: Mitigation implemented
Priority: High
Category: Repudiation
Description: Microsoft Partner Center REST Service claims that it did not receive data from a process on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification: iCP engine provides an audit trail of any changes to entities and of those requests that are made to the external services.
SPOOFING OF THE MICROSOFT PARTNER CENTER REST SERVICE EXTERNAL DESTINATION ENTITY
State: Mitigation implemented
Priority: High
Category: Spoofing
Description: Microsoft Partner Center REST Service may be spoofed by an attacker and this may lead to data being sent to the attacker's target instead of Microsoft Partner Center REST Service. Consider using a standard authentication mechanism to identify the external entity.
Justification: Threat is mitigated by the requirement to provide a symmetric secret and partner credentials.
Interaction: HTTPS:
DATA FLOW HTTPS IS POTENTIALLY INTERRUPTED
State: Mitigation implemented
Priority: High
Category: Denial of Service
Description: An external agent interrupts data flowing across a trust boundary in either direction.
Justification: If data flow is interrupted, ION will fail the interaction and log the reason for failure. We expect the network perimeter to provide protection against DoS as well.
EXTERNAL ENTITY MICROSOFT REST SERVICES, PARTNER CENTER, AZURE AD, CREST POTENTIALLY DENIES RECEIVING DATA
State: Mitigation implemented
Priority: High
Category: Repudiation
Description: Microsoft REST Services, Partner Center, Azure AD, CREST claims that it did not receive data from a process on the other side of the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification: iCP engine audits any changes to the entity store and also logs provisioning event failures or successes.

SPOOFING OF THE MICROSOFT REST SERVICES, PARTNER CENTER, AZURE AD, CREST EXTERNAL DESTINATION ENTITY
State: Mitigation implemented
Priority: High
Category: Spoofing
Description: Microsoft REST Services, Partner Center, Azure AD, CREST may be spoofed by an attacker and this may lead to data being sent to the attacker's target instead of Microsoft REST Services, Partner Center, Azure AD, CREST. Consider using a standard authentication mechanism to identify the external entity.
Justification: A secret key, client id, and Azure AD user credentials are required for this interaction. A secured and signed authentication token is acquired from the Azure AD service and used for subsequent operations. Capabilities of the user in Office 365 are secured by their role in the Office 365 tenant. That user is first authenticated through the control panel, which authorizes against Azure AD and obtains the auth token which is passed down to the iCP engine.
Interaction: HTTPS:
BROWSER CLIENT PROCESS MEMORY TAMPERED
State: Mitigation implemented
Priority: High
Category: Tampering
Description: If Browser Client is given access to memory, such as shared memory or pointers, or is given the ability to control what Ion Control Panel executes (for example, passing back a function pointer), then Browser Client can tamper with Ion Control Panel. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification: The browser client is not given access to memory. The control panel is managed code.

POTENTIAL DATA REPUDIATION BY ICP
State: Mitigation implemented
Priority: High
Category: Repudiation
Description: iCP engine claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time, and summary of the received data.
Justification: iCP engine provides an audit trail for all changes to entities in the system.
POTENTIAL PROCESS CRASH OR STOP FOR ION CONTROL PANEL
State: Mitigation implemented
Priority: High
Category: Denial of Service
Description: iCP engine crashes, halts, stops or runs slowly; in all cases violating an availability metric.
Justification: Control panel supports load balancing to ensure uptime.

DATA FLOW HTTPS IS POTENTIALLY INTERRUPTED
State: Mitigation implemented
Priority: High
Category: Denial of Service
Description: An external agent interrupts data flowing across a trust boundary in either direction.
Justification: Authentication is required by an authorized entity. Retries for authentication are limited. To flood the system with requests, a compromise of authorized user credentials would be required. It is also expected that the TCP/IP stack is hardened by applying the appropriate registry settings to increase the size of the TCP connection queue, decrease the connection establishment period, and employ dynamic backlog mechanisms to ensure that the connection queue is never exhausted. It is also recommended that you use a network Intrusion Detection System (IDS), because these can automatically detect and respond to SYN attacks.
ELEVATION USING IMPERSONATION
State: Mitigation implemented
Priority: High
Category: Elevation of Privilege
Description: iCP engine may be able to impersonate the context of Browser Client to gain additional privilege.
Justification: Authentication is required by an authorized entity. Authenticated users are subject to restriction based on role-based logic. The web service runs in an isolated application pool as network service, which has almost no privileges on the local system. Input is validated to prevent buffer overflows. All interaction is with managed code.

ICP ENGINE MAY BE SUBJECT TO ELEVATION OF PRIVILEGE USING REMOTE CODE EXECUTION
State: Mitigation implemented
Priority: High
Category: Elevation of Privilege
Description: Browser Client may be able to remotely execute code for iCP engine.
Justification: Authentication is required by an authorized entity. The web service runs in an isolated application pool as network service, which has almost no privileges on the local system. Input is validated to prevent buffer overflows. All interaction is with managed code.

ELEVATION BY CHANGING THE EXECUTION FLOW IN ION CONTROL PANEL
State: Mitigation implemented
Priority: High
Category: Elevation of Privilege
Description: An attacker may pass data into Ion Control Panel to change the flow of program execution within Ion Control Panel to the attacker's choosing.
Justification: Authentication is required by an authorized entity. The web service runs in an isolated application pool as network service, which has almost no privileges on the local system. Input is validated to prevent buffer overflows. All interaction is with managed code.
Interaction: TCP/IP
POTENTIAL SQL INJECTION VULNERABILITY FOR ION ENTITIES STORE
State: Mitigation implemented
Priority: High
Category: Tampering
Description: SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities, because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
Justification: Dynamic SQL statements are not constructed. Only parameterized queries to stored procedures are allowed. Customized reporting SQL is only allowed by the highest trust level.
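The justification above states three rules: no dynamic SQL, only parameterized calls to stored procedures, and ad hoc reporting SQL reserved for the highest trust level. The following added example is mine, not iPortalis code; it stands in for SQL Server and its stored procedures with an in-memory SQLite table and a fixed registry of named, parameterized statements, and the procedure names, trust-level label and sample rows are all constructed.

```python
import sqlite3

HIGHEST_TRUST = "system"  # constructed trust-level label, not an iCP value

# Constructed sample rows standing in for the entities store.
SAMPLE_USERS = [
    (1, "alice", "ClientAdministrator"),
    (2, "bob", "User"),
    (3, "carol", "User"),
]

# Stand-in for stored procedures: the application can only name a procedure
# and supply bound parameters; it never supplies SQL text of its own.
PROCEDURES = {
    "usp_GetUserByName": "SELECT id, name, role FROM users WHERE name = ?",
    "usp_SetUserRole": "UPDATE users SET role = ? WHERE id = ?",
}


def open_store():
    """Create the constructed in-memory entities store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_dynamic(conn, name):
    """The pattern the threat entry warns about: the caller's string becomes SQL text."""
    sql = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def call_procedure(conn, proc_name, params):
    """Parameterized call to a named procedure; unknown names are refused."""
    if proc_name not in PROCEDURES:
        raise ValueError(f"unknown procedure {proc_name!r}")
    return conn.execute(PROCEDURES[proc_name], tuple(params)).fetchall()


def run_reporting_sql(conn, sql, trust_level):
    """Ad hoc reporting SQL is reserved for the highest trust level."""
    if trust_level != HIGHEST_TRUST:
        raise PermissionError("custom reporting SQL requires the highest trust level")
    return conn.execute(sql).fetchall()


def demo():
    """Run the same lookup value through both paths and exercise the trust gate."""
    conn = open_store()
    # The tautology probe from any SQL injection primer: inert as a bound
    # parameter, a WHERE-clause rewrite when glued into the statement text.
    probe = "' OR '1'='1"
    results = {
        "dynamic": lookup_dynamic(conn, probe),
        "procedure": call_procedure(conn, "usp_GetUserByName", [probe]),
        "legit": call_procedure(conn, "usp_GetUserByName", ["alice"]),
    }
    try:
        run_reporting_sql(conn, "SELECT COUNT(*) FROM users", "User")
        results["reporting_denied"] = False
    except PermissionError:
        results["reporting_denied"] = True
    results["reporting_count"] = run_reporting_sql(
        conn, "SELECT COUNT(*) FROM users", HIGHEST_TRUST)[0][0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The dynamic path returns every row for the probe value, while the procedure path returns nothing, which is the behaviour a code review of the entities store access layer should be able to confirm.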
RISKS FROM LOGGING
State: Mitigation implemented
Priority: High
Category: Tampering
Description: Log readers can come under attack via log files. Consider ways to canonicalize data in all logs. Implement a single reader for the logs, if possible, to reduce attack surface area. Be sure to understand and document log file elements which come from untrusted sources.
Justification: Log files are stored in a proprietary XML format.
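Whether an XML log format protects the reader depends on how untrusted fields are written into it. The following added example is mine and not iPortalis code; it contrasts a log entry built by string formatting with one built by a serializer that escapes the values, read back through a single reader. The element names and the hostile display name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed untrusted field: a display name submitted through the portal that
# carries markup shaped like the end of one log entry and the start of another.
HOSTILE_NAME = "guest</user><action>RemoveLicence</action></entry><entry><user>admin"


def format_entry_naive(user, action):
    """String formatting: untrusted text is spliced straight into the markup."""
    return f"<entry><user>{user}</user><action>{action}</action></entry>"


def format_entry_canonical(user, action):
    """Serializer output: <, > and & in the values are escaped, so the values
    stay text and cannot open or close elements."""
    entry = ET.Element("entry")
    ET.SubElement(entry, "user").text = user
    ET.SubElement(entry, "action").text = action
    return ET.tostring(entry, encoding="unicode")


def read_entries(fragment):
    """The single log reader: parse the fragment and return (user, action) pairs."""
    root = ET.fromstring(f"<log>{fragment}</log>")
    return [(e.findtext("user"), e.findtext("action")) for e in root.findall("entry")]


def compare():
    """Record one real event (HOSTILE_NAME logging in) both ways and read it back."""
    return {
        "naive": read_entries(format_entry_naive(HOSTILE_NAME, "Login")),
        "canonical": read_entries(format_entry_canonical(HOSTILE_NAME, "Login")),
    }


if __name__ == "__main__":
    for style, entries in compare().items():
        print(style, entries)
```

The naive writer yields two entries, one attributing a licence removal to "guest" and one attributing the login to "admin", so the log no longer supports the repudiation claims the later entries rely on; the canonical writer yields the single real event with the hostile text intact as data.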
SPOOFINGOFDESTINATIONDATASTOREIONENTITIESSTORE
State: Mitigationimplemented
Priority: High
Category: Spoofing
Description: iCPEntitiesStoremaybespoofedbyanattackerandthismayleadtodatabeingwrittentotheattacker'stargetinsteadofiCPEntitiesStore.Considerusingastandardauthenticationmechanismtoidentifythedestinationdatastore.
Justification: Datastoreisonsecurednetworkandaccesstoconnectiondata.
LOWERTRUSTEDSUBJECTUPDATESLOGS
State: Mitigationimplemented
Priority: High
Category: Repudiation
Description: Ifyouhavetrust levels, isanyoneotheroutsideofthehighesttrust levelallowedto log?Lettingeveryonewrite toyour logscan lead to repudiationproblems.Onlyallowtrustedcodetolog.
Justification: Onlyhighesttrustlevelcanlog.Onlythesystemdoeslogging.Externalprocessorusersnotallowedtolog.
INSUFFICIENTAUDITING
State: Mitigationimplemented
Priority: High
Category: Repudiation
Description: Doesthelogcaptureenoughdatatounderstandwhathappenedinthepast?Doyourlogscaptureenoughdatatounderstandanincidentafterthefact?Issuchcapturelightweightenoughtobeleftonallthetime?Doyouhaveenoughdatatodealwithrepudiationclaims?Makesureyoulogsufficientandappropriatedatatohandlearepudiationclaims.Youmightwanttotalktoanauditexpertaswellasaprivacyexpertaboutyourchoiceofdata.
Justification: Auditingisextensive.
POTENTIALWEAKPROTECTIONSFORAUDITDATA
State: Mitigationimplemented
Priority: High
Category: Repudiation
Description: Considerwhathappenswhentheauditmechanismcomesunderattack,includingattemptstodestroythelogs,orattack loganalysisprograms.Ensureaccesstothelog isthroughareferencemonitor,whichcontrolsreadandwriteseparately.Documentwhatfilters,ifany,readerscanrelyon,orwritersshouldexpect.
Justification: Auditdataisstoredinentitiesdatastoreandisprotectedbyauthenticationandexecutionrestrictionsjustasallotherdata.
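The three logging threats above (risks from logging, insufficient auditing, weak protections for audit data) share two defensive requirements: untrusted fields must be canonicalized before they reach a log reader, and the stored records must be tamper-evident so that deletion or editing is detectable. The following is an added example in Python and is not iCP's logging code; the record layout (who, what, target, outcome, timestamp), the HMAC-chain design and the key and sample records are all assumptions constructed for the illustration.

```python
import hashlib
import hmac
import json
import re
from typing import Any, Dict, List, Optional

# Control characters, including CR and LF, which would otherwise let one field
# start a new (forged) record or confuse a log reader.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

GENESIS = "0" * 64  # tag that the first record chains from


def canonicalize(value: str, max_len: int = 256) -> str:
    """Reduce an untrusted string to a single-line, length-bounded field."""
    return _CONTROL.sub("?", value)[:max_len]


class AuditLog:
    """In-memory audit trail with an HMAC chain (hypothetical design, not iCP's).

    Each record's tag is an HMAC over the previous tag plus the record body, so
    editing, reordering or deleting a record makes verify() fail from that point.
    The key is held by the writer; the reader only needs it to verify."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.records: List[Dict[str, Any]] = []
        self._prev_tag = GENESIS

    def _tag(self, prev_tag: str, body: Dict[str, Any]) -> str:
        msg = (prev_tag + json.dumps(body, sort_keys=True)).encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, ts: float, actor: str, action: str, target: str, outcome: str) -> str:
        body = {
            "ts": ts,
            "actor": canonicalize(actor),      # who: the authenticated identity
            "action": canonicalize(action),    # what was attempted
            "target": canonicalize(target),    # on which entity
            "outcome": canonicalize(outcome),  # allowed / denied / error
        }
        tag = self._tag(self._prev_tag, body)
        self.records.append({"body": body, "tag": tag})
        self._prev_tag = tag
        return tag

    def verify(self, records: Optional[List[Dict[str, Any]]] = None) -> bool:
        """Reader-side check: recompute the chain and compare in constant time."""
        prev = GENESIS
        for rec in self.records if records is None else records:
            if not hmac.compare_digest(self._tag(prev, rec["body"]), rec["tag"]):
                return False
            prev = rec["tag"]
        return True
```

An actor string that tries to smuggle a fake second record through a line break is flattened to one line, and any copy of the trail in which a record has been altered or a leading record removed fails verification, which is what a single trusted reader would check before relying on the log to answer a repudiation claim.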
AUTHORIZATION BYPASS
State: Mitigation implemented
Priority: High
Category: Information Disclosure
Description: Can you access Ion Entities Store and bypass the permissions for the object? For example, by editing the files directly with a hex editor, or reaching it via file sharing? Ensure that your program is the only one that can access the data, and that all other subjects must use your interface.
Justification: Data is restricted based on SQL identity. All changes are done via parameterized stored procedures. All other access is denied. Users can only access via the control panel and access is restricted by role.
WEAK CREDENTIAL STORAGE
State: Mitigation implemented
Priority: High
Category: Information Disclosure
Description: Credentials held at the server are often disclosed or tampered with and credentials stored on the client are often stolen. For the server side, consider storing a salted hash of the credentials instead of storing the credentials themselves. If this is not possible due to business requirements, be sure to encrypt the credentials before storage, using an SDL-approved mechanism. For the client side, if storing credentials is required, encrypt them and protect the data store in which they're stored.
Justification: Credentials are encrypted.
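The description recommends a salted hash as the first choice for server-side credentials, with encryption as the fallback when the plaintext has to be recoverable (some of the Office 365 admin passwords in the property tables later in this report are an example of data that the system must send onward, which is why encryption rather than hashing applies there). The following added example, written in Python and not taken from iCP, shows the salted-hash option: PBKDF2 with a per-credential random salt, a self-describing record so the work factor can be raised later, and constant-time verification. The record format and the iteration count are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed work factor; raise it as server CPU budget allows
SALT_BYTES = 16


def hash_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per credential means equal passwords give different
    records, so a stolen table cannot be attacked with one precomputed table."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_credential(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.
    Malformed records verify as False rather than raising."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record was made with an older or unknown work factor, so the
    credential should be re-hashed on the next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS
```

Because the stored record never contains the password, a disclosure of the credential table yields only salted digests, and `needs_rehash` gives the "credential change management" hook that lets the work factor grow over the life of the deployment.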
POTENTIAL EXCESSIVE RESOURCE CONSUMPTION FOR ICP ENGINE OR ICP ENTITIES STORE
State: Mitigation implemented
Priority: High
Category: Denial of Service
Description: Does iCP Engine or iCP Entities Store take explicit steps to control resource consumption? Resource consumption attacks can be hard to deal with, and there are times that it makes sense to let the OS do the job. Be careful that your resource requests don't deadlock, and that they do time out.
Justification: Interaction between the iCP engine and the SQL Entities store has been extensively tuned to prevent deadlocks and is currently operating in the field in many high demand environments. It is recommended that Windows Server and SQL Server are tuned based on Microsoft recommendations.
Interaction: TCP/TLS
ICP PROCESS MEMORY TAMPERED
State: Not Applicable
Priority: High
Category: Tampering
Description: If iCP is given access to memory, such as shared memory or pointers, or is given the ability to control what iCP Engine executes (for example, passing back a function pointer), then iCP Control Panel can tamper with iCP Engine. Consider if the function could work with less access to memory, such as passing data rather than pointers. Copy in data provided, and then validate it.
Justification: Control is 100% managed code and has no access to memory.
REPLAY ATTACKS
State: Not Applicable
Priority: High
Category: Tampering
Description: Packets or messages without sequence numbers or timestamps can be captured and replayed in a wide variety of ways. Implement or utilize an existing communication protocol that supports anti-replay techniques (investigate sequence numbers before timers) and strong integrity.
Justification: Communication is managed code and this threat is mitigated by the TCP/IP stack. The application has no access to packets.
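The description couples two requirements, anti-replay and strong integrity, and prefers sequence numbers to timers. The following added example in Python (not iCP's protocol, which the report says relies on the TCP/TLS stack rather than application-level checks) shows the receiver-side logic at the message level: a shared per-sender key, an HMAC over sender id plus header plus payload, a strictly increasing sequence number per sender, and a timestamp window as the secondary check. The message layout, key and sender names are assumptions constructed for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Tuple, Union

TAG_LEN = 32
HEADER = struct.Struct(">QQ")   # 64-bit sequence number, 64-bit unix timestamp


def seal(key: bytes, sender: str, seq: int, ts: int, payload: bytes) -> bytes:
    """Sender side: header || payload || HMAC(key, sender || header || payload).
    Binding the sender id into the tag stops a message from being replayed
    under another sender's sequence space."""
    header = HEADER.pack(seq, ts)
    tag = hmac.new(key, sender.encode("utf-8") + header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ReplayGuard:
    """Receiver side. Integrity is checked first, so a forged header can never
    move the window; then the sequence number must exceed the highest one
    accepted from that sender; then the timestamp must be fresh. State is only
    updated on acceptance, so a rejected message leaves the window untouched."""

    def __init__(self, key: bytes, max_skew: int = 30) -> None:
        self._key = key
        self._max_skew = max_skew
        self._highest_seq: Dict[str, int] = {}

    def accept(self, sender: str, msg: bytes, now: int) -> Tuple[bool, Union[bytes, str]]:
        if len(msg) < HEADER.size + TAG_LEN:
            return False, "truncated"
        header = msg[:HEADER.size]
        payload = msg[HEADER.size:-TAG_LEN]
        tag = msg[-TAG_LEN:]
        expected = hmac.new(self._key, sender.encode("utf-8") + header + payload,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "integrity"
        seq, ts = HEADER.unpack(header)
        if seq <= self._highest_seq.get(sender, -1):
            return False, "replay"
        if abs(now - ts) > self._max_skew:
            return False, "stale"
        self._highest_seq[sender] = seq
        return True, payload
```

The order of the checks matters: verifying the tag before reading the header means an attacker cannot advance the receiver's window with a fabricated high sequence number, and checking the sequence before the clock means a captured message is rejected as a replay even inside the freshness window.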
COLLISION ATTACKS
State: Not Applicable
Priority: High
Category: Tampering
Description: Attackers who can send a series of packets or messages may be able to overlap data. For example, packet 1 may be 100 bytes starting at offset 0. Packet 2 may be 100 bytes starting at offset 25. Packet 2 will overwrite 75 bytes of packet 1. Ensure you reassemble data before filtering it, and ensure you explicitly handle these sorts of cases.
Justification: Communication is managed code and this threat is mitigated by the TCP/IP stack. The application has no access to packets.
WEAK AUTHENTICATION SCHEME
State: Not Started
Priority: High
Category: Information Disclosure
Description: Custom authentication schemes are susceptible to common weaknesses such as weak credential change management, credential equivalence, easily guessable credentials, null credentials, downgrade authentication or a weak credential change management system. Consider the impact and potential mitigations for your custom authentication scheme.
Justification: An Active Directory user account is required to submit requests to the engine. Assuming the password policy on Active Directory is sufficiently strong, this threat is mitigated.
ELEVATION USING IMPERSONATION
State: Not Applicable
Priority: High
Category: Elevation of Privilege
Description: iCP Engine may be able to impersonate the context of iCP to gain additional privilege.
Justification: Not possible.
XML DTD AND XSLT PROCESSING
State: Mitigation Implemented
Priority: High
Category: Tampering
Description: If a data flow contains XML, XML processing threats (DTD and XSLT code execution) may be exploited.
Justification: Engine uses proprietary XML processing that does not allow DTD or XSLT code execution.
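The mitigation claimed here is that the XML processor simply has no DTD or XSLT capability. Where a general-purpose parser is used instead, the equivalent control is to refuse any document that carries a DTD before the parser sees it. The following added example in Python (not iCP's proprietary processor) applies that check to a small flat settings document and returns a plain dictionary; it relies on the standard library, which links no XSLT engine, so only the DTD side needs an explicit gate. The settings document and tag names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

# Markup that introduces a DTD: a DOCTYPE declaration, or an entity declaration
# inside one. Matching conservatively (anywhere in the bytes, case-insensitive)
# is the point: a rejected document is the safe outcome.
_DTD_MARKUP = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def load_settings(data: bytes) -> Tuple[bool, Optional[Dict[str, str]]]:
    """Parse a flat settings document into {tag: text}.

    Returns (accepted, settings). Any document containing DTD markup is refused
    before it reaches the parser, so entity expansion and external entity
    fetches never happen; malformed XML is refused as well rather than raising."""
    if _DTD_MARKUP.search(data):
        return False, None
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False, None
    return True, {child.tag: (child.text or "") for child in root}
```

The gate sits in front of the parser rather than inside it because parser feature flags differ between libraries and versions; a byte-level refusal of DOCTYPE and ENTITY markup behaves the same everywhere and is trivial to audit.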
AD PROPERTIES
THREAT MODELLING REPORT
AD CONTACT SERVICE PLAN

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| AUTO_ADD_TO_ROOT_CUSTOMERS | Auto Add To Root Resellers | Auto Add To Root Customers | Yes |
| AUTO_ADD_TO_ROOT_RESELLERS | Auto Add To Root Resellers | Indicates if the service plan should be automatically added to root resellers | Yes |
| BILLING_PRODUCT_CODE | Billing Product Code | The product code that can relate to a 3rd party billing package | No |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SERVICE_PLAN_BILLING_MODE | Service Plan Billing Mode | The billing mode of the service plan | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The unique key associated with the Service Plan | Yes |
| SPLA_DESCRIPTION | SPLA Description | The description of the SPLA | No |
| SPLA_NUMBER | SPLA Number | The SPLA Number associated with the Service Plan | No |

AD CONTACT SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| AD_OBJECT_DISTINGUISHED_NAME | AD Object Distinguished Name | The Active Directory object's Distinguished Name | No |
| AD_OBJECT_GUID | AD Object Guid | The Active Directory object Guid | No |
| AD_OBJECT_NAME | AD Object Name | The Active Directory Name for the Hosting object (normally Hosting) | Yes |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SELECTED_DOMAIN_CONTROLLER | Selected Domain Controller | Selected Domain Controller | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |

AD CONTAINER SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| AD_OBJECT_DISTINGUISHED_NAME | AD Object Distinguished Name | The Active Directory object's Distinguished Name | No |
| AD_OBJECT_GUID | AD Object Guid | The Active Directory object Guid | No |
| AD_OBJECT_NAME | AD Object Name | The Active Directory Name for the Hosting object (normally Hosting) | Yes |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |
AD CUSTOMER SERVICE PLAN

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| AUTO_ADD_TO_ROOT_CUSTOMERS | Auto Add To Root Resellers | Auto Add To Root Customers | Yes |
| AUTO_ADD_TO_ROOT_RESELLERS | Auto Add To Root Resellers | Indicates if the service plan should be automatically added to root resellers | Yes |
| BILLING_PRODUCT_CODE | Billing Product Code | The product code that can relate to a 3rd party billing package | No |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SELECTED_DOMAIN_CONTROLLER_POOL | Selected Domain Controller Pool | The preferred domain controller | Yes |
| SERVICE_PLAN_BILLING_MODE | Service Plan Billing Mode | The billing mode of the service plan | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The unique key associated with the Service Plan | Yes |
| SPLA_DESCRIPTION | SPLA Description | The description of the SPLA | No |
| SPLA_NUMBER | SPLA Number | The SPLA Number associated with the Service Plan | No |

AD CUSTOMER SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| AD_OBJECT_DISTINGUISHED_NAME | AD Object Distinguished Name | The Active Directory object's Distinguished Name | No |
| AD_OBJECT_GUID | AD Object Guid | The Active Directory object Guid | No |
| AD_OBJECT_NAME | AD Object Name | The Active Directory Name for the Hosting object (normally Hosting) | Yes |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| MAX_CHILD_SUBSCRIBED_SERVICES_COUNT | Maximum Child Subscribed Service Count | The maximum number of subscribed services a customer can assign to child objects | No |
| SELECTED_DOMAIN_CONTROLLER | Selected Domain Controller | The preferred Domain Controller that has been assigned to the customer | Yes |
| SELECTED_LOCATION_REGION_DOMAIN_CONTROLLER | Selected Location Region Domain Controller | Selected Domain Controller for location regions | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |
AD DOMAIN SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |

AD GROUP SERVICE PLAN

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| AUTO_ADD_TO_ROOT_CUSTOMERS | Auto Add To Root Resellers | Auto Add To Root Customers | Yes |
| AUTO_ADD_TO_ROOT_RESELLERS | Auto Add To Root Resellers | Indicates if the service plan should be automatically added to root resellers | Yes |
| BILLING_PRODUCT_CODE | Billing Product Code | The product code that can relate to a 3rd party billing package | No |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SERVICE_PLAN_BILLING_MODE | Service Plan Billing Mode | The billing mode of the service plan | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The unique key associated with the Service Plan | Yes |
| SPLA_DESCRIPTION | SPLA Description | The description of the SPLA | No |
| SPLA_NUMBER | SPLA Number | The SPLA Number associated with the Service Plan | No |

AD GROUP SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| AD_OBJECT_DISTINGUISHED_NAME | AD Object Distinguished Name | The Active Directory object's Distinguished Name | No |
| AD_OBJECT_GUID | AD Object Guid | The Active Directory object Guid | No |
| AD_OBJECT_NAME | AD Object Name | The Active Directory Name for the Hosting object (normally Hosting) | Yes |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SAM_ACCOUNT_NAME | SAM Account Name | The SAM Account Name of the group. | No |
| SELECTED_DOMAIN_CONTROLLER | Selected Domain Controller | Selected Domain Controller | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |
AD RESOURCE USER SERVICE PLAN

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| AUTO_ADD_TO_ROOT_CUSTOMERS | Auto Add To Root Resellers | Auto Add To Root Customers | Yes |
| AUTO_ADD_TO_ROOT_RESELLERS | Auto Add To Root Resellers | Indicates if the service plan should be automatically added to root resellers | Yes |
| BILLING_PRODUCT_CODE | Billing Product Code | The product code that can relate to a 3rd party billing package | No |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SERVICE_PLAN_BILLING_MODE | Service Plan Billing Mode | The billing mode of the service plan | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The unique key associated with the Service Plan | Yes |
| SPLA_DESCRIPTION | SPLA Description | The description of the SPLA | No |
| SPLA_NUMBER | SPLA Number | The SPLA Number associated with the Service Plan | No |

AD RESOURCE USER SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| AD_OBJECT_DISTINGUISHED_NAME | AD Object Distinguished Name | The Active Directory object's Distinguished Name | No |
| AD_OBJECT_GUID | AD Object Guid | The Active Directory object Guid | No |
| AD_OBJECT_NAME | AD Object Name | The Active Directory Name for the Hosting object (normally Hosting) | Yes |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SAM_ACCOUNT_NAME | SAM Account Name | The unique SAM Account Name given to the user | Yes |
| SELECTED_DOMAIN_CONTROLLER | Selected Domain Controller | Selected Domain Controller | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |

AD USER SERVICE PLAN

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| AUTO_ADD_TO_ROOT_CUSTOMERS | Auto Add To Root Resellers | Auto Add To Root Customers | Yes |
| AUTO_ADD_TO_ROOT_RESELLERS | Auto Add To Root Resellers | Indicates if the service plan should be automatically added to root resellers | Yes |
| BILLING_PRODUCT_CODE | Billing Product Code | The product code that can relate to a 3rd party billing package | No |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SERVICE_PLAN_BILLING_MODE | Service Plan Billing Mode | The billing mode of the service plan | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The unique key associated with the Service Plan | Yes |
| SPLA_DESCRIPTION | SPLA Description | The description of the SPLA | No |
| SPLA_NUMBER | SPLA Number | The SPLA Number associated with the Service Plan | No |

AD USER SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| AD_OBJECT_DISTINGUISHED_NAME | AD Object Distinguished Name | The Active Directory object's Distinguished Name | No |
| AD_OBJECT_GUID | AD Object Guid | The Active Directory object Guid | No |
| AD_OBJECT_NAME | AD Object Name | The Active Directory Name for the Hosting object (normally Hosting) | Yes |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SAM_ACCOUNT_NAME | SAM Account Name | The unique SAM Account Name given to the user | Yes |
| SELECTED_DOMAIN_CONTROLLER | Selected Domain Controller | Selected Domain Controller | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |
PREFERRED DOMAIN CONTROLLER SYSTEM POOL ITEM

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| IS_SHARED | Is Shared | Indicates whether the System Pool Item can be shared across multiple entities | Yes |
| MAX_ITEM_WEIGHT | Max Item Weight | The maximum amount of resources value for this System Pool Item | Yes |
| PRIMARY_DOMAIN_CONTROLLER | Primary Domain Controller | The preferred Domain Controller that will be used for AD communication | Yes |
| SECONDARY_DOMAIN_CONTROLLER | Secondary Domain Controller | The secondary Domain Controller that will be used for AD communication if the primary Domain Controller cannot be contacted | No |
| SYSTEM_POOL_ITEM_KEY | System Pool Item Key | The unique key associated with the System Pool Item | Yes |
O365 PROPERTIES
CUSTOMER OFFER

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| ENTITLEMENT_URI | Entitlement Uri | The entitlement uri | No |
| OFFER_QUANTITY | Offer Quantity | The quantity of seats for the offer | No |
| ORDER_ID | Order id | The Id of the order | No |
| SELECTED_MS_O365_OFFER | Selected offer | Selected Offer set for the company | Yes |
| SUBSCRIPTION_ID | Subscription Id | The Id of the subscription | No |

CUSTOMER OFFER ADDON

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| ENTITLEMENT_URI | Entitlement Uri | The Microsoft default profile Id in Graph | No |
| OFFER_QUANTITY | Offer Quantity | The quantity of seats for the offer | No |
| SELECTED_MS_O365_OFFER_ADDON | Selected offer Addon | Selected Offer addon set for the company | Yes |
| SUBSCRIPTION_ID | Subscription Id | The Id of the subscription | No |
CUSTOMER SERVICE PLAN

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| AUTO_ADD_TO_ROOT_CUSTOMERS | Auto Add To Root Resellers | Auto Add To Root Customers | Yes |
| AUTO_ADD_TO_ROOT_RESELLERS | Auto Add To Root Resellers | Indicates if the service plan should be automatically added to root resellers | Yes |
| BILLING_PRODUCT_CODE | Billing Product Code | The product code that can relate to a 3rd party billing package | No |
| COUNTRY_CODE | Country Code | The country code | Yes |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| LOCALE_CODE | Locale Code | The locale (culture) code | Yes |
| PROFILE_ID | Selected Profile | The profile selected for the plan | Yes |
| SERVICE_PLAN_BILLING_MODE | Service Plan Billing Mode | The billing mode of the service plan | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The unique key associated with the Service Plan | Yes |
| SPLA_DESCRIPTION | SPLA Description | The description of the SPLA | No |
| SPLA_NUMBER | SPLA Number | The SPLA Number associated with the Service Plan | No |

CUSTOMER SERVICE PLAN OFFER

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SELECTED_MS_O365_ADDONS | Selected Offer Addons | The selected offer addons | No |
| SELECTED_MS_O365_OFFER | Selected Offer | The selected offer | Yes |
CUSTOMER SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| LANGUAGE_CODE | The Microsoft Tenant language code. | The Microsoft Tenant language code, e.g. en for English. | Yes |
| MAX_CHILD_SUBSCRIBED_SERVICES_COUNT | Maximum Child Subscribed Service Count | The maximum number of subscribed services a customer can assign to child objects | No |
| MS_O365_ADMIN_USER_PASSWORD | Admin User Password | The password for the admin user | No |
| MS_O365_ADMIN_USERNAME_PREFIX | Admin Username Prefix | The prefix for the admin username | No |
| MS_O365_COMMERCE_ID | Microsoft Customer Id | The Microsoft customer Id in Graph | No |
| MS_O365_DEFAULT_PROFILE_ID | Microsoft Default Profile Id | The Microsoft default profile Id in Graph | No |
| MS_O365_SYNC_DATE | O365 Sync Date | The date and time of the last sync | No |
| MS_O365_SYNC_ERROR | O365 Sync Error | The error message generated when the O365 sync fails | No |
| MS_O365_SYNC_STATUS | O365 Sync Status | The status of the Office 365 sync | No |
| MS_O365_TENANT_DOMAIN_PREFIX | The Microsoft Tenant domain name prefix. | The Microsoft Tenant domain name prefix. | No |
| MS_O365_TENANT_ID | Microsoft Tenant Id | The Microsoft tenant Id in Graph | No |
| SELECTED_MS_O365_PARTNER_PROFILE | Selected CSP Partner Profile | Selected CSP Partner Profile for the customer | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |
DOMAIN SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| AUTHENTICATION_TYPE | Authentication Type | The authentication type | Yes |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |
| VERIFICATION_METHOD | Verification Method | The verification method | Yes |

GROUP SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| MAIL_ENABLED | Group is mail enabled | Group is mail enabled. | Yes |
| MAIL_NICKNAME | The Microsoft group mail nickname. | The Microsoft group mail nickname. | Yes |
| MICROSOFT_OBJECT_ID | Microsoft Object Id | The Microsoft object Id in Graph | No |
| SECURITY_ENABLED | Group is security enabled | Group is security enabled. | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |

USER OFFER

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISABLED_MS_O365_OFFER_USER_SERVICES | Disabled user services | The disabled user services | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SELECTED_MS_O365_OFFER | Selected offer | Selected Offer set for the company | Yes |

OFFER ADDON

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SELECTED_MS_O365_OFFER_ADDON | Selected offer Addon | Selected Offer addon set for the user | Yes |
USER SERVICE PLAN

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| AUTO_ADD_TO_ROOT_CUSTOMERS | Auto Add To Root Resellers | Auto Add To Root Customers | Yes |
| AUTO_ADD_TO_ROOT_RESELLERS | Auto Add To Root Resellers | Indicates if the service plan should be automatically added to root resellers | Yes |
| BILLING_PRODUCT_CODE | Billing Product Code | The product code that can relate to a 3rd party billing package | No |
| COUNTRY_CODE | Country Code | The country code | Yes |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| LOCALE_CODE | Locale Code | The locale (culture) code | Yes |
| PROFILE_ID | Selected Profile | The profile selected for the plan | Yes |
| SERVICE_PLAN_BILLING_MODE | Service Plan Billing Mode | The billing mode of the service plan | Yes |
| SERVICE_PLAN_KEY | Service Plan Key | The unique key associated with the Service Plan | Yes |
| SPLA_DESCRIPTION | SPLA Description | The description of the SPLA | No |
| SPLA_NUMBER | SPLA Number | The SPLA Number associated with the Service Plan | No |

USER SERVICE PLAN OFFER

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISABLED_MS_O365_OFFER_USER_SERVICES | Disabled user services | The disabled user services | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| SELECTED_MS_O365_ADDONS | Selected Offer Addons | The selected offer addons | No |
| SELECTED_MS_O365_OFFER | Selected Offer | The selected offer | Yes |
| SUBSCRIBER_EDITABLE | Subscriber Editable | Allow subscriber to change selected addons and user services. | Yes |

USER SUBSCRIBED SERVICE

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| MAIL_NICKNAME | The Microsoft user mail nickname. | The Microsoft user mail nickname. | Yes |
| MICROSOFT_OBJECT_ID | Microsoft Object Id | The Microsoft object Id in Graph | No |
| MICROSOFT_PASSWORD | Password for the new user. | The password for the new user | No |
| SERVICE_PLAN_KEY | Service Plan Key | The service plan key assigned to the subscriber | No |
SUBSCRIBER PROPERTIES
CONTACT

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| CITY | City | City | No |
| COMPANY_NAME | Company Name | The name of the company the contact belongs to | No |
| CONTACT_NAME | Contact Name | The name of the contact | -1 |
| COUNTRY | Country | Country | No |
| COUNTRY_CODE | Country Code | Country Code | No |
| DEFAULT_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| DEPARTMENT | Department | Department | No |
| DESCRIPTION | Description | The description of the entity | No |
| DIRECT_REPORTS | Direct Reports | Direct Reports | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| EMAIL | Email | Email | No |
| EXTENSION_ATTRIBUTE_2 | Extension Attribute 2 | The AD Extension Attribute 2 Property | No |
| EXTENSION_ATTRIBUTE_3 | Extension Attribute 3 | The AD Extension Attribute 3 Property | No |
| EXTENSION_ATTRIBUTE_4 | Extension Attribute 4 | The AD Extension Attribute 4 Property | No |
| EXTENSION_ATTRIBUTE_5 | Extension Attribute 5 | The AD Extension Attribute 5 Property | No |
| FAX | Fax | Fax | No |
| FIRST_NAME | First Name | First Name | No |
| HOME_PHONE | Home Phone | Home Phone | No |
| INITIALS | Initials | Initials | No |
| IP_PHONE | IP Phone | IP Phone | No |
| LAST_NAME | Last Name | Last Name | No |
| MANAGER | Manager | Manager | No |
| MOBILE_PHONE | Mobile Phone | Mobile Phone | No |
| NOTES | Notes | Notes | No |
| OFFICE | Office | Office | No |
| PAGER | Pager | Pager | No |
| PARENT_COMPANY_CONTAINER | Parent Company Container | The parent company container | No |
| SECURITY_ROLE_SCOPE | Security Role Scope | The security scope for the given subscriber | No |
| STATE | State | State | No |
| STREET | Street | Street | No |
| SUBSCRIBED_SERVICE_KEYS | Subscribed Service Keys | The service keys the subscriber is subscribed to | No |
| TITLE | Title | Title | No |
| WEB_PAGE | Web Page | Web Page | No |
| WORK_PHONE | Work Phone | Work Phone | No |
| ZIPCODE | Zip Code | Zip Code | No |
CUSTOMER

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| AFFILIATED_RESELLER | Affiliated Reseller | The name of the affiliated reseller | No |
| ALLOW_USERS_ADMIN_RIGHTS | Allow users administration rights | Tells the system if users (not admins) in the company are allowed to use the control panel | No |
| ALLOW_USERS_CHANGE_GROUP | Allow users Change Group Membership | Tells the system if users (not admins) in the company are allowed to change group membership | No |
| ALLOW_USERS_CHANGE_PASSWORD | Allow users change password | Tells the system if users (not admins) in the company are allowed to change their own password | No |
| ALLOW_USERS_CHANGE_PLAN | Allow users Change Plan | Tells the system if users (not admins) in the company are allowed to change plan settings for themselves | No |
| BUSINESS_SECTOR | Business Sector | The business sector the customer belongs to | Yes |
| CHALLENGE_QUESTION_REQUIRED | Challenge Question Required | Tells the system if users (not admins) in the company are required to have a challenge question | No |
| CITY | City | City | No |
| CONTACT_EMAIL | Contact Email | The email address of the main contact for the company | No |
| CONTACT_NAME | Contact name | The CN name of the main contact for the company | No |
| CONTACT_PHONE | Contact Phone | The phone number of the main contact for the company | No |
| COUNTRY | Country | Country | No |
| COUNTRY_CODE | Country Code | The country code of the customer's address | No |
| CULTURE_CODE | Culture code | The culture code assigned to this company | Yes |
| CUSTOMER_ACCOUNT_NUMBER | Customer Account Number | An external account number for the customer to tie in with 3rd party systems | No |
| CUSTOMER_CODE | Customer Code | Unique Code of the customer | Yes |
| DEFAULT_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| PASSWORD_STRENGTH | Password Strength | The password strength that is enforced for the company | No |
| REASON_FOR_CANCEL | Reason for Cancel | The reason given for cancelling service | No |
| SALES_PERSON | Sales Person | The name of the sales person | No |
| SECURITY_ROLE_SCOPE | Security Role Scope | The security scope for the given subscriber | No |
| SIGNUP_DOMAIN | Reseller Signup domain | The domain the customer entered into the system through (the reseller's domain) | Yes |
| STATE | State | State | No |
| STREET | Street | Street | No |
| SUBSCRIBED_SERVICE_KEYS | Subscribed Service Keys | The service keys the subscriber is subscribed to | No |
| TRIAL_ACCOUNT | Trial Account | Tells the system if this customer is a trial (Demo) customer | Yes |
| TRIAL_END_DATE | Trial End Date | The date the trial service is over | No |
| TWO_STEP_AUTH_REQUIRED | Two Step Authorization Required | Tells the system if two step authorization is required. | Yes |
| ZIPCODE | Zip Code | Zip Code | No |
DOMAIN

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| DEFAULT_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| DNS_HOST | DNSHOST | DNS Hoster that the DNS is stored at | No |
| DOMAIN_NAME | Domain Name | The name of the domain | Yes |
| IS_SHARED | Is Shared | If this is a shared domain | Yes |
| MAIL_IP_ID | Mail IP ID | Mail IP ID | No |
| OWA_SUB_DOMAIN | OWA Subdomain | OWA Subdomain entry point into the system | No |
| REGISTRAR | Registrar | Registrar | No |
| SUB_DOMAIN | Subdomain | Subdomain entry point into the system. | No |
| SUBSCRIBED_SERVICE_KEYS | Subscribed Service Keys | The service keys the subscriber is subscribed to | No |
| WWW_IP_ID | Subdomain | Subdomain | No |

GROUP

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| AUTOMATIC_USER_MEMBERSHIP | Automatic User membership | Automatically adds a new user to the group's membership | Yes |
| DEFAULT_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| DESCRIPTION | Description | The description of the entity | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| EMAIL | Email | Email | No |
| EXTENSION_ATTRIBUTE_2 | Extension Attribute 2 | The AD Extension Attribute 2 Property | No |
| EXTENSION_ATTRIBUTE_3 | Extension Attribute 3 | The AD Extension Attribute 3 Property | No |
| EXTENSION_ATTRIBUTE_4 | Extension Attribute 4 | The AD Extension Attribute 4 Property | No |
| EXTENSION_ATTRIBUTE_5 | Extension Attribute 5 | The AD Extension Attribute 5 Property | No |
| GROUP_NAME | Group Name | The name of the group | Yes |
| GROUP_SCOPE | Group Scope | The scope of the group | Yes |
| GROUP_TYPE | Group Type | The type of the group | Yes |
| MANAGED_BY | Managed By | The manager of the group | No |
| PARENT_COMPANY_CONTAINER | Parent Company Container | The parent company container | No |
| SECURITY_ROLE_SCOPE | Security Role Scope | The security scope for the given subscriber | No |
| SUBSCRIBED_SERVICE_KEYS | Subscribed Service Keys | The service keys the subscriber is subscribed to | No |
RESOURCE USER

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_SECURITY_ROLE_GROUP | Assigned Security Role Group | The security group for the given user | No |
| CHALLENGE_MESSAGE | Challenge Message | Challenge Message | No |
| CHALLENGE_RESPONSE | Challenge Response | Challenge Response | No |
| CITY | City | City | No |
| COMPANY_NAME | Company Name | The company a user is associated with | No |
| COUNTRY | Country | Country | No |
| COUNTRY_CODE | Country Code | Country Code | No |
| DEFAULT_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| DEMO_ACCOUNT | Demo Account | Tells the system if this user is a Demo user, not to be billed | Yes |
| DEPARTMENT | Department | Department | No |
| DESCRIPTION | Description | The description of the entity | No |
| DIRECT_REPORTS | Direct Reports | Direct Reports | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| EMAIL | Email | Email | No |
| EXTENSION_ATTRIBUTE_2 | Extension Attribute 2 | The AD Extension Attribute 2 Property | No |
| EXTENSION_ATTRIBUTE_3 | Extension Attribute 3 | The AD Extension Attribute 3 Property | No |
| EXTENSION_ATTRIBUTE_4 | Extension Attribute 4 | The AD Extension Attribute 4 Property | No |
| EXTENSION_ATTRIBUTE_5 | Extension Attribute 5 | The AD Extension Attribute 5 Property | No |
| FAX | Fax | Fax | No |
| FIRST_NAME | First Name | First Name | No |
| HOME_PHONE | Home Phone | Home Phone | No |
| INITIALS | Initials | Initials | No |
| IP_PHONE | IP Phone | IP Phone | No |
| LAST_NAME | Last Name | Last Name | No |
| MANAGER | Manager | Manager | No |
| MOBILE_PHONE | Mobile Phone | Mobile Phone | No |
| NOTES | Notes | Notes | No |
| OFFICE | Office | Office | No |
| PAGER | Pager | Pager | No |
| PARENT_COMPANY_CONTAINER | Parent Company Container | The parent company container | No |
| PASSWORD_NEVER_EXPIRES | Password Never Expires | The user's password never expires | Yes |
| RESOURCE_USER_TYPE | Resource User Type | The type of resource user | Yes |
| SECURITY_ROLE_SCOPE | Security Role Scope | The security scope for the given subscriber | No |
| STATE | State | State | No |
| STREET | Street | Street | No |
| SUBSCRIBED_SERVICE_KEYS | Subscribed Service Keys | The service keys the subscriber is subscribed to | No |
| TITLE | Title | Title | No |
| UNLOCK_ACCOUNT | Unlock Account | Indicates if the user's account should be unlocked | Yes |
| USER_CANNOT_CHANGE_PASSWORD | User Cannot Change Password | The user cannot change their password | Yes |
| USER_MUST_CHANGE_PASSWORD | User Must Change Password | The user must change their password | Yes |
| USER_PASSWORD | User Password | The user's password | No |
| USER_PRINCIPAL_NAME | User Principal Name | The unique UPN given to the user | Yes |
| USER_ROLE_KEY | User Role Key | The security role assigned to the user | Yes |
| WEB_PAGE | Web Page | Web Page | No |
| WORK_PHONE | Work Phone | Work Phone | No |
| ZIPCODE | Zip Code | Zip Code | No |
USER

| Property Key | Property Display Name | Property Description | Is Required |
| --- | --- | --- | --- |
| ASSIGNED_SECURITY_ROLE_GROUP | Assigned Security Role Group | The security group for the given user | No |
| CHALLENGE_MESSAGE | Challenge Message | Challenge Message | No |
| CHALLENGE_RESPONSE | Challenge Response | Challenge Response | No |
| CITY | City | City | No |
| COMPANY_NAME | Company Name | The company a user is associated with | No |
| COUNTRY | Country | Country | No |
| COUNTRY_CODE | Country Code | Country Code | No |
| DEFAULT_LOCATION_REGION | Selected Location Region | The location region assigned to the user | No |
| DEMO_ACCOUNT | Demo Account | Tells the system if this user is a Demo user, not to be billed | Yes |
| DEPARTMENT | Department | Department | No |
| DESCRIPTION | Description | The description of the entity | No |
| DIRECT_REPORTS | Direct Reports | Direct Reports | No |
| DISPLAY_NAME | Display Name | The display name for the entity | Yes |
| EMAIL | Email | Email | No |
| EXTENSION_ATTRIBUTE_2 | Extension Attribute 2 | The AD Extension Attribute 2 Property | No |
| EXTENSION_ATTRIBUTE_3 | Extension Attribute 3 | The AD Extension Attribute 3 Property | No |
| EXTENSION_ATTRIBUTE_4 | Extension Attribute 4 | The AD Extension Attribute 4 Property | No |
| EXTENSION_ATTRIBUTE_5 | Extension Attribute 5 | The AD Extension Attribute 5 Property | No |
| FAX | Fax | Fax | No |
| FIRST_NAME | First Name | First Name | No |
| HOME_PHONE | Home Phone | Home Phone | No |
| INITIALS | Initials | Initials | No |
| IP_PHONE | IP Phone | IP Phone | No |
| LAST_NAME | Last Name | Last Name | No |
| MANAGER | Manager | Manager | No |
| MOBILE_PHONE | Mobile Phone | Mobile Phone | No |
| NOTES | Notes | Notes | No |
| OFFICE | Office | Office | No |
| PAGER | Pager | Pager | No |
| PARENT_COMPANY_CONTAINER | Parent Company Container | The parent company container | No |
| PASSWORD_NEVER_EXPIRES | Password Never Expires | The user's password never expires | Yes |
| SECURITY_ROLE_SCOPE | Security Role Scope | The security scope for the given subscriber | No |
| STATE | State | State | No |
| STREET | Street | Street | No |
| SUBSCRIBED_SERVICE_KEYS | Subscribed Service Keys | The service keys the subscriber is subscribed to | No |
| TITLE | Title | Title | No |
| UNLOCK_ACCOUNT | Unlock Account | Indicates if the user's account should be unlocked | Yes |
| USER_CANNOT_CHANGE_PASSWORD | User Cannot Change Password | The user cannot change their password | Yes |
| USER_MUST_CHANGE_PASSWORD | User Must Change Password | The user must change their password | Yes |
| USER_PASSWORD | User Password | The user's password | No |
| USER_PRINCIPAL_NAME | User Principal Name | The unique UPN given to the user | Yes |
| USER_ROLE_KEY | User Role Key | The security role assigned to the user | Yes |
| WEB_PAGE | Web Page | Web Page | No |
| WORK_PHONE | Work Phone | Work Phone | No |
| ZIPCODE | Zip Code | Zip Code | No |
INFORMATION STORAGE

WHAT INFORMATION IS STORED

iCP stores almost identical data for an on-premise system (e.g. Skype, Active Directory, etc.) as for Office 365. This includes things like company and user properties (names, addresses, etc.), settings for a specific service, group membership, etc.

If the data is sensitive, such as passwords, it is encrypted in our database as standard. Important: any data entity property can be encrypted upon request.
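As an added example (not iPortalis code, and not a description of how iCP itself implements this), the following Python models the two controls described in the USER property table and the paragraph above: the IsRequired flags of the data dictionary, and encryption of sensitive properties before a record is written to the Entities database. USER_SCHEMA, ENCRYPTED_PROPERTIES, prepare_for_storage, read_property, the sample record and the master key are all assumptions; CHALLENGE_RESPONSE is listed as an encrypted property only to illustrate the "upon request" case. The cipher is a standard-library-only encrypt-then-MAC construction (HMAC-SHA256 keystream plus HMAC tag), standing in for a vetted AEAD such as AES-GCM, which is what a production system would use.

```python
import base64
import hashlib
import hmac
import secrets

# Subset of the USER data dictionary: property key -> IsRequired.
# All eight "Yes" rows are listed; a few optional rows are included for illustration.
USER_SCHEMA = {
    "DEMO_ACCOUNT": True,
    "DISPLAY_NAME": True,
    "PASSWORD_NEVER_EXPIRES": True,
    "UNLOCK_ACCOUNT": True,
    "USER_CANNOT_CHANGE_PASSWORD": True,
    "USER_MUST_CHANGE_PASSWORD": True,
    "USER_PRINCIPAL_NAME": True,
    "USER_ROLE_KEY": True,
    "CHALLENGE_RESPONSE": False,
    "EMAIL": False,
    "USER_PASSWORD": False,
}

# Properties encrypted before they reach the database. The page names passwords;
# CHALLENGE_RESPONSE is an assumed "encrypted upon request" addition.
ENCRYPTED_PROPERTIES = {"USER_PASSWORD", "CHALLENGE_RESPONSE"}


def derive_keys(master_key: bytes):
    """Split one master key into independent encryption and MAC keys (assumed labels)."""
    enc = hmac.new(master_key, b"icp-field-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"icp-field-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD keystream."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_value(enc_key: bytes, mac_key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC one property value; output is 'enc:' + base64(nonce|ct|tag)."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return "enc:" + base64.b64encode(nonce + ct + tag).decode("ascii")


def decrypt_value(enc_key: bytes, mac_key: bytes, token: str) -> str:
    """Verify the tag first, then decrypt; any tampering raises before decryption."""
    if not token.startswith("enc:"):
        raise ValueError("not an encrypted value")
    raw = base64.b64decode(token[4:])
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("utf-8")


def validate_user(record: dict) -> list:
    """Return schema violations: missing required properties and unknown properties."""
    errors = []
    for key, required in USER_SCHEMA.items():
        if required and record.get(key) is None:  # False is a valid value for the flags
            errors.append(f"missing required property {key}")
    for key in record:
        if key not in USER_SCHEMA:
            errors.append(f"unknown property {key}")
    return errors


def prepare_for_storage(record: dict, master_key: bytes) -> dict:
    """Validate a USER record and encrypt its sensitive properties for the database."""
    errors = validate_user(record)
    if errors:
        raise ValueError("; ".join(errors))
    enc_key, mac_key = derive_keys(master_key)
    stored = dict(record)
    for key in ENCRYPTED_PROPERTIES:
        if stored.get(key) is not None:
            stored[key] = encrypt_value(enc_key, mac_key, str(stored[key]))
    return stored


def read_property(stored: dict, key: str, master_key: bytes) -> str:
    """Read one property back, decrypting it if it is in the encrypted set."""
    enc_key, mac_key = derive_keys(master_key)
    value = stored[key]
    return decrypt_value(enc_key, mac_key, value) if key in ENCRYPTED_PROPERTIES else value


# Constructed sample record; every value is made up.
SAMPLE_USER = {
    "DISPLAY_NAME": "Jane Example",
    "USER_PRINCIPAL_NAME": "jane@example.invalid",
    "USER_ROLE_KEY": "CompanyUser",
    "DEMO_ACCOUNT": False,
    "PASSWORD_NEVER_EXPIRES": False,
    "UNLOCK_ACCOUNT": False,
    "USER_CANNOT_CHANGE_PASSWORD": False,
    "USER_MUST_CHANGE_PASSWORD": True,
    "EMAIL": "jane@example.invalid",
    "USER_PASSWORD": "constructed-initial-password",
}

if __name__ == "__main__":
    key = secrets.token_bytes(32)
    row = prepare_for_storage(SAMPLE_USER, key)
    print(row["USER_PASSWORD"][:16] + "...")          # ciphertext goes to the database
    print(read_property(row, "USER_PASSWORD", key))   # plaintext only after tag check
```

The point of the design is that the required-field check and the sensitive-field set are data, not scattered code, so a request to "encrypt this property too" is a one-line change to ENCRYPTED_PROPERTIES, and a deleted-but-retained row (the page notes deleted objects are only flagged) stays encrypted at rest for as long as it is kept.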
For Office 365 specifically, iCP also stores entitlements such as what subscriptions the customer has, the number of licenses per subscription, who licenses are assigned to, the details of offerings, and the service plan components of a given offer. Office 365 itself stores a lot of data, but that is out of iCP's scope.
WHERE IS INFORMATION STORED

All Office 365 specific data is stored in the iCP Microsoft SQL Server Entities database. The system as a whole stores data either in the Entities database or in the Configuration database. There is a small amount of system-level information stored in XML configuration files and in some secured registry settings. Finally, if using the iCP DirSync solution, AD changes are temporarily stored in an additional SQL database until those changes are sync'd to the iCP system.
HOW LONG IS INFORMATION STORED

Information is stored "indefinitely", as even deleted objects are simply flagged as deleted and kept in the Entities DB. This can be adjusted and controlled further by Client IT administration.

As mentioned earlier, the DirSync database only keeps data until the synchronization is complete.
HOW ACCESSIBLE IS INFORMATION

The data is on a back-end SQL Server, on-premise and within the Client network. It has very limited access: the database itself is secured with a service account password, and data access is performed via stored procedures.
WHO CAN ACCESS INFORMATION

All other access is via either the iCP or APIs that require authentication. Users are also limited in what they can do via their security role, such as an administrator or a standard user (defined by Client).
ADMINISTRATION LAYERS

This refers to a security model that identifies the rights of each actor (e.g. user/role) with respect to objects/data stored in iCP. This has been characterized at a high level above and in the threat model.

iCP version 7.0 is in the development roadmap and iPortalis are adding increased control measures around authorization and user roles. The current iCP model consists of:

• Domain Admin
• Hosting Admin
• Hosting CSR
• Reseller Admin
• Reseller CSR
• Company Admin
• Company User