none
ZTIGather.log - On webservice calls NAA credentials are logged clear text RRS feed

  • Question

  • Hello

    This problem with ConfigMgr/MDT has been around for a while. With variables like SMSTSReserved1/2 and storing the passwords clear text.

    In my scenario the NAA credentials are being used for connections or any MDT access.

    When I do a webservice call GET the ZTIGather.log is logging all the necessary stuff to make this sort of a security risk.

    For example:
    CHECKING the [CallWebservice] section
    Property UserDomain is now = DOMAIN

    Property UserID is now = USERNAME

    Property UserPassword is now = CLEARTEXTPASSWORD

    Does someone has a good idea at least how to avoid this log from being written in ZTIGather.log which is afterwards copied to CCM Logs?

    Many thanks.

    Thursday, January 26, 2017 8:37 AM

Answers

  • The MDT logging routines will block writing any line with the string "password"

    In the example above, you have a line with:

    Property UserPassword is now = CLEARTEXTPASSWORD
    

    Which should be filtered out because it has the string "UserPassword"

    Note that this behavior is turned off on some builds of MDT if you have Debug=true. You should not be running Debug=True in production, for internal testing only.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Thursday, February 2, 2017 1:04 AM
    Moderator

All replies

  • The MDT logging routines will block writing any line with the string "password"

    In the example above, you have a line with:

    Property UserPassword is now = CLEARTEXTPASSWORD
    

    Which should be filtered out because it has the string "UserPassword"

    Note that this behavior is turned off on some builds of MDT if you have Debug=true. You should not be running Debug=True in production, for internal testing only.


    Keith Garner - Principal Consultant [owner] - http://DeploymentLive.com

    Thursday, February 2, 2017 1:04 AM
    Moderator
  • Many thanks Keith,

    This is correct the debug was left within parameters.

    Thursday, February 2, 2017 12:28 PM