
Exact Dental practice management system networking insecure defaults
Vulnerability

    Exact Dental

Affected

    Infocure "Exact Dental" Practice Management System

Description

    'Dixieland' found the following.  Although painfully obvious to even
    intermediate users, Dixie could not allow himself to not pass this
    information along  to the  public so  that at  least a  handful of
    doctor's offices might be more secure.

    "Exact Dental" is a practice management system for dental  offices
    that tracks  typical data  such as  patient databases, appointment
    schedules,  and  financial  information  (billing and accounting).
    The Exact Dental software  was originally distributed by  National
    Data Corp.  Currently the software is the property of Infocure.
    When offices grew and users requested a way to work with  multiple
    systems, the ability  to leverage MS  Windows networking was  used
    in a manner that client  workstations could communicate via a  LAN
    and the Exact Dental system would use mapped shares to direct data
    and communication.

    It is the policy of Infocure to recommend that users deploy  their
    Exact Dental "server" machine with  Windows 9x.  The user  is then
    directed to share the c: drive with FULL ACCESS permissions and NO
    PASSWORD.

    After much questioning back and forth, a (somewhat indignant) tech
    support representative informed him that  sharing the server's  c:
    drive with full access permissions  was the only way that the
    system would work, since the client software looks for a  mapped
    drive (typically the letter K is used) and that this mapped drive
    MUST be the server's system drive.

    Due   to   minimal   documentation   and   anticipation   of  user
    incompetence, it  has become  the policy  of Infocure  to make the
    default configuration of  the Exact Dental  software so devoid  of
    permissions and restrictions that virtually no one will  encounter
    difficulty using the system.

    Client workstations look  to deposit data  on a network  resource.
    These  network  resources  are  specified  in  the  exact.ini file
    (installed   to   c:\windows   on   client   machines)   as  being
    "K:\NDCDENT\...".  Inasmuch as the client anticipates that the  k:
    drive is a  mapping of the  server's c: drive,  one needs only  to
    realize  that  the  Exact   Dental  software  (which  resides   in
    c:\NDCDent on the server)  does not need a  full path and a  share
    compromising security on the server to function.  A relative  path
    works fine.

Solution

    Do NOT  share the  c: drive  on the  server in  any way.  Instead,
    share  the  "NDCDENT"  directory  on  the  server computer.  (Full
    access permissions are  required for the  clients to deposit  data
    correctly, but username/password or password-protected shares  can
    easily  be  used).   Modification  of  the  EXACT.INI  file on the
    clients is necessary to direct  the client software to the  proper
    path (essentially, change all lines reading  "K:\NDCDENT\DIR_NAME"
    to "K:\DIR_NAME" and the system works very well).
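
    The EXACT.INI change described above, as an added example that is
    not part of the original advisory or the vendor's software.  It
    assumes K: is now mapped to the NDCDENT share and that EXACT.INI
    follows the usual Windows INI conventions; the section and key
    names in the sample are hypothetical.

```python
import re

# Old prefix K:\NDCDENT (any case), followed by a backslash or the end of the
# path, so a sibling directory such as K:\NDCDENT2 is not touched.
OLD_PREFIX = re.compile(r'\b(K:\\)NDCDENT(?=\\|\s|"|$)\\?', re.IGNORECASE)

# Constructed sample; the section and key names are hypothetical.
SAMPLE = (
    "[Paths]\r\n"
    "; old layout: K:\\NDCDENT\\DATA\r\n"
    "DataDir=K:\\NDCDENT\\DATA\r\n"
    "Root=k:\\ndcdent\r\n"
    "Other=K:\\NDCDENT2\\KEEP\r\n"
    "Temp=C:\\WINDOWS\\TEMP\r\n"
)

def rewrite_exact_ini(text):
    """Return (new_text, changed_line_numbers) for the contents of EXACT.INI."""
    out, changed = [], []
    for number, line in enumerate(text.splitlines(keepends=True), start=1):
        # Comments and section headers are copied through unchanged.
        if line.lstrip().startswith((";", "[")):
            out.append(line)
            continue
        # Keep the drive prefix as written and drop the NDCDENT component.
        new_line = OLD_PREFIX.sub(lambda m: m.group(1), line)
        if new_line != line:
            changed.append(number)
        out.append(new_line)
    return "".join(out), changed

if __name__ == "__main__":
    new_text, changed = rewrite_exact_ini(SAMPLE)
    print("changed lines:", changed)
    print(new_text, end="")
```

    The list of changed line numbers can be reviewed on each client
    before the rewritten text is saved over c:\windows\exact.ini.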
