Local versus remote RMI interface
- Last Updated: August 19, 2025
- OpenEdge
- Version 12.2
Any user who successfully authenticates to OpenEdge Management can gain access to a wide range of AdminServer plugins. These plugins execute with the delegated authority of the AdminServer, not with the authority of the OpenEdge Management user. Executing plugins with this elevated authority can pose a significant risk to remote hosts, which is why the remote RMI is disabled by default.
However, disabling the remote RMI does not eliminate all risks. Local RMI stubs remain accessible and can be exploited by any authenticated user who lacks authorization. To mitigate this risk, Progress recommends:
- Enforcing local access controls, including file system permissions and process-level ACLs, for the AdminServer and related components.
- Restricting which local accounts are permitted to connect to the RMI port of AdminServer.
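One way to apply the second recommendation on a Linux host is the iptables `owner` match on loopback traffic. The script below is an added example, not Progress code: the function name `rmi_owner_rules` is hypothetical, and the port and account names are operator-supplied assumptions. It only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print (never apply) iptables/ip6tables rules that let only the
# named local accounts open loopback connections to the AdminServer RMI port.
# Usage: rmi_owner_rules PORT ACCOUNT [ACCOUNT...]
# PORT and ACCOUNT values are assumptions supplied by the operator.

rmi_owner_rules() {
    if [ "$#" -lt 2 ]; then
        echo "usage: rmi_owner_rules PORT ACCOUNT [ACCOUNT...]" >&2
        return 2
    fi
    port=$1
    shift

    # Port must be a plain decimal integer in 1..65535 (no sign, no leading zero).
    case $port in
        ''|0*|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    if [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2
        return 2
    fi

    # Validate every account name before printing anything, so that a bad
    # argument can never produce a partial or shell-injectable rule set.
    for acct in "$@"; do
        case $acct in
            ''|-*|*[!A-Za-z0-9_.-]*) echo "invalid account: $acct" >&2; return 2 ;;
        esac
    done

    # The owner match is valid in the OUTPUT chain: it sees the UID of the
    # local process that opened the client socket. Locally destined traffic
    # leaves through the lo interface. Cover IPv4 and IPv6.
    for ipt in iptables ip6tables; do
        for acct in "$@"; do
            echo "$ipt -A OUTPUT -o lo -p tcp --dport $port -m owner --uid-owner $acct -j ACCEPT"
        done
        # Any other local account gets a TCP reset on connect.
        echo "$ipt -A OUTPUT -o lo -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    done
}

# Stand-alone use: sh rmi_rules.sh PORT ACCOUNT [ACCOUNT...]
if [ "$#" -gt 0 ]; then
    rmi_owner_rules "$@"
fi
```

Run it once for each local port the AdminServer listens on. Accounts with root privileges can change or bypass these rules, so the file system and process-level controls from the first recommendation are still required.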