A healthcare customer had a security incident and in response has implemented a Corrective Action to reduce the risk of command and control of its servers by unauthorized users. As part of the CA, installation or use of any application which executes user-editable scripts, user-directed commands or launches user-specified third-party applications and doesn't also implement strong authentication, authorization and non-repudiation auditing is not allowed.

Advice is requested on how to limit the functionality of the PowerAdmin satellite to that of "monitor and report" -- remove the ability to execute scripts, run command-line functions and launch any application not required for PowerAdmin to function. The customer's security team must be able to detect that the abilities are disabled and, if needed, enable the "Monitor and Report" mode on the server running the PA satellite. Additionally, the "Monitor and Report" mode must be persistent and not affected by reinstallation of the PowerAdmin satellite, change of the satellite id and unable to be overridden from the central console. Ideally, the solution would be as simple and elegant as presence or value of a registry key similar to how HTTPS tunnels may be blocked.

In closing, I suspect the need for the "Monitor and Report" mode will only increase as more customers begin adopting more stringent policies.

asked 07 Jul, 18:32

IamMJ


That's a very interesting use case. Sort of a read-only mode. That would mean disabling:

Monitors:

  • Calculated Status
  • Execute Script
  • Plugin Monitor

Actions:

  • Execute Script
  • Reboot Computer
  • Start Application
  • Start, Stop or Restart Service

I'm guessing this is a scenario where the server is being monitored by an MSP who uses PA Server Monitor, and that's why they don't want the setting to be overridden by the Central Server. Is that true?

answered 07 Jul, 19:04

Doug ♦♦

Correct. While the customer stated their primary concern was user-created scripts being run without authentication and auditing, blocking all possible changes would be better as it further reduces the potential of unplanned server downtime due to accidental or intentional misuse of PowerAdmin.

(21 Jul, 11:35) IamMJ