A healthcare customer had a security incident and in response has implemented a Corrective Action to reduce the risk of command and control of its servers by unauthorized users. As part of the CA installation or use of any application which executes user-editable scripts, user-directed commands or launches user-specified third-party applications and doesn't also implement strong authentication, authorization and non-repudiation auditing is not allowed. Advice is requested on how to limit the functionality of the PowerAdmin satellite to that of "monitor and report" -- remove the ability to execute scripts, run command-line functions and launch any application not required for PowerAdmin to function. The customer's security team must be able to detect that the abilities are disabled and, if needed, enable the "Monitor and Report" mode on the server running the PA satellite. Additionally, the "Monitor and Report" mode must be persistent and not affected by reinstallation of the PowerAdmin satellite, change of the satellite id and unable to be overridden from the central console. Ideally, the solution would be as simple and elegant as presence or value of a registry key similar to how HTTPS tunnels may be blocked. In closing, I suspect the need for the "Monitor and Report" mode will only increase as more customers begin adopting more stringent policies |
That's a very interesting use case. Sort of a read-only mode. That would mean disabling: Monitors:
Actions:
I'm guessing this is a scenario where the server is being monitored by an MSP who uses PA Server Monitor, and that's why they don't want the setting to be overridden by the Central Server. Is that true? |