Ensuring a Secure Dell OpenManage™ IT Assistant Installation: Dell OpenManage IT Assistant Version 8.0 User's Guide


Ensuring a Secure Dell OpenManage™ IT Assistant Installation

Dell OpenManage™ IT Assistant Version 8.0 User's Guide

  TCP/IP Packet Port Security

  Securing Managed Desktops, Laptops, and Workstations

  Securing Managed Server Systems

  Running IT Assistant Behind a Firewall

  Setting Up Additional Security for IT Assistant Access

  Securing Ports for IT Assistant and Other Supported Dell OpenManage Applications

  Single Sign-On

  Role-Based Access Security Management

  Assigning User Privileges

  Disabling Guest and Anonymous Accounts


This section discusses several specific topics useful in implementing a more secure Dell OpenManage IT Assistant installation. IT Assistant leverages HTTPS for secure communications, as well as the Microsoft® Active Directory® for role-based access.

For detailed information on security across the Dell OpenManage platform, including IT Assistant, see the Dell OpenManage Installation and Security User's Guide.


TCP/IP Packet Port Security

A TCP/IP packet communicates a request to a target system. Encoded within this packet is a port number that is associated with a specific application. IT Assistant is accessed by specifying https://<hostname>:<portnumber>. Using https requires the application to encrypt the data according to the Secure Socket Layer (SSL) specification, so that an observer watching packets on the network cannot pick up and read sensitive information such as passwords. Users are then authenticated through the IT Assistant login page, and their credentials are checked against whatever role is mapped in Active Directory or the local operating system. For information on the three roles supported by IT Assistant, see "Role-Based Access Security Management."

NOTE: The IT Assistant user interface communicates with the IT Services Tier over port 2607.

Securing Managed Desktops, Laptops, and Workstations

Securing the Managed System's Operating System

The first step in promoting a secure network environment is to ensure that all managed system operating systems are running the most current service pack and/or any additional critical security hotfixes. To simplify this process, Microsoft has introduced Software Update Services. See the Microsoft website for more details. Perform similar updates for other managed systems' operating systems as well.

Session Time-out

An IT Assistant UI session can be configured to time-out after a defined period of inactivity. To configure the session time-out interval, click Preferences on the top IT Assistant navigation bar and choose Web Server Properties. You can either disable session time-out altogether, or allow for up to 30 minutes of inactivity.

NOTE: If the data communication channel between the IT Assistant user interface and the Web server is active due to any asynchronous updates such as performance monitoring tasks, discovery of devices, status polling, and so on, the user session will not time-out even if session time-out is enabled.

ASF and the SNMP Protocol

A final security consideration, starting with Dell™ OptiPlex™ GX260 systems, is the support for the Alert Standard Format (ASF) on the integrated Network Interface Controller (NIC). ASF issues Platform Event Traps (PET) corresponding to system health and security issues. Since these traps are carried by the SNMP protocol, the managed system NIC must be configured with the IP address and community string of the management station running IT Assistant.

In summary, to successfully and securely manage desktops, laptops, and workstations per the security measures introduced in the paragraphs above, system administrators should adhere to the following best practices:

  • Ensure that the operating system is up-to-date with the most recent operating system security patches.

  • For ASF-capable desktops, either disable ASF or implement SNMP community names that cannot be easily guessed.


Securing Managed Server Systems

Securing the Managed System's Operating System

As with desktops and workstations, the first step in securing a server is to ensure that it is running with the most current service pack and appropriate critical hot fixes installed. Microsoft Software Update Services, mentioned in the previous section, also applies to Microsoft Windows® 2000 and Windows Server® 2003 servers. Similar services should be checked for Red Hat® Linux and SUSE® Linux Enterprise Server.

Choosing the Most Secure Managed System Server Protocol

Dell OpenManage Server Administrator, the current Dell server instrumentation software, uses the SNMP and CIM protocols, which can be configured during a custom install.

CIM Monitoring, DCOM, and Windows Authentication

The CIM protocol, which uses DCOM security, leverages Windows challenge/response (user name/password) authentication. In addition, communication with the managed system is established through the domain/user name/password accounts specified in each of the configured IT Assistant discovery ranges. The format for these accounts is <domain name>\<user name> or localhost\<user name>.

NOTE: WMI security can be changed with utilities such as dcomcnfg.exe, wmimgmt.msc, and wbemcntl. However, due to the potential for undesired side effects, implementing changes through these methods is not recommended. See the Microsoft website for more information.
NOTE: Even in environments that intend to use only CIM for monitoring, SNMP is typically enabled because Server Administrator only provides error notification using SNMP traps.

Security and the SNMP Protocol

There are several actions that can be taken to better secure environments using the SNMP protocol. Although the following samples refer to Microsoft Windows operating systems, similar steps can be performed for the Red Hat Enterprise Linux and SUSE Linux Enterprise Server operating systems. By default, when SNMP is installed, the community name is set to public. This character string should be treated like a password and similar rules should be used in its selection—a string of adequate length, not easily guessed, and preferably consisting of mixed letters and numbers. In Windows operating systems, the SNMP community name can be configured through the Security tab of the SNMP Service Properties dialog box.

As a secondary precaution, SNMP should also be set to Read Only to prevent unauthorized configuration and control actions. This can also be enforced by using the snmpsets=no option when installing Server Administrator. It would still be possible to make those changes through the user interface or Command Line Interface (CLI) of Server Administrator. In addition, it is also possible to configure the SNMP service to accept requests only from a particular server (in this case, the system running IT Assistant). This too can be configured on the Windows Security tab referenced previously by selecting the radio button labeled Accept SNMP packets from these hosts and then clicking Add to enter the IP address or name of the system running IT Assistant. See your operating system documentation for more details.

NOTE: To ensure that all the systems are properly configured, it is recommended that you use tools such as Group Policies in Active Directory to enforce these SNMP settings.

As a final security step, Server Administrator should be configured to deny access to user and possibly power user accounts, thereby limiting access to administrator accounts only. This can be done through the Server Administrator top navigation bar by selecting Preferences and then unchecking the User Access boxes.

NOTE: You can also limit user access using the Server Administrator CLI command omconfig preferences useraccess enable=admin.

See the Dell OpenManage Server Administrator Command Line Interface User's Guide on the Dell Support website at support.dell.com or on the documentation CD for more information.

In summary, to successfully and securely manage servers per the security measures introduced here, system administrators should adhere to the following best practices:

  • Ensure that the operating system is up-to-date with the most recent operating system security patches.

  • Implement SNMP community names that cannot be easily guessed.

  • Configure SNMP to be Read Only to limit configuration, update, and power control to Server Administrator only.

  • Configure SNMP to accept requests only from the IP address of the system running IT Assistant.

  • Use tools such as Group Policies in Active Directory to enforce the SNMP settings for all servers to be managed.

  • Configure Server Administrator to deny user level access.
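As an added example (not from the Dell guide), the following PowerShell audit checks a managed Windows server's SNMP service against the settings summarized above: no default or weak community names, no community above READ ONLY, and packets accepted only from the IT Assistant station. It assumes the standard SNMP service registry layout; $ItaStationIp is a placeholder for your management station's address.

```powershell
# Added example (not from the Dell guide): audit the Windows SNMP service
# against the recommendations above. Assumes the standard SNMP service
# registry layout; $ItaStationIp is a placeholder for your management station.
$ItaStationIp = '192.0.2.10'
$SnmpParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$MetaProps    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Permission values the SNMP service stores for each community name.
$Rights = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

function Test-SnmpHardening {
    param([string]$ManagerIp = $ItaStationIp)
    $findings = @()

    # 1. Community names: treated like passwords, and never above READ ONLY.
    $comm = Get-ItemProperty -Path "$SnmpParams\ValidCommunities" -ErrorAction SilentlyContinue
    if (-not $comm) {
        $findings += 'No SNMP community names defined (is the SNMP service installed?).'
    } else {
        foreach ($p in $comm.PSObject.Properties | Where-Object { $_.Name -notin $MetaProps }) {
            $name = $p.Name; $level = [int]$p.Value
            if ($name -in 'public', 'private') { $findings += "Default community name '$name' is still in use." }
            if ($name.Length -lt 8 -or $name -notmatch '\d' -or $name -notmatch '[A-Za-z]') {
                $findings += "Community '$name' is short or not mixed letters and digits."
            }
            if ($level -gt 4) { $findings += "Community '$name' has $($Rights[$level]) rights; set it to READ ONLY." }
        }
    }

    # 2. Permitted managers: only the IT Assistant station should be listed.
    $mgrs  = Get-ItemProperty -Path "$SnmpParams\PermittedManagers" -ErrorAction SilentlyContinue
    $hosts = @()
    if ($mgrs) {
        $hosts = @($mgrs.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object Value)
    }
    if ($hosts.Count -eq 0) {
        $findings += 'SNMP accepts packets from any host; restrict it to the IT Assistant station.'
    } else {
        foreach ($h in $hosts) {
            if ($h -ne $ManagerIp -and $h -ne 'localhost') { $findings += "Unexpected permitted SNMP manager: $h" }
        }
    }
    return $findings
}

$result = Test-SnmpHardening
if ($result.Count -eq 0) { 'SNMP configuration matches the recommendations.' } else { $result }
```

Run it from an elevated prompt on each managed server, or push it through Group Policy as a startup script to get the fleet-wide check the NOTE above recommends.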

Ensuring Database Security When Using IT Assistant

If no Microsoft SQL Server database is detected when IT Assistant is installed, the process installs a copy of SQL Server 2005 Express, which is set to an authentication mode of trusted or Windows only. However, other applications that may have previously installed MSDE or SQL Server, including previous versions of IT Assistant, frequently chose either an authentication mode of SQL or mixed mode, which allows SQL Server to manage its own user IDs and passwords. In the case of early versions of IT Assistant, the supervisor account password was set to either null or dell. At a minimum, decrease the exposure to a network break-in by changing these passwords to strings that correspond to the best practices mentioned previously. A better option is to change the database authentication mode to trusted or Windows only.


Running IT Assistant Behind a Firewall

Figure 10-1 illustrates a typical installation in which both IT Assistant and the systems being managed reside behind a firewall. The firewall denies passage to traffic on specified ports between the protected network and the rest of the world while still allowing an administrator to communicate freely with both IT Assistant and the managed system.

Typical security for the system running IT Assistant in an environment behind a firewall includes the following:

  • Use trusted accounts instead of named or mixed for the database.

  • Limit user interface connections to a known system.

Figure 10-1. Typical Installation Behind a Firewall


Setting Up Additional Security for IT Assistant Access

So far in this section, security has been addressed with respect to the existing TCP/IP connection between IT Assistant and the managed system. In addition to these security precautions, Microsoft Terminal Services, which in administrative mode allows remote connection only by users with administrator accounts, can also be used to limit user interface connections to a system running the IT Assistant user interface and Services. An example of a network which leverages Terminal Services is shown in Figure 10-2.

Figure 10-2. Using Terminal Services for Additional Security

In Figure 10-2, a user may connect to the IT Assistant management station through a locally installed Terminal Services client or Windows XP Remote Desktop connection. This connection requires a valid domain/user ID/password. See Microsoft's website for more information.

The additional level of security is derived by setting up restrictions on all managed systems to only accept SNMP traffic from the IP address of the system running the IT Assistant user interface ([UI] the network management station). Terminal Services and Remote Desktop sessions emulate traffic coming directly from the network management station; therefore, access to IT Assistant is restricted only to Terminal Services clients or a local network management station user. Any other connection, such as another remote IT Assistant UI installation, would be unable to effectively communicate with properly configured managed systems in the network since traffic identified as originating from a system other than the network management station would be refused.

NOTE: Terminal Services is an optional component of Microsoft Windows 2000 and Microsoft Windows Server 2003 that can be installed in either admin or application mode.
NOTE: When Terminal Services is installed in administrative mode, up to two users can log in as long as they are members of the administrators group. When Terminal Services is installed in application mode, non-administrator groups can log in and more than two sessions are supported. However, application mode installation has additional licensing implications. When installing IT Assistant on a system running Terminal Services in application mode, the installation must be performed locally and not through a terminal session.

Securing Ports for IT Assistant and Other Supported Dell OpenManage Applications

Securing port 2607 of the IT Assistant Services Tier and ports 1311, 623, 161, and 162 of the managed system can be done using IP Security (IPSec). To list the ports currently in use on your server, you can run the command netstat -an from a command prompt to show the status of all ports on your system. The results of this command should indicate that the IT Assistant management station accepts a connection on port 2607 only from the server hosting the IT Assistant UI (which would be connected through Terminal Services). Similarly, the managed systems should be configured to accept connections through ports 1311, 161, and 162 only from the management station.
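As an added example (not from the Dell guide), the following PowerShell parses netstat -an output and reports every listening port that is not in a baseline you supply, so that anything outside the ports named above can be restricted with IPSec or justified. The sample netstat lines are constructed, and the port baselines in the calls are taken from this section.

```powershell
# Added example (not from the Dell guide): flag listening ports outside an
# allowed baseline, using the `netstat -an` output this section refers to.
function Get-ListeningPort {
    param([string[]]$NetstatLines)
    $found = @(); $seen = @{}
    foreach ($line in $NetstatLines) {
        # netstat -an rows: "TCP local foreign STATE" or "UDP local *:*" (UDP has no state column).
        if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$') {
            $proto = $Matches[1]; $port = [int]$Matches[3]; $state = $Matches[4]
            if ($proto -eq 'TCP' -and $state -ne 'LISTENING') { continue }   # skip established/closing sockets
            $key = "$proto/$port"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                $found += [pscustomobject]@{ Protocol = $proto; Port = $port }
            }
        }
    }
    return @($found | Sort-Object Protocol, Port)
}

function Test-AllowedListener {
    param([string[]]$NetstatLines, [int[]]$AllowedPorts)
    foreach ($l in Get-ListeningPort $NetstatLines) {
        if ($l.Port -notin $AllowedPorts) {
            "Unexpected $($l.Protocol) listener on port $($l.Port): restrict it with IPSec or add it to the baseline."
        }
    }
}

# Constructed sample (not captured from a real system): a management station with
# the Services Tier on 2607, the SNMP trap receiver on 162, and an unrelated web server.
$Sample = @'
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2607           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:2607        192.0.2.20:49152       ESTABLISHED
  UDP    0.0.0.0:162            *:*
'@ -split "`r?`n"

# Management station baseline: the Services Tier port plus the SNMP trap port.
Test-AllowedListener -NetstatLines $Sample -AllowedPorts 2607, 162

# Live check on a managed system, using the ports named in this section:
# Test-AllowedListener -NetstatLines (netstat -an) -AllowedPorts 1311, 161, 162, 623
```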


Single Sign-On

The Single Sign-On option on Windows systems enables all logged-in users to bypass the login page and access IT Assistant by clicking the IT Assistant icon on the desktop. The desktop icon queries the registry to see if the Automatic Logon with current username and password option is enabled in Internet Explorer. If this option is enabled, then Single Sign-On is executed; otherwise, the normal login page will be displayed. NT LAN Manager (NTLM) authentication must not be disabled on the Windows network.

To enable the Automatic Logon with current username and password option, perform the following steps in Internet Explorer:

  1. Click Internet Options on the Tools menu.

  2. Click the Security tab.

  3. Select the security zone that the IT Assistant system falls within, that is, Trusted sites and click Custom Level.

  4. In the Security Settings dialog box, under User Authentication, select Automatic Logon with current username and password.

  5. Click OK twice, and restart Internet Explorer.

For local system access, you must have an account on the system with the correct privileges (User, Power User, or Administrator). Other users are authenticated against Microsoft Active Directory.

To launch IT Assistant using Single Sign-on authentication against Microsoft Active Directory, the following parameters must be set:

authType=ntlm&application=[ita]

For example:

https://localhost:2607/?authType=ntlm&application=ita

To launch IT Assistant using Single Sign-on authentication against the local system user accounts, the following parameters must be set:

authType=ntlm&application=[ita]&locallogin=true

For example:

https://localhost:2607/?authType=ntlm&application=ita&locallogin=true


Role-Based Access Security Management

IT Assistant provides security through role-based access control (RBAC), authentication, and encryption.

Role-Based Access Control

RBAC manages security by determining the operations that can be executed by persons in particular roles. Each user is assigned one or more roles, and each role is assigned one or more user privileges that are permitted to users in that role. With RBAC, security administration corresponds closely to an organization's structure.

User Privileges

IT Assistant grants different access rights based on the user's assigned group privileges. The three user levels are: User, Power User, and Administrator.

Users have read-only access to all IT Assistant information.

Power Users can create tasks for immediate execution. They cannot modify discovery configuration settings, modify alert management settings, or schedule or delete tasks.

Administrators can perform all IT Assistant tasks and functions.

Microsoft Windows Authentication

For supported Windows operating systems, IT Assistant authentication is based on the operating system's user authentication system using Windows NT® LAN Manager (NTLM) modules to authenticate. This underlying authentication system allows IT Assistant security to be incorporated in an overall security scheme for your network.


Assigning User Privileges

You do not have to assign user privileges to IT Assistant users before installing IT Assistant.

The following procedures provide step-by-step instructions for creating IT Assistant users and assigning user privileges for Windows operating systems:

NOTICE: You should disable guest accounts for supported Microsoft Windows operating systems in order to protect access to your critical system components. See "Disabling Guest and Anonymous Accounts" for instructions.

Creating IT Assistant Users for Supported Windows Operating Systems

NOTE: You must be logged in with Admin privileges to perform these procedures.

Creating Users and Assigning User Privileges for Supported Windows 2000 and Windows Server® 2003 Operating Systems

NOTE: For questions about creating users and assigning user group privileges or for more detailed instructions, see your operating system documentation.
  1. Click the Start button, right-click My Computer, and point to Manage.

  2. In the console tree, expand Local Users and Groups, and then click Users.

  3. Click Action, and then click New User.

  4. Type the appropriate information in the dialog box, select or clear the appropriate check boxes, and then click Create.

    You must assign a password to every user account that can access IT Assistant to protect access to your critical system components. Additionally, users who do not have an assigned password cannot log in to IT Assistant on a system running Windows Server 2003 due to operating system constraints.

NOTE: Do not use double or single quotes in passwords.
  5. In the console tree, under Local Users and Groups, click Groups.

  6. Click the group to which you want to add the new user: Users, Power Users, or Administrators.

  7. Click Action, and then click Properties.

  8. Click Add.

  9. Type the user name that you are adding and click Check Names to validate.

  10. Click OK.

New users can log in to IT Assistant with the user privileges for their assigned group.

Adding Users to a Domain

NOTE: For questions about creating users and assigning user group privileges or for more detailed instructions, see your operating system documentation.
NOTE: You must have Active Directory installed on your system to perform the following procedures.
  1. Click the Start button, and then point to Control Panel → Administrative Tools → Active Directory Users and Computers.

  2. In the console tree, right-click Users or right-click the container in which you want to add the new user, and then point to New → User.

  3. Type the appropriate user name information in the dialog box, and then click Next.

    You must assign a password to every user account that can access IT Assistant to protect access to your critical system components. Additionally, users who do not have an assigned password cannot log into IT Assistant on a system running Windows Server 2003 due to operating system constraints.

NOTE: Do not use double or single quotes in passwords.
  4. Click Next, and then click Finish.

  5. Double-click the icon representing the user you just created.

  6. Click the Member of tab.

  7. Click Add.

  8. Select the appropriate group and click Add.

  9. Click OK, and then click OK again.

New users can log in to IT Assistant with the user privileges for their assigned group and domain.


Disabling Guest and Anonymous Accounts

NOTE: You must be logged in with Administrator privileges to perform this procedure.
  1. If your system is running Windows Server 2003, click the Start button, right-click My Computer, and point to Manage. If your system is running Windows 2000, right-click My Computer and point to Manage.

  2. In the console tree, expand Local Users and Groups and click Users.

  3. Click the Guest or IUSR_<system name> user account.

  4. Click Action and point to Properties.

  5. Select Account is disabled and click OK.

A red circle with an X appears over the user name. The account is disabled.
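As an added example (not from the Dell guide), the following PowerShell is the scripted equivalent of two procedures in this section: "Creating Users and Assigning User Privileges for Supported Windows 2000 and Windows Server® 2003 Operating Systems" (local accounts, with the password rules the guide states) and "Disabling Guest and Anonymous Accounts". It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 or later), an elevated prompt, and local rather than domain accounts; the user name in the usage lines is a placeholder.

```powershell
# Added example (not from the Dell guide): local IT Assistant user creation,
# privilege lookup, and guest/anonymous account disabling. Assumes the
# Microsoft.PowerShell.LocalAccounts module and an elevated prompt.
function New-ItaUser {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][securestring]$Password,
        [ValidateSet('Users', 'Power Users', 'Administrators')][string]$Group = 'Users'
    )
    # The guide requires a password and forbids single or double quotes in it.
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    if ($plain.Length -eq 0)   { throw "A password is required for $Name." }
    if ($plain -match '["'']') { throw "Password for $Name must not contain quotes." }
    $user = New-LocalUser -Name $Name -Password $Password -Description 'IT Assistant operator'
    # Local group membership is what sets the IT Assistant privilege level.
    Add-LocalGroupMember -Group $Group -Member $Name
    return $user
}

function Get-ItaPrivilege {
    param([Parameter(Mandatory)][string]$Name)
    # Highest of the three IT Assistant roles the account holds, or 'None'.
    foreach ($g in 'Administrators', 'Power Users', 'Users') {
        $members = @(Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue)
        if ($members.Name -contains "$env:COMPUTERNAME\$Name") { return $g }
    }
    return 'None'
}

function Disable-GuestAccount {
    # Guest and the IIS anonymous account (IUSR_<system name>) must not be usable.
    $targets = @(Get-LocalUser | Where-Object {
        $_.Enabled -and ($_.Name -eq 'Guest' -or $_.Name -like 'IUSR_*')
    })
    foreach ($t in $targets) { Disable-LocalUser -Name $t.Name }
    return @($targets | ForEach-Object Name)   # names that were just disabled
}

# Usage (the user name is a placeholder):
# New-ItaUser -Name 'ita-operator' -Password (Read-Host 'Password' -AsSecureString) -Group 'Power Users'
# Get-ItaPrivilege -Name 'ita-operator'
# Disable-GuestAccount
```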

