locking the doors, securing the appliances

Dell World 2014

Locking the Doors, Securing the Appliances

Bryan Brooks - Customer Success, and Kevin Gehrke – Technical Support

November 06, 2014

Dell World User Forum



Overview of K1000 Services, Ports, and Protocols

• Primary communications are HTTPS traffic

• Select optional protocols wisely and only when needed

• Arrows indicate direction to open the port on any firewalls


Inside the Intranet

• Safest approach to deployment

• Consider keeping appliance service ports restricted to the data center

• Window for collecting inventory and deploying digital assets, including patching, is restricted to when users are present on network


Within the DMZ

• Use this deployment when serving highly mobile users

• Be more diligent when opening service ports

• Consider alternate methods if database access is desired


Securing Web Traffic: Securing Web Protocols

• Use SSL, regardless of deployment choices

• Complete SSL configuration before deploying agents

• Up to 2048-bit encryption is supported

• Enable SSH during configuration in the event assistance from Dell KACE Technical Support is needed

• Use a certificate from a vendor in the trusted certificate vendor list or your organization’s Root CA certificate


Controlling Access with Access Control Lists

• Restricts access to the UserUI, AdminUI, and SystemUI to certain ranges in the network

• Restrict access to the AdminUI and SystemUI to the LAN environment where administrators will administer the K1000


Securing the Agent

• Open ports 443 and 52230 outbound on any local firewall

• SSL is enabled on AMP by default when SSL is configured on the server

• Use SSL for the agent as well as the UIs

• Restrict LocalSystem administrator rights on your endpoints


Securing Replication Shares

• Ensure write access to replication shares is restricted

• Configure a Destination User and Password for the replication share that is not used for other purposes

• A Destination User and Password does not need to be set if the Replication Device is also the host for the replication share

• Ensure that the Read-Only Download User and Password are not used for other purposes and are unique from the Destination User and Password


Replication Share Data Flow

• Deployment Choices

• HTTP vs file transfer

• Replication Device on replication share vs. Replication Device remote from replication share


Configuring a Proxy for Web Feeds

• Reference KB article 118543 for patch download URLs

• For geographically load-balanced services, use Classless Inter-Domain Routing (CIDR) blocks for whitelisting


Securing Database Access

• Use the onboard reporting engine to access the database

• If external database access is desired, configure the connection to use SSL

• Set the read-only passwords to each org’s database to a strong value

• If a DMZ deployment is desired, consider using a secondary K1000 for reporting purposes with a periodic restore from the nightly backup of the production K1000.

• Port 3306 inbound must be opened on any firewall between the machine with the external reporting tool and the K1000


Utilizing History for Audit and Change Control

• Set tracking and retention policies for K1000 Settings, Assets, and Objects based on what you are using and your local risk assessments

• Match your retention policies to your audit processes so that you don’t burden the K1000 database with old records you’ve already reviewed


Configuring User Authentication with LDAP

• Use LDAP authentication whenever possible to leverage enterprise password change policies

• LDAP configurations can be different for each org

• Set a strong password for the default admin account and use it only for recovery purposes

• Define a default access role with minimum privileges to be assigned to authenticated users on import

• Manually assign roles with elevated privileges to only those users that require them

• If using Active Directory, you may consider applying SSO with Windows credentials. Only one org may use SSO


Defining Authorizations with User Roles

Role | Purpose | Read | Write | Hidden

IT Admin: Supports systems management but cannot configure the K1000

Home->Label, Asset, Inventory, Distribution, Scripting, Home->Search, Scripting, Security, Reporting, Service Desk, Settings

Help Desk Admin: Supports configuration of the K1000 service desk

Asset, Inventory, Home, Service Desk, Reporting, Distribution, Scripting, Security, Settings

Asset Manager: Supports configuration of asset types and their asset data

Inventory, Home, Asset, Reporting, Distribution, Scripting, Security, Service Desk, Settings

Reviewer: Reviews system updates and activity but does not update (e.g. auditor)

Reporting, Settings->History, Settings->Logs, Assets, Inventory, Distribution, Scripting, Security, Service Desk

• Use the pre-defined Admin role to authorize only those users who will function as K1000 system administrators

• Use the pre-defined User role to authorize users who will be accessing the User UI for self-service

• Define specialized roles for users who have responsibility to view or update only certain aspects of the K1000

• Define specialized roles for any administrators who will use K1000 admin features but will not act as K1000 system administrators

• Import user attributes from LDAP to more effectively manage role assignments, create user labels, and assign asset ownership


Securing Backups

• Enable the Secure Backup Files option to prevent backup files from being downloaded via HTTP/S without authentication

• Use FTP to retrieve backups to external storage on a nightly basis in accordance with your defined backup schedule

• Set the FTP password in accordance with your password policies. You should use a new password created solely for this purpose rather than reusing a common FTP service password

• You should know explicitly where your last good backup is located and secure access to that backup

• Only enable Make FTP Writeable when you need to conduct a restore to your K1000 AND your backup files exceed 2 gigabytes. Once the restore is complete, disable this setting.

• Evaluate your history retention policies and make adjustments to reduce the size of your backup files if necessary.


Securing Agent Provisioning

• Enable the onboard SAMBA share only when you need to transfer files to or from the K1000 (e.g. if you will be using K1000 agent provisioning)

• Consider using GPO scripts or any other existing distribution mechanism to deploy the agent

• KB Article 133776 describes the GPO Provisioning Tool

• If using K1000 agent provisioning, consider transferring the agent installation files to an established network share in your environment and configuring an alternate location within K1000 agent provisioning

• When possible, provision agents using DNS hostname to ensure the appropriate endpoints are being configured with the agent


Securing Inbound Email

• Use an alternate email address defined in your existing email services, which will be mapped to the K1000 service desk queue

• Accept email on the service desk queue only from users that have been configured within the K1000 as users of the appliance

• If possible, locate the K1000 and an MTA for your existing email services within the same subnet and with MX records in DNS defined to exchange SMTP messages between your MTA and the K1000

• If encryption of email is desired, use the SPOP3 protocol for retrieving inbound email from your existing email services


Securing Outbound Email

• Consider configuring an SMTP server within your existing email services to receive outbound mail from the K1000

• If possible, locate this external SMTP server in the same LAN as the K1000

• Configure an email alias for your K1000 system administrators that will receive daily status emails from the K1000 including notifications of any security breaches


Configuring Appliance Service Protocols

• When enabling SNMP Monitoring of the K1000, configure an SNMP community string that is specific to your environment rather than using the default ‘public’ string

• There is no provision within the K1000 for configuring SNMP traps to be sent to your SNMP monitoring tool. Therefore, you can only scan the K1000 periodically for SNMP information

• If you enable SNMP monitoring, open port 161 outbound on any firewall that must be traversed

• Only enable SSH when engaging with Dell KACE Technical Support or when planning periodic maintenance of your K1000. Disable it when done.
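
The port guidance spread across the agent, database access, SNMP and SSH slides can be checked against a firewall rule export. The Python script below is an added example, not Dell KACE code; the rule-line format, every address, and the use of 22/tcp for SSH are assumptions made for illustration.

```python
import ipaddress

K1000 = "10.0.5.10"  # placeholder appliance address
# (proto, port) -> (service, source networks allowed to reach the K1000).
# Ports come from the slides; every address here is a placeholder.
POLICY = {
    ("tcp", 443):   ("HTTPS for UIs and agents", ["10.0.0.0/8"]),
    ("tcp", 52230): ("agent traffic",            ["10.0.0.0/8"]),
    ("tcp", 3306):  ("external reporting tool",  ["10.0.9.21/32"]),
    ("udp", 161):   ("SNMP polling",             ["10.0.9.30/32"]),
}
SUPPORT_ONLY = {("tcp", 22)}  # SSH; port 22 is an assumption
REQUIRED = [("tcp", 443), ("tcp", 52230)]  # agents need both to check in

def parse(line):
    """Parse 'permit <proto> <src-cidr> <dst-ip> <port>' (hypothetical format)."""
    action, proto, src, dst, port = line.split()
    return action, proto, ipaddress.ip_network(src), dst, int(port)

def audit(rule_lines):
    """Return findings for permit rules that expose the K1000 beyond POLICY."""
    findings, seen = [], set()
    for line in rule_lines:
        action, proto, src, dst, port = parse(line)
        if action != "permit" or dst != K1000:
            continue
        key = (proto, port)
        seen.add(key)
        if key in SUPPORT_ONLY:
            findings.append(f"{port}/{proto}: SSH left open; enable only for support or maintenance")
        elif key not in POLICY:
            findings.append(f"{port}/{proto}: service not in policy")
        else:
            service, allowed = POLICY[key]
            nets = [ipaddress.ip_network(n) for n in allowed]
            if not any(src.subnet_of(n) for n in nets):
                findings.append(f"{port}/{proto}: {src} is wider than allowed for {service}")
    for proto, port in REQUIRED:
        if (proto, port) not in seen:
            findings.append(f"{port}/{proto}: no rule found; agents cannot check in")
    return findings

SAMPLE_RULES = [  # constructed sample input
    "permit tcp 10.0.0.0/8 10.0.5.10 443",
    "permit tcp 0.0.0.0/0 10.0.5.10 3306",
    "permit tcp 10.0.9.0/24 10.0.5.10 22",
    "permit udp 10.0.9.30/32 10.0.5.10 161",
]
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES)))
```

On the sample rules this reports the database port open to any source, the standing SSH rule, and the missing rule for port 52230.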


Securing the Console

• Ensure that access to the K1000 console is restricted to K1000 system administrators only

• If a remote access technology is being used (e.g. DRAC, vSphere console, KVM), ensure access to the K1000 console is protected with a strong password


Security Improvements in K1000 6.2 / 6.3

https://software.dell.com/docs/kace-k1000-systems-management-appliance-best-practices-for-a-secure-k1000-deployment-technicalbrief-15417.pdf

• Opt-in subscription service for receiving alerts and notifications from Dell KACE Technical Support

• Introduction of Group Policy Object Agent Provisioning Tool

• Application of recommendations from third-party security audit and assessment:

• Hardening against cross-site scripting, request forgery, and SQL injection

• Improvements in Apache configuration

• Upgrades to component software

• Harden K1000 against NIST Security Technical Implementation Guidelines (STIG) for Unix/FreeBSD, Apache, and MySQL


Resources

https://software.dell.com/docs/kace-k1000-systems-management-appliance-best-practices-for-a-secure-k1000-deployment-technicalbrief-15417.pdf


Thank you.


Overview of K2000 Services, Ports, and Protocols


Recommended Deployment for the K2000