Jump to content

AD integration


JeffVandervoort
 Share

Recommended Posts

I'm a big believer in principle of least permissions. AD includes several built-in levels of administrative permissions, and allows creation of many more through Delegation and Group Policy.

PC Monitor makes every user an uber-admin, because it runs as LocalSystem, one of the most powerful accounts in a system.

I'm a one-man shop at this point, but hope for big growth when I'm in production. There will come a time, possibly fairly soon, where I will no longer be able to use PC Monitor because it does not allow me to properly secure the system.

I'd like for PCM to impersonate users, and use AD to determine what they are permitted to do, which servers they're permitted to control, etc.

This is a non-trivial request, and I'm sure it will take a while to get done. Hope PCM gets there by the time I need it!

(Now, watch Marius respond, "That will be in version 3.0, next week.")

Link to comment
Share on other sites

  • Administrators

Can you please detail on "PC Monitor because it does not allow me to properly secure the system." and "PC Monitor makes every user an uber-admin"???

If a service runs as LocalSystem, does that makes every user an admin and stops you from "securing" the system? It's important to clarify this here as you are probably talking about a PC Monitor user and not a computer user.

PC Monitor allows you to authorize devices on the account and it will reject commands from devices that are not authorized - making them read-only.

As well, for Enterprise Server PC Monitor has Associated Accounts that allows you to "share" computers between accounts and set rights to read only / full access.

In your case you only have one user - and if you decide to "share" your account username/password with other users/devices then it is you that "makes every user an uber-admin". Even in this case you can use device authorization to make the other devices read only.

Link to comment
Share on other sites

"if you decide to "share" your account username/password with other users/devices then it is you that "makes every user an uber-admin"."

Exactly, Marius. You've just crystalized the problem. That's why I'd have to stop using it.

Because all PCM devices share one username & password, and the same (very elevated) privelege level.

PCM users are admins, but systems of any size restrict admins to permissions that apply to their specialties, and nothing more.

When my future (say) Exchange admin logs on and opens EMC, they can do whatever AD authorizes them to do, which will be pretty much everything Exchange-related. But as little as possible that isn't Exchange-related. The Exchange admin's responsibility probably won't include shutting down DCs or file servers, because that's someone else's responsibility. From RDP or console, they can't do anything I haven't authorized. From PCM, they can do whatever PCM can do, anywhere in the system on which they have an authorized device; even if that authorization SHOULD be limited.

But if I give them PC Monitor to help them manage Exchange, they can remotely shut down DCs or file servers or RDSH's--because LocalSystem can. Or run scheduled tasks, or open priveleged console sessions, and whatever capabilities you add going forward, and on any of them that they have access to through PCM.

And that granularity may or may not take place on the computer level. A single computer can have multiple roles administered by different personnel. AD can keep them separate. PCM can't.

With AD, they'd enter their user creds, not PCM creds. Device auth is then separated from user auth, as it is in every modern OS. And when an admins account is terminated, or permissions changed, the admins PCM access changes with it, automatically.

And there's no device auth at all for Dashboard. I'd have to personally enter credentials for all Dashboard and mobile installs in order to prevent Dashboard from being used to get around device auth. And my only recourse upon terminating an admin or discovering a security breach, would be to issue new creds on the service itself, and all PCM Dashboards, mobile devices, and Manager installs. One at a time. Yuck.

Finally, there's no "read-only" in PCM, unless I've missed it. A device either has all access or no access. Going back to my future Exchange admin, they might not be allowed to manage DCs, but they might very well want to know if they're up or posting errors. A "read-only" device account would permit that, and would be a good interim enhancement.

My inclination would be to give all admins "read-only" access to all servers, if only because if the right admin isn't watching, someone else might be, and could give them a heads-up. But, again, an AD login would make sure it happens automatically, instead of splitting off PCM settings as something different.

Some businesses may not care, and some admins may never realize PCM is giving admins LocalSystem permissions. But my business, when it reaches critical mass, after pilot, will absolutely require AD auth for admins, in order to meet its committments to its customers.

You'd certainly not be the only 3rd party to offer AD auth to augment or (usually) replace their own built-in auth. Symantec Endpoint Protection, Raritan KVMs, Cisco & OpenManage come to mind; there's certainly many others. Including, obviously, every MS server technology. What these products have in common: An acknowledgement that AD works awfully well to provide granular security for admins, and that these products can all be misused if the wrong admins (or ex-admins) have access to them.

Right now, PCM lacks that, and I'm hoping you can change that by the time I need it, because I'd really like to keep using it.

Link to comment
Share on other sites

Another scenario:

A Win 6.x file server has UAC enabled, and a shared folder has an ACL as follows:

Administrators: Full

SYSTEM: Full

DOMAIN\SomeGroup: Modify

Sysadmins are members of Local Administrators, but are NOT members of DOMAIN\SomeGroup. This is intentional. In this scenario, in order to access the folder, an admin either has to make himself a member of DOMAIN\SomeGroup, or by clicking "Click continue to gain access" when prompted. Either is an auditable security event, and Microsoft provided this functionality in UAC to protect against rogue admins.

If it becomes necessary for an admin to have access to this data in the scope of his duties, that's fine. If he has no business being in that folder, he's warned, or terminated, and possibly prosecuted.

PC Monitor Service, however, because it runs as LocalSystem, can make that sensitive data available via e-mail to any PCM user who wants it, provided that file browsing is enabled.

Remote file browsing can be very useful to admins if they're browsing folders they are responsible for maintaining, so one would want to enable it. But PC Monitor file browser makes an end-run around ACLs, and provides access to all folders on the system.

You can warn people not to enable file browsing on servers containing sensitive data all you want. But there is a security axiom that states that ALL data is sensitive when the wrong person has access to it.

And servers are dynamic. Let's say this is that one-and-only server in the world that is so free of sensitive data you could publish its shares on anonymous FTP. So file browsing is enabled on PCM. That PCM setting is going to be long forgotten when an admin sets an ACL that he believes will protect data from falling into the wrong hands when sensitive data is finally placed on it.

Again: An AD-authenticated session handles this situation automatically. The admin would have remote access to whatever they needed to do their job--and nothing beyond.

Link to comment
Share on other sites

  • Administrators

Using device authorization you can restrict certain devices from sending commands to the computers - and this applies to file browsing, terminal and screen viewing too - if a device is not authorized it won't be able to access these features. Please try it first.

Multi-user scenarios are handled by the "Associated Account" feature in the Enterprise Server - you would typically use one (or more) monitoring accounts to set up the PC Monitor on the computers then create user accounts and "share" various computers to these users as full access or read only.

Link to comment
Share on other sites

  • Administrators
Finally, there's no "read-only" in PCM, unless I've missed it. A device either has all access or no access.

There is, you can share a computer with another account in read-only mode as Marius stated in his first reply.

PCM users are admins, but systems of any size restrict admins to permissions that apply to their specialties, and nothing more.

This can be fixed with an Enterprise Server which gives you access to account management. Consider this scenario you have 3 servers all under the same uber-admin account. From that account you create a share with your account with full-access and the other two read-only access in order to get notifications. The other admins can get full access on their servers too.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...