Server Management (Insight Manager 7)

how to harden login on managed system home page ?

Pagnotta
Frequent Advisor

how to harden login on managed system home page ?

Dear All,

Can anyone tell me why the login on the managed system home page is only protected by a username and password? I was expecting to be able to set up SSL client authentication, I mean authorise login only for clients providing a trusted certificate (the administrators' workstations with a trusted certificate, for example).

Thanks for your help

Angelo
7 REPLIES
David Claypool
Honored Contributor

Re: how to harden login on managed system home page ?

I'm not sure I follow your question. First, what is the agent version and the OS you are running?

The Windows and Linux management agents ("systems management home page") use SSL security with a self-signed certificate. When you connect to the agent it presents that certificate for you to continue or install it as a trusted certificate. You must then log in with a password that has been configured at installation as part of the ProLiant Support Pack. There are three valid users: administrator, operator and user, and the level of access for each can be specified in a .ini file.

The agents can also be configured with a trust relationship such as trust by name or trust by certificate, for use when being contacted through an application such as IM7 or HP SIM. This is used when launching a web agent interactively from IM7/HP SIM or when a transaction (e.g. software update) is performed.

There is no way to configure a trust to an interactive browser session to avoid having to log in.
Pagnotta
Frequent Advisor

Re: how to harden login on managed system home page ?

Hi,

Yes, sorry for not mentioning the OS I'm running.

It's Windows Server 2003 SE for the CMS (I installed Insight Manager 7) and our managed servers are Windows 2000 and 2003.

For me the agents are running on the managed servers and to access them I use this kind of URL:

https://managed_server:2381
(which brings me to a page with an access to a lot of info about the system hardware and more)

Now my problem is that I can access this page without providing any SSL certificate, I mean I can access the page from a workstation (without certificate) with a basic user account (without any rights in Insight). The only thing I have to provide is the username/password defined at installation time. For this operation I was expecting to be forced to use a certificate... why not? I know that this certificate is necessary to push "drivers" or "PSP" to the managed systems through the STE (Secure Task Execution) process... why not in the former?

Moreover, the web page discussed above is reachable without the HP Web Agent service running on the managed server. I was expecting this web agent to be the web server (responding to https requests)... what is its role?

Best Regards
Angelo
Darrin Rawls
Respected Contributor

Re: how to harden login on managed system home page ?

Yes and no. When using IM7 or HPSIM, it uses the certificate to do single sign-on to the agents so that you don't have to log in and remember the login accounts/passwords and such.

For base functionality of the agent, the certificate is used for interaction with IM7/HPSIM and the username/password specified at login is what gets you into the system. Coming in about the January timeframe, the agents will convert to using OS-based authentication rather than those accounts.

In addition, you can set up the agents to require "2 way trust" for certs, but that doesn't affect the login directly into "2381" - only interaction with IM7/HPSIM.
Darrin Rawls
Respected Contributor

Re: how to harden login on managed system home page ?

One thing I left out is that the Web Agent bundles the "2381 web svr" in it, as does other web-enabled software (like Version Control Agent, Survey, etc.). If any of those web-enabled software pieces are running, then 2381 will be 'enabled.'

Hope that helps.
Pagnotta
Frequent Advisor

Re: how to harden login on managed system home page ?

As far as I understand, this means that a web server is enabled on all our servers where the insight agents are installed (through PSP).

Therefore, everyone is able to access the login page; the only step before being able to interact with the server is the username/password.

Can you tell me a few more things? What kind of bad things can be done through the web console: reboot, stop some hardware, reset the array?

And then, is there a way to strengthen the access to this page? Restrict by IP? And so on...

And finally, what is the role of the HP Web Agent service on my Windows servers? I noticed that when it is disabled, little data, if any, is available through the web console (I mean 2381), but server states and info are retrieved by the CMS: through SNMP? Through WMI? Through WBEM? What data (state, hardware, software) is retrieved by SNMP, and what is got by WMI or WBEM?

Best Regards

PS: to tell you the truth, I'm a little bit afraid to keep a web console open on all my servers...
Darrin Rawls
Respected Contributor

Re: how to harden login on managed system home page ?

AFTER logging in successfully, in theory, you can reboot the server or change the SNMP settings. I think that is probably the worst thing you could do. The ACU program, which is used to configure RAIDs and such, is not a service, so it isn't running all the time.

YES! You can lock down the ability to log into the system by IP address, do IP binding to only certain NICs, etc. Rolling forward, it will be OS authentication only, so that will be another level of protection. All web connections are done via SSL.

Yes, the web agent is the "GUI" portion to the SNMP data; if that service is not running, then you won't get the "data boxes" filled out. You will still be able to get device status and data collection from IM7/HPSIM via SNMP though. Events will still be sent to the mgmt console provided you set up trap destinations.

Today, HPSIM (not IM7) can get generic WMI data from the OS; however, the agents today rely on SNMP. In the future, that will probably change.

One thing that is probably not widely known is that we do a significant amount of security testing internally, PLUS we go to outside vendors from the "ethical hacking" community for validation of our web agents for security. For servers within the Intranet, you should feel comfortable running the agents.

For servers in the DMZ, we have a white paper in the Information Library of HPSIM, http://www.hp.com/go/hpsim/, that talks about how to manage those servers adequately from HPSIM.

Hope this helps.
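Darrin's reply above says every managed server with the agents installed serves the 2381 login page over SSL with a self-signed certificate, and that access can be locked down by IP address. An added inventory check a defender could run from an administrator workstation (example code written for this page, not part of the thread or of HP's tooling): it probes each managed server's 2381 port, records the SHA-256 fingerprint of the certificate presented, and compares it with the fingerprint pinned when that agent certificate was installed as trusted, so servers that unexpectedly expose the login page, or present a different certificate, stand out. Host names and pinned values are placeholders.

```python
"""Inventory check for the Systems Management Homepage port (2381).

Added example for this thread, not HP tooling: probe each managed server,
record the SHA-256 fingerprint of the TLS certificate it presents, and compare
it with the fingerprint pinned when that agent certificate was first trusted.
"""
import hashlib
import socket
import ssl

AGENT_PORT = 2381  # port in the thread's https://managed_server:2381 URL


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def probe_agent(host: str, port: int = AGENT_PORT, timeout: float = 3.0):
    """Fingerprint of the cert presented on host:port; None if the port is
    closed or filtered, or if no TLS handshake completes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # record the self-signed cert, do not trust it
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # old agents may lack TLS 1.2
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None
    return cert_fingerprint(der) if der else None


def audit(observed: dict, pinned: dict) -> dict:
    """observed: host -> probe_agent result; pinned: host -> fingerprint taken
    when the agent cert was installed as trusted (hosts absent from `pinned`
    are not supposed to expose 2381 at all)."""
    findings = {"ok": [], "mismatch": [], "unexpected_exposure": [], "unreachable": []}
    for host, fp in observed.items():
        if fp is None:
            findings["unreachable"].append(host)
        elif host not in pinned:
            findings["unexpected_exposure"].append(host)
        elif fp != pinned[host]:
            findings["mismatch"].append(host)  # reinstalled agent, or not the agent
        else:
            findings["ok"].append(host)
    return findings
```

Run it as `audit({h: probe_agent(h) for h in hosts}, pinned)` with the CMS host list as `hosts` and the fingerprints recorded at agent install time as `pinned`. Servers listed under `unexpected_exposure` are the ones where the IP restriction or NIC binding Darrin mentions has not been applied.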
Pagnotta
Frequent Advisor

Re: how to harden login on managed system home page ?

OK, I'm gonna look at your doc for DMZ implementation and perhaps look for the new product.

Thanks a lot

Angelo