Dell World 2014
Locking the Doors, Securing the Appliances
Bryan Brooks (Customer Success) and Kevin Gehrke (Technical Support), November 6, 2014
Dell World User Forum
Overview of K1000 Services, Ports, and Protocols
• Primary communications are HTTPS traffic
• Select optional protocols wisely and only when needed
• Arrows in the port diagram (not reproduced here) indicate the direction in which to open each port on any firewalls
Inside the Intranet
• Safest approach to deployment
• Consider keeping appliance service ports restricted to the data center
• The window for collecting inventory and deploying digital assets, including patching, is restricted to when users are present on the network
Within the DMZ
• Use this deployment when serving highly mobile users
• Be more diligent when opening service ports
• Consider alternate methods if database access is desired
Securing Web Traffic: Securing Web Protocols
• Use SSL/TLS regardless of deployment choices
• Complete the SSL/TLS configuration before deploying agents, so that agents are provisioned against the HTTPS endpoint from the start
• Server certificates with RSA keys of up to 2048 bits are supported (the 2048 bits are the key size, not the strength of the session cipher)
• Enable SSH only while it is needed, for example when assistance from Dell KACE Technical Support is required during configuration, and disable it afterwards
• Use a certificate from a vendor in the trusted certificate vendor list, or one issued by your organization's Root CA
Controlling Access with Access Control Lists
• ACLs restrict access to the UserUI, AdminUI, and SystemUI to certain address ranges in the network
• Restrict access to the AdminUI and SystemUI to the LAN segment from which administrators will administer the K1000
Securing the Agent
• Open ports 443 and 52230 outbound from the endpoint on any local firewall
• SSL is enabled on AMP by default when SSL is configured on the server
• Use SSL for the agent as well as for the UIs
• Restrict local administrator rights on your endpoints: the agent runs as LocalSystem, and a local administrator can stop or modify it
Securing Replication Shares
• Ensure write access to replication shares is restricted
• Configure a Destination User and Password for the replication share that is not used for other purposes
• A Destination User and Password does not need to be set if the Replication Device is also the host for the replication share
• Ensure that the Read-Only Download User and Password are not used for other purposes and are distinct from the Destination User and Password
Replication Share Data Flow
• Deployment choices:
  • HTTP vs. file transfer
  • Replication Device on the replication share host vs. Replication Device remote from the replication share
Configuring a Proxy for Web Feeds
• Reference KB article 118543 for the patch download URLs
• For geographically load-balanced services, whitelist by Classless Inter-Domain Routing (CIDR) block rather than by individual address, because the address a feed hostname resolves to changes between requests
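The ACL slide above and this proxy whitelist both come down to one check: is a source (or resolved) address inside an allowed set of CIDR blocks. The following is an added example, not code from the deck or from the K1000 itself; the UI names match the slides, but the address ranges, the rule structure and the audit thresholds are constructed for illustration (the real ACL is typed into the appliance's web UI). It shows why a /32 entry breaks for a load-balanced feed while the provider's block does not, and flags admin-UI rules that are wider than a single LAN.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed per-UI ACL: which CIDR blocks may reach each K1000 interface.
UI_ACL: Dict[str, List[str]] = {
    "UserUI":   ["10.0.0.0/8", "192.168.0.0/16"],   # any corporate client
    "AdminUI":  ["10.10.5.0/24"],                   # administrators' LAN only
    "SystemUI": ["10.10.5.0/24"],
}

# Constructed proxy whitelist for the patch/web feeds. 203.0.113.0/24 is a
# documentation range, not Dell's real feed address space.
FEED_WHITELIST_SINGLE_IP = ["203.0.113.10/32"]   # the one address DNS returned today
FEED_WHITELIST_CIDR = ["203.0.113.0/24"]         # the provider's whole block


def _networks(cidrs: Iterable[str]):
    # strict=False accepts "10.10.5.7/24" and normalises it to 10.10.5.0/24
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ui_allowed(ui: str, src_ip: str, acl: Dict[str, List[str]] = UI_ACL) -> bool:
    """True if src_ip may reach the named UI; unknown UI names are denied."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in _networks(acl.get(ui, [])))


def feed_allowed(resolved_ip: str, whitelist: List[str]) -> bool:
    """True if the address a feed hostname resolved to is on the whitelist."""
    addr = ipaddress.ip_address(resolved_ip)
    return any(addr in net for net in _networks(whitelist))


def audit_acl(acl: Dict[str, List[str]]) -> List[str]:
    """Flag entries a reviewer would question before the ACL goes live."""
    findings: List[str] = []
    for ui, cidrs in acl.items():
        for net in _networks(cidrs):
            if net.prefixlen == 0:
                findings.append(f"{ui}: {net} allows every address")
            elif ui in ("AdminUI", "SystemUI") and net.prefixlen < 24:
                findings.append(f"{ui}: {net} is wider than a single /24 admin LAN")
    return findings


if __name__ == "__main__":
    print(ui_allowed("AdminUI", "10.10.5.20"), ui_allowed("AdminUI", "10.20.1.5"))
    # A load-balanced feed that answers from a neighbouring address today:
    print(feed_allowed("203.0.113.11", FEED_WHITELIST_SINGLE_IP),
          feed_allowed("203.0.113.11", FEED_WHITELIST_CIDR))
    print(audit_acl({"AdminUI": ["0.0.0.0/0"], "UserUI": ["10.0.0.0/8"]}))
```

The audit deliberately treats a wide UserUI range as acceptable and a wide AdminUI or SystemUI range as a finding, which is exactly the split the ACL slide asks for.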
Securing Database Access
• Use the onboard reporting engine to access the database
• If external database access is desired, configure the connection to use SSL
• Set the read-only password for each org's database to a strong value
• If a DMZ deployment is desired, consider using a secondary K1000 for reporting purposes with a periodic restore from the nightly backup of the production K1000
• Port 3306 inbound must be opened on any firewall between the machine with the external reporting tool and the K1000; limit that rule to the address of the reporting machine rather than opening 3306 to the whole network
Utilizing History for Audit and Change Control
• Set tracking and retention policies for K1000 Settings, Assets, and Objects based on what you are using and your local risk assessments
• Match your retention policies to your audit processes so that you don't burden the K1000 database with old records you've already reviewed
Configuring User Authentication with LDAP
• Use LDAP authentication whenever possible to leverage enterprise password change policies
• LDAP configurations can be different for each org
• Set a strong password for the default admin account and use it only for recovery purposes
• Define a default access role with minimum privileges to be assigned to authenticated users on import
• Manually assign roles with elevated privileges to only those users that require them
• If using Active Directory, you may consider applying SSO with Windows credentials; only one org may use SSO
Defining Authorizations with User Roles

| Role | Purpose | Read | Write | Hidden |
|---|---|---|---|---|
| IT Admin | Supports systems management but cannot configure the K1000 | Home->Label, Asset | Inventory, Distribution, Scripting | Home->Search, Security, Reporting, Service Desk, Settings |
| Help Desk Admin | Supports configuration of the K1000 service desk | Asset, Inventory, Home | Service Desk, Reporting | Distribution, Scripting, Security, Settings |
| Asset Manager | Supports configuration of asset types and their asset data | Inventory, Home | Asset, Reporting | Distribution, Scripting, Security, Service Desk, Settings |
| Reviewer | Reviews system updates and activity but does not update (e.g. auditor) | Reporting, Settings->History, Settings->Logs, Assets, Inventory | (none) | Distribution, Scripting, Security, Service Desk |

• Use the pre-defined Admin role to authorize only those users who will function as K1000 system administrators
• Use the pre-defined User role to authorize users who will be accessing the User UI for self-service
• Define specialized roles for users who have responsibility to view or update only certain aspects of the K1000
• Define specialized roles for any administrators who will use K1000 admin features but will not act as K1000 system administrators
• Import user attributes from LDAP to more effectively manage role assignments, create user labels, and assign asset ownership
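The LDAP slide says imported users get a minimum-privilege default role and elevated roles are assigned by hand; the role table above names the specialized roles. The example below is added here and is not the K1000's import logic or any Dell code: it decides the role a directory entry should receive at import time from its group membership, never hands out Admin, and produces review notes for the cases an administrator has to settle manually. The group DNs, the userAccountControl handling and the sample entries are all constructed assumptions.

```python
from typing import Dict, List, Tuple

DEFAULT_ROLE = "User"                  # least-privilege role every imported user gets
NEVER_ASSIGNED_ON_IMPORT = {"Admin"}   # K1000 system administrator: hand-assigned only
ACCOUNTDISABLE = 0x2                   # userAccountControl bit for a disabled AD account

# Constructed mapping from LDAP group DN (lower-cased) to K1000 role.
# Groups not listed here confer nothing; the user keeps DEFAULT_ROLE.
GROUP_TO_ROLE: Dict[str, str] = {
    "cn=kace-it,ou=groups,dc=example,dc=com": "IT Admin",
    "cn=kace-helpdesk,ou=groups,dc=example,dc=com": "Help Desk Admin",
    "cn=kace-assets,ou=groups,dc=example,dc=com": "Asset Manager",
    "cn=kace-audit,ou=groups,dc=example,dc=com": "Reviewer",
}
# Membership here only produces a review note; it never grants Admin by itself.
ADMIN_CANDIDATE_GROUPS = {"cn=kace-sysadmins,ou=groups,dc=example,dc=com"}


def role_on_import(entry: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Decide the role one LDAP entry receives at import time.

    entry maps attribute name -> list of values, as an LDAP search returns it.
    Returns (role, notes); notes are items for the administrator to review.
    """
    groups = {g.lower() for g in entry.get("memberOf", [])}
    matched = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    notes: List[str] = []

    if len(matched) == 1:
        role = matched[0]
    else:
        # No mapped group, or more than one: fall back to least privilege and,
        # in the ambiguous case, say so instead of silently picking one.
        role = DEFAULT_ROLE
        if len(matched) > 1:
            notes.append(f"in several role groups {matched}; assigned {DEFAULT_ROLE}, resolve manually")

    if groups & ADMIN_CANDIDATE_GROUPS:
        notes.append("member of a sysadmin group; grant Admin manually only if this person needs it")

    assert role not in NEVER_ASSIGNED_ON_IMPORT   # invariant: import never elevates to Admin
    return role, notes


def import_users(entries: List[Dict[str, List[str]]]) -> Dict[str, Tuple[str, List[str]]]:
    """Role decisions keyed by sAMAccountName, skipping disabled AD accounts."""
    result: Dict[str, Tuple[str, List[str]]] = {}
    for e in entries:
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & ACCOUNTDISABLE:
            continue   # the directory's lifecycle drives ours: no logins for disabled accounts
        result[e["sAMAccountName"][0]] = role_on_import(e)
    return result


# Constructed sample of what an LDAP search for users might return.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["alice"], "userAccountControl": ["512"],
     "memberOf": ["CN=kace-helpdesk,OU=groups,DC=example,DC=com"]},
    {"sAMAccountName": ["bob"], "userAccountControl": ["512"],
     "memberOf": ["CN=kace-sysadmins,OU=groups,DC=example,DC=com"]},
    {"sAMAccountName": ["carol"], "userAccountControl": ["512"],
     "memberOf": ["CN=kace-it,OU=groups,DC=example,DC=com",
                  "CN=kace-assets,OU=groups,DC=example,DC=com"]},
    {"sAMAccountName": ["dave"], "userAccountControl": ["514"], "memberOf": []},
    {"sAMAccountName": ["erin"], "userAccountControl": ["512"]},
]

if __name__ == "__main__":
    for name, (role, notes) in import_users(SAMPLE_ENTRIES).items():
        print(f"{name:6} -> {role:16} {'; '.join(notes)}")
```

Two design points: a user in more than one role group gets the default role plus a note rather than the union of two roles, and membership in the sysadmin group is only ever a prompt for manual assignment, which keeps the import path unable to create a K1000 system administrator.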
Securing Backups
• Enable the Secure Backup Files option to prevent backup files from being downloaded via HTTP/S without authentication
• Use FTP to retrieve backups to external storage on a nightly basis in accordance with your defined backup schedule (FTP sends the password in cleartext, so keep the transfer on the management LAN)
• Set the FTP password in accordance with your password policies. Use a new password created solely for this purpose rather than reusing a common FTP service password
• Know explicitly where your last good backup is located and secure access to that backup
• Only enable Make FTP Writeable when you need to conduct a restore to your K1000 AND your backup files exceed 2 gigabytes. Once the restore is complete, disable this setting
• Evaluate your history retention policies and adjust them to reduce the size of your backup files if necessary
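"Know explicitly where your last good backup is located and secure access to it" is easier to satisfy with a written manifest than with memory. The following is an added example, not a K1000 feature or Dell code: after the nightly FTP pull it tightens permissions on the backup set, records its location and the size and SHA-256 of each file, and later verifies that the set is still where the manifest says, still owner-only, and unchanged. File names and contents in the demo are constructed stand-ins, not real K1000 backup archives.

```python
import hashlib
import json
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

OWNER_ONLY_DIR = stat.S_IRWXU                  # 0700
OWNER_ONLY_FILE = stat.S_IRUSR | stat.S_IWUSR  # 0600


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def record_backup(backup_dir: Path, manifest: Path) -> Dict[str, dict]:
    """Tighten permissions on a retrieved backup set and write its manifest."""
    backup_dir.chmod(OWNER_ONLY_DIR)
    files: Dict[str, dict] = {}
    for p in sorted(backup_dir.iterdir()):
        if p.is_file():
            p.chmod(OWNER_ONLY_FILE)
            files[p.name] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    manifest.write_text(json.dumps({"location": str(backup_dir.resolve()), "files": files}, indent=2))
    manifest.chmod(OWNER_ONLY_FILE)
    return files


def verify_backup(manifest: Path) -> List[str]:
    """Return problems found with the recorded backup set; [] means intact."""
    m = json.loads(manifest.read_text())
    base = Path(m["location"])
    if not base.is_dir():
        return [f"backup location missing: {base}"]
    problems: List[str] = []
    mode = stat.S_IMODE(base.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{base} is accessible to group or others (mode {oct(mode)})")
    for name, info in m["files"].items():
        p = base / name
        if not p.is_file():
            problems.append(f"missing: {name}")
        elif p.stat().st_size != info["size"] or sha256_file(p) != info["sha256"]:
            problems.append(f"changed: {name}")
    return problems


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed backup set: results when intact, after tampering, after a file loss."""
    work = Path(tempfile.mkdtemp())
    bdir = work / "k1000-nightly"
    bdir.mkdir()
    (bdir / "dbdata.tgz").write_bytes(b"db" * 1000)     # stand-ins, not real backup content
    (bdir / "files.tgz").write_bytes(b"files" * 1000)
    manifest = work / "manifest.json"
    record_backup(bdir, manifest)
    intact = verify_backup(manifest)
    (bdir / "dbdata.tgz").write_bytes(b"tampered")
    tampered = verify_backup(manifest)
    (bdir / "files.tgz").unlink()
    lost = verify_backup(manifest)
    return intact, tampered, lost


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "file lost"), demo()):
        print(f"{label:10} {result}")
```

Keep the manifest somewhere other than the backup directory itself; an attacker who can rewrite the archives can otherwise rewrite the hashes with them.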
Securing Agent Provisioning
• Enable the onboard Samba share only when you need to transfer files to or from the K1000 (e.g. if you will be using K1000 agent provisioning), and disable it afterwards
• Consider using GPO scripts or any other existing distribution mechanism to deploy the agent
• KB article 133776 describes the GPO Provisioning Tool
• If using K1000 agent provisioning, consider transferring the agent installation files to an established network share in your environment and configuring that alternate location within K1000 agent provisioning
• When possible, provision agents by DNS hostname to ensure the appropriate endpoints are being configured with the agent
Securing Inbound Email
• Use an alternate email address defined in your existing email services, which will be mapped to the K1000 service desk queue
• Accept email on the service desk queue only from senders that have been configured within the K1000 as users of the appliance
• If possible, locate the K1000 and an MTA for your existing email services within the same subnet, with MX records in DNS defined to exchange SMTP messages between your MTA and the K1000
• If encryption of email in transit is desired, use secure POP3 (POP3 over SSL/TLS, listed as SPOP3) for retrieving inbound email from your existing email services
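The second bullet, accepting queue mail only from configured K1000 users, is a sender filter. The example below is added here and is not the appliance's own queue logic: it extracts the bare address from the From header, compares it case-insensitively against a constructed user list, and shows why the comparison must use the address rather than the display name. The sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Set

# Constructed list of addresses the K1000 would know after LDAP user import.
KNOWN_USERS: Set[str] = {"alice@example.com", "bob@example.com"}


def sender_address(raw_message: str) -> str:
    """Bare, lower-cased address from From ('' if the header is absent or unparsable)."""
    msg = message_from_string(raw_message)
    # parseaddr drops the display name, so '"alice@example.com" <x@evil.example>'
    # yields x@evil.example, which is the address that actually sent the mail.
    _, addr = parseaddr(msg.get("From", ""))
    return addr.strip().lower()


def accept_for_queue(raw_message: str, known: Set[str] = KNOWN_USERS) -> bool:
    """Accept into the service desk queue only if the sender is a configured user."""
    addr = sender_address(raw_message)
    return addr != "" and addr in known


# Constructed sample messages; only the headers matter for this check.
FROM_KNOWN_USER = (
    "From: Alice <Alice@Example.com>\n"
    "To: helpdesk@example.com\nSubject: printer\n\nIt jammed again.\n"
)
DISPLAY_NAME_SPOOF = (
    'From: "alice@example.com" <mallory@evil.example>\n'
    "To: helpdesk@example.com\nSubject: reset my password\n\nplease\n"
)
NO_FROM = "To: helpdesk@example.com\nSubject: hi\n\nno sender header\n"


if __name__ == "__main__":
    for label, raw in [("known user", FROM_KNOWN_USER),
                       ("display-name spoof", DISPLAY_NAME_SPOOF),
                       ("no From", NO_FROM)]:
        print(f"{label:20} sender={sender_address(raw)!r:28} accept={accept_for_queue(raw)}")
```

This is a filter, not authentication: the From header is attacker-controlled, so a message claiming to be from a real user still gets through unless your MTA enforces SPF/DKIM/DMARC on the way in. Run it on a current Python, since older versions of parseaddr mis-handled an unquoted address placed in the display-name position.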
Securing Outbound Email
• Consider configuring an SMTP server within your existing email services to receive outbound mail from the K1000
• If possible, locate this external SMTP server in the same LAN as the K1000
• Configure an email alias for your K1000 system administrators that will receive daily status emails from the K1000, including notifications of any security breaches
Configuring Appliance Service Protocols
• When enabling SNMP monitoring of the K1000, configure an SNMP community string that is specific to your environment rather than using the default 'public' string; SNMP v1/v2c sends the community string in cleartext, so also restrict which hosts may query the appliance
• There is no provision within the K1000 for configuring SNMP traps to be sent to your SNMP monitoring tool. Therefore, you can only poll the K1000 periodically for SNMP information
• If you enable SNMP monitoring, open UDP port 161 on any firewall between the monitoring host and the K1000; the poll is initiated by the monitoring host, so it is outbound from the monitor and inbound to the appliance
• Only enable SSH when engaging with Dell KACE Technical Support or when planning periodic maintenance of your K1000. Disable it when done.
Securing the Console
• Ensure that access to the K1000 console is restricted to K1000 system administrators only
• If a remote access technology is being used (e.g. DRAC, vSphere console, KVM), ensure access to the K1000 console is protected with a strong password
Security Improvements in K1000 6.2 / 6.3
https://software.dell.com/docs/kace-k1000-systems-management-appliance-best-practices-for-a-secure-k1000-deployment-technicalbrief-15417.pdf
• Opt-in subscription service for receiving alerts and notifications from Dell KACE Technical Support
• Introduction of the Group Policy Object Agent Provisioning Tool
• Application of recommendations from a third-party security audit and assessment:
  • Hardening against cross-site scripting, request forgery, and SQL injection
  • Improvements in Apache configuration
  • Upgrades to component software
• Hardening of the K1000 against the DISA Security Technical Implementation Guides (STIGs) for Unix/FreeBSD, Apache, and MySQL
Resources
https://software.dell.com/docs/kace-k1000-systems-management-appliance-best-practices-for-a-secure-k1000-deployment-technicalbrief-15417.pdf
Thank you.
Overview of K2000 Services, Ports, and Protocols
Recommended Deployment for the K2000

Weitere ähnliche Inhalte

Was ist angesagt?

Zimbra Single Server Cluster Installation Guide
Zimbra Single Server Cluster Installation GuideZimbra Single Server Cluster Installation Guide
Zimbra Single Server Cluster Installation Guide
gerd moser
 
Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12
gameaxt
 
Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05
gameaxt
 
Windows Server 2008 R2 Overview
Windows Server 2008 R2 OverviewWindows Server 2008 R2 Overview
Windows Server 2008 R2 Overview
Steven Wilder
 
Whats new in Citrix XenApp 6
Whats new in Citrix XenApp 6Whats new in Citrix XenApp 6
Whats new in Citrix XenApp 6
gadi_fe
 
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and FutureGWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
GWAVA
 
Windows Server 2008 R2
Windows Server 2008 R2Windows Server 2008 R2
Windows Server 2008 R2
Rishu Mehra
 

Was ist angesagt? (20)

6421 b Module-03
6421 b Module-036421 b Module-03
6421 b Module-03
 
Citrix Master Class - Live Upgrade from XenApp 6.5 to 7.6
Citrix Master Class - Live Upgrade from XenApp 6.5 to 7.6Citrix Master Class - Live Upgrade from XenApp 6.5 to 7.6
Citrix Master Class - Live Upgrade from XenApp 6.5 to 7.6
 
MCSA 70-412 Chapter 07
MCSA 70-412 Chapter 07 MCSA 70-412 Chapter 07
MCSA 70-412 Chapter 07
 
MCSA 70-412 Chapter 10
MCSA 70-412 Chapter 10MCSA 70-412 Chapter 10
MCSA 70-412 Chapter 10
 
Zimbra Single Server Cluster Installation Guide
Zimbra Single Server Cluster Installation GuideZimbra Single Server Cluster Installation Guide
Zimbra Single Server Cluster Installation Guide
 
Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12
 
MCSA 70-412 Chapter 02
MCSA 70-412 Chapter 02MCSA 70-412 Chapter 02
MCSA 70-412 Chapter 02
 
MCSA 70-412 Chapter 11
MCSA 70-412 Chapter 11MCSA 70-412 Chapter 11
MCSA 70-412 Chapter 11
 
[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide
[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide
[Bind DNS + Zimbra + SpamAssassin] Antispam Installation Guide
 
Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05Microsoft Offical Course 20410C_05
Microsoft Offical Course 20410C_05
 
Windows Server 2008 R2 Overview
Windows Server 2008 R2 OverviewWindows Server 2008 R2 Overview
Windows Server 2008 R2 Overview
 
Troubleshooting Provisioning Services Target Boot Processes
Troubleshooting Provisioning Services Target Boot ProcessesTroubleshooting Provisioning Services Target Boot Processes
Troubleshooting Provisioning Services Target Boot Processes
 
Migrating from XenApp 4.5 and 5 to XenApp 6.5
Migrating from XenApp 4.5 and 5 to XenApp 6.5Migrating from XenApp 4.5 and 5 to XenApp 6.5
Migrating from XenApp 4.5 and 5 to XenApp 6.5
 
TechTalkThai-CiscoHyperFlex
TechTalkThai-CiscoHyperFlexTechTalkThai-CiscoHyperFlex
TechTalkThai-CiscoHyperFlex
 
What's new in XenDesktop and XenApp
What's new in XenDesktop and XenAppWhat's new in XenDesktop and XenApp
What's new in XenDesktop and XenApp
 
Whats new in Citrix XenApp 6
Whats new in Citrix XenApp 6Whats new in Citrix XenApp 6
Whats new in Citrix XenApp 6
 
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and FutureGWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
GWAVACon 2013: Novell Open Enterprise Server - Roadmap and Future
 
Windows Server 2008 R2
Windows Server 2008 R2Windows Server 2008 R2
Windows Server 2008 R2
 
Simplifying systems management with Dell OpenManage on 13G Dell PowerEdge ser...
Simplifying systems management with Dell OpenManage on 13G Dell PowerEdge ser...Simplifying systems management with Dell OpenManage on 13G Dell PowerEdge ser...
Simplifying systems management with Dell OpenManage on 13G Dell PowerEdge ser...
 
Presentation basic administration for citrix xen app 6
Presentation   basic administration for citrix xen app 6Presentation   basic administration for citrix xen app 6
Presentation basic administration for citrix xen app 6
 

Andere mochten auch (10)

Dell_KACE_User_Profile
Dell_KACE_User_ProfileDell_KACE_User_Profile
Dell_KACE_User_Profile
 
Segmentación de Mercado en Facebook
Segmentación de Mercado en FacebookSegmentación de Mercado en Facebook
Segmentación de Mercado en Facebook
 
Tarea 11.1
Tarea 11.1Tarea 11.1
Tarea 11.1
 
Ch06 system administration
Ch06 system administration Ch06 system administration
Ch06 system administration
 
11. segmentación del mercado facebook
11. segmentación del mercado facebook11. segmentación del mercado facebook
11. segmentación del mercado facebook
 
Segmentacion de facebook
Segmentacion de facebookSegmentacion de facebook
Segmentacion de facebook
 
Optimizing K2000 Workflow
Optimizing K2000 WorkflowOptimizing K2000 Workflow
Optimizing K2000 Workflow
 
K2000 Keeping Your Deployments Up-to-Date
K2000 Keeping Your Deployments Up-to-DateK2000 Keeping Your Deployments Up-to-Date
K2000 Keeping Your Deployments Up-to-Date
 
April vaction
April vactionApril vaction
April vaction
 
K2000 Scripted Installations
K2000 Scripted InstallationsK2000 Scripted Installations
K2000 Scripted Installations
 

Ähnlich wie Locking the Doors, Securing the Appliances

pdf to ppt window configuration .pptx
pdf to ppt window configuration .pptxpdf to ppt window configuration .pptx
pdf to ppt window configuration .pptx
TadeseBeyene
 
window configuration & Administration.pptx
window   configuration  & Administration.pptxwindow   configuration  & Administration.pptx
window configuration & Administration.pptx
TadeseBeyene
 

Ähnlich wie Locking the Doors, Securing the Appliances (20)

Presentation database security enhancements with oracle
Presentation   database security enhancements with oraclePresentation   database security enhancements with oracle
Presentation database security enhancements with oracle
 
pdf to ppt window configuration .pptx
pdf to ppt window configuration .pptxpdf to ppt window configuration .pptx
pdf to ppt window configuration .pptx
 
window configuration & Administration.pptx
window   configuration  & Administration.pptxwindow   configuration  & Administration.pptx
window configuration & Administration.pptx
 
Configuring and administrate server
Configuring and administrate serverConfiguring and administrate server
Configuring and administrate server
 
Null talk
Null talkNull talk
Null talk
 
Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)Copy of learn_the_art_of_firewall_security(1)
Copy of learn_the_art_of_firewall_security(1)
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
 
Best Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIXBest Practices for Deploying Enterprise Applications on UNIX
Best Practices for Deploying Enterprise Applications on UNIX
 
2014-09-15 cloud platform master class
2014-09-15 cloud platform master class2014-09-15 cloud platform master class
2014-09-15 cloud platform master class
 
Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...
Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...
Evénement Docker Paris: Anticipez les nouveaux business model et réduisez vos...
 
Troubleshooting K1000
Troubleshooting K1000Troubleshooting K1000
Troubleshooting K1000
 
itft_system admin
itft_system adminitft_system admin
itft_system admin
 
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10
CCNA (R & S) Module 03 - Routing & Switching Essentials - Chapter 10
 
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
Security of Oracle EBS - How I can Protect my System (UKOUG APPS 18 edition)
 
1 introduction to windows server 2016
1  introduction to windows server 20161  introduction to windows server 2016
1 introduction to windows server 2016
 
CSD-2881 - Achieving System Production Readiness for IBM PureApplication System
CSD-2881 - Achieving System Production Readiness for IBM PureApplication SystemCSD-2881 - Achieving System Production Readiness for IBM PureApplication System
CSD-2881 - Achieving System Production Readiness for IBM PureApplication System
 
F5 TMOS v13.0
F5 TMOS v13.0F5 TMOS v13.0
F5 TMOS v13.0
 
Windows 2012 R2 Multi Server Management
Windows 2012 R2 Multi Server ManagementWindows 2012 R2 Multi Server Management
Windows 2012 R2 Multi Server Management
 
Chapter Two.pptx
Chapter Two.pptxChapter Two.pptx
Chapter Two.pptx
 
Demystifying SharePoint Infrastructure – for NON-IT People
 Demystifying SharePoint Infrastructure – for NON-IT People  Demystifying SharePoint Infrastructure – for NON-IT People
Demystifying SharePoint Infrastructure – for NON-IT People
 

Mehr von Dell World

Mehr von Dell World (20)

Dell Data Center Networking Overview
Dell Data Center Networking OverviewDell Data Center Networking Overview
Dell Data Center Networking Overview
 
Dell Storage Management
Dell Storage ManagementDell Storage Management
Dell Storage Management
 
Dell Networking Wired, Wireless and Security Solutions Lab
Dell Networking Wired, Wireless and Security Solutions LabDell Networking Wired, Wireless and Security Solutions Lab
Dell Networking Wired, Wireless and Security Solutions Lab
 
2020 Vision For Your Network
2020 Vision For Your Network2020 Vision For Your Network
2020 Vision For Your Network
 
Dell Cloud Manager Overview
Dell Cloud Manager OverviewDell Cloud Manager Overview
Dell Cloud Manager Overview
 
Dell PowerEdge Zero Touch Provisioning
Dell PowerEdge Zero Touch ProvisioningDell PowerEdge Zero Touch Provisioning
Dell PowerEdge Zero Touch Provisioning
 
Simplifying Systems Management
Simplifying Systems ManagementSimplifying Systems Management
Simplifying Systems Management
 
Channel Partners: Lead with Dell Software Solutions
Channel Partners: Lead with Dell Software SolutionsChannel Partners: Lead with Dell Software Solutions
Channel Partners: Lead with Dell Software Solutions
 
Innovating Teaching & Learning: Next Generation Student Access Model
Innovating Teaching & Learning: Next Generation Student Access ModelInnovating Teaching & Learning: Next Generation Student Access Model
Innovating Teaching & Learning: Next Generation Student Access Model
 
Executing on the promise of the Internet of Things (IoT)
Executing on the promise of the Internet of Things (IoT)Executing on the promise of the Internet of Things (IoT)
Executing on the promise of the Internet of Things (IoT)
 
Focus on business, not backups
Focus on business, not backupsFocus on business, not backups
Focus on business, not backups
 
NVMe PCIe and TLC V-NAND It’s about Time
NVMe PCIe and TLC V-NAND It’s about TimeNVMe PCIe and TLC V-NAND It’s about Time
NVMe PCIe and TLC V-NAND It’s about Time
 
Key Security Insights: Examining 2014 to predict emerging threats
Key Security Insights: Examining 2014 to predict emerging threats Key Security Insights: Examining 2014 to predict emerging threats
Key Security Insights: Examining 2014 to predict emerging threats
 
The Keys To A Successful Identity And Access Management Program: How Does You...
The Keys To A Successful Identity And Access Management Program: How Does You...The Keys To A Successful Identity And Access Management Program: How Does You...
The Keys To A Successful Identity And Access Management Program: How Does You...
 
Client Security Strategies To Defeat Advanced Threats
Client Security Strategies To Defeat Advanced ThreatsClient Security Strategies To Defeat Advanced Threats
Client Security Strategies To Defeat Advanced Threats
 
What a data-centric strategy gives you that others do not
What a data-centric strategy gives you that others do notWhat a data-centric strategy gives you that others do not
What a data-centric strategy gives you that others do not
 
Cloud: To Build or Buy - Can You Justify On-Premises IT?
Cloud: To Build or Buy - Can You Justify On-Premises IT?Cloud: To Build or Buy - Can You Justify On-Premises IT?
Cloud: To Build or Buy - Can You Justify On-Premises IT?
 
Cloud security: Accelerating cloud adoption
Cloud security: Accelerating cloud adoption Cloud security: Accelerating cloud adoption
Cloud security: Accelerating cloud adoption
 
Detecting advanced and evasive threats on the network
Detecting advanced and evasive threats on the networkDetecting advanced and evasive threats on the network
Detecting advanced and evasive threats on the network
 
So You Need To Build A Private Cloud. What Now? Best Practices For Building Y...
So You Need To Build A Private Cloud. What Now? Best Practices For Building Y...So You Need To Build A Private Cloud. What Now? Best Practices For Building Y...
So You Need To Build A Private Cloud. What Now? Best Practices For Building Y...
 

Kürzlich hochgeladen

Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Marc Lester
 

Kürzlich hochgeladen (20)

The Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test AutomationThe Strategic Impact of Buying vs Building in Test Automation
The Strategic Impact of Buying vs Building in Test Automation
 
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
Abortion Pill Prices Germiston ](+27832195400*)[ 🏥 Women's Abortion Clinic in...
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
 
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with GraphGraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
GraphSummit Milan & Stockholm - Neo4j: The Art of the Possible with Graph
 
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
Workshop -  Architecting Innovative Graph Applications- GraphSummit MilanWorkshop -  Architecting Innovative Graph Applications- GraphSummit Milan
Workshop - Architecting Innovative Graph Applications- GraphSummit Milan
 
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
Abortion Pill Prices Jane Furse ](+27832195400*)[ 🏥 Women's Abortion Clinic i...
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto
^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto
^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
Navigation in flutter – how to add stack, tab, and drawer navigators to your ...
 
Jax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined DeckJax, FL Admin Community Group 05.14.2024 Combined Deck
Jax, FL Admin Community Group 05.14.2024 Combined Deck
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST API
 
A Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdfA Deep Dive into Secure Product Development Frameworks.pdf
A Deep Dive into Secure Product Development Frameworks.pdf
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
What is a Recruitment Management Software?
What is a Recruitment Management Software?What is a Recruitment Management Software?
What is a Recruitment Management Software?
 
Transformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with LinksTransformer Neural Network Use Cases with Links
Transformer Neural Network Use Cases with Links
 

Locking the Doors, Securing the Appliances

  • 1. Dell World 2014 Locking the Doors, Securing the Appliances Bryan Brooks - Customer Success, and Kevin Gehrke – Technical Support November, 06, 2014 Dell World User Forum
  • 2. Dell World User Forum Overview of K1000 Services, Ports, and Protocols • Primary communications are HTTPS traffic • Select optional protocols wisely and only when needed • Arrows indicate direction to open the port on any firewalls
  • 3. Dell World User Forum Inside the Intranet • Safest approach to deployment • Consider keeping appliance service ports restricted to the data center • Window for collecting inventory and deploying digital assets, including patching, is restricted to when users are present on network
  • 4. Dell World User Forum Within the DMZ • Use this deployment when serving highly mobile users • Be more diligent when opening service ports • Consider alternate methods if database access is desired
  • 5. Dell World User Forum Securing Web Traffic: Securing Web Protocols • Use SSL, regardless of deployment choices • Complete SSL configuration before deploying agents • Up to 2048 Bit encryption is supported • Enable SSH during configuration in the event assistance from Dell KACE Technical Support is needed • Use a certificate from a vendor in trusted certificate vendor list or your organization’s Root CA certificate
  • 6. Dell World User Forum Controlling Access with Access Control Lists • Restricts access to the UserUI, AdminUI, and SystemUI to certain ranges in the network • Restrict access to the AdminUI and SystemUI to the LAN environment where administrators will administer the K1000
  • 7. Dell World User Forum Securing the Agent • Open ports 443 and 52230 outbound on any local firewall • SSL is enabled on AMP by default when SSL is configured on the server • Use SSL for the agent as well as the Uis • Restrict LocalSystem administrator rights on your endpoints
  • 8. Dell World User Forum Securing Replication Shares • Ensure write access to replication shares is restricted • Configure a Destination User and Password for the replication share that is not used for other purposes • A Destination User and Password does not need to be set if the Replication Device is also the host for the replication share • Ensure that the Read-Only Download User and Password are not used for other purposes and are unique from the Destination User and Password
  • 9. Dell World User Forum Replication Share Data Flow • Deployment Choices • HTTP vs file transfer • Replication Device on replication share vs. Replication Device remote from replication share
  • 10. Dell World User Forum Configuring a Proxy for Web Feeds • Reference KB article 118543 for patch download URLs • For geographically load-balanced services, use the Classless Internet Domain Routing (CIDR) for whitelisting
11. Securing Database Access
• Use the onboard reporting engine to access the database
• If external database access is desired, configure the connection to use SSL
• Set the read-only password for each org's database to a strong value
• If a DMZ deployment is desired, consider using a secondary K1000 for reporting purposes, with a periodic restore from the nightly backup of the production K1000
• Port 3306 inbound must be opened on any firewall between the machine with the external reporting tool and the K1000

12. Utilizing History for Audit and Change Control
• Set tracking and retention policies for K1000 Settings, Assets, and Objects based on what you are using and your local risk assessments
• Match your retention policies to your audit processes so that you don't burden the K1000 database with old records you've already reviewed

13. Configuring User Authentication with LDAP
• Use LDAP authentication whenever possible to leverage enterprise password change policies
• LDAP configurations can be different for each org
• Set a strong password for the default admin account and use it only for recovery purposes
• Define a default access role with minimum privileges to be assigned to authenticated users on import
• Manually assign roles with elevated privileges to only those users that require them
• If using Active Directory, you may consider applying SSO with Windows credentials. Only one org may use SSO

14. Defining Authorizations with User Roles
Role table (Purpose, then Read / Write / Hidden tabs):
• IT Admin: supports systems management but cannot configure the K1000. Tabs: Home->Label, Asset, Inventory, Distribution, Scripting, Home->Search, Scripting, Security, Reporting, Service Desk, Settings
• Help Desk Admin: supports configuration of the K1000 service desk. Read: Asset, Inventory, Home. Write: Service Desk, Reporting. Hidden: Distribution, Scripting, Security, Settings
• Asset Manager: supports configuration of asset types and their asset data. Read: Inventory, Home. Write: Asset, Reporting. Hidden: Distribution, Scripting, Security, Service Desk, Settings
• Reviewer: reviews system updates and activity but does not update (e.g. auditor). Read: Reporting, Settings->History, Settings->Logs. Write: (none). Hidden: Assets, Inventory, Distribution, Scripting, Security, Service Desk
• Use the pre-defined Admin role to authorize only those users who will function as K1000 system administrators
• Use the pre-defined User role to authorize users who will be accessing the User UI for self-service
• Define specialized roles for users who have responsibility to view or update only certain aspects of the K1000
• Define specialized roles for any administrators who will use K1000 admin features but will not act as K1000 system administrators
• Import user attributes from LDAP to more effectively manage role assignments, create user labels, and assign asset ownership

15. Securing Backups
• Enable the Secure Backup Files option to prevent backup files from being downloaded via HTTP/S without authentication
• Use FTP to retrieve backups to external storage on a nightly basis in accordance with your defined backup schedule
• Set the FTP password in accordance with your password policies. Use a new password created solely for this purpose rather than reusing a common FTP service password
• Know explicitly where your last good backup is located and secure access to that backup
• Only enable Make FTP Writeable when you need to conduct a restore to your K1000 AND your backup files exceed 2 gigabytes. Once the restore is complete, disable this setting
• Evaluate your history retention policies and make adjustments to reduce the size of your backup files if necessary

16. Securing Agent Provisioning
• Enable the onboard SAMBA share only when you need to transfer files to or from the K1000 (e.g. if you will be using K1000 agent provisioning)
• Consider using GPO scripts or any other existing distribution mechanism to deploy the agent
• KB article 133776 describes the GPO Provisioning Tool
• If using K1000 agent provisioning, consider transferring the agent installation files to an established network share in your environment and configuring an alternate location within K1000 agent provisioning
• When possible, provision agents using the DNS hostname to ensure the appropriate endpoints are being configured with the agent

17. Securing Inbound Email
• Use an alternate email address defined in your existing email services, which will be mapped to the K1000 service desk queue
• Accept email on the service desk queue only from users that have been configured within the K1000 as users of the appliance
• If possible, locate the K1000 and an MTA for your existing email services within the same subnet, with MX records in DNS defined to exchange SMTP messages between your MTA and the K1000
• If encryption of email is desired, use the SPOP3 protocol for retrieving inbound email from your existing email services

18. Securing Outbound Email
• Consider configuring an SMTP server within your existing email services to receive outbound mail from the K1000
• If possible, locate this external SMTP server in the same LAN as the K1000
• Configure an email alias for your K1000 system administrators that will receive daily status emails from the K1000, including notifications of any security breaches

19. Configuring Appliance Service Protocols
• When enabling SNMP monitoring of the K1000, configure an SNMP community string that is specific to your environment rather than using the default 'public' string
• There is no provision within the K1000 for configuring SNMP traps to be sent to your SNMP monitoring tool. Therefore, you can only scan the K1000 periodically for SNMP information
• If you enable SNMP monitoring, open port 161 outbound on any firewall that must be traversed
• Only enable SSH when engaging with Dell KACE Technical Support or when planning periodic maintenance of your K1000. Disable it when done

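As an added example (not Dell or KACE code), the following Python audit turns several of the deck's recommendations into checks over a settings snapshot: SSL and SSH state, the SNMP community string, Secure Backup Files and Make FTP Writeable, AdminUI/SystemUI ACL ranges confined to the administrators' LAN, and SSL plus password strength on external database access. The snapshot keys, the LAN range and the 12-character password threshold are assumptions, not the appliance's real export format or policy.

```python
"""Added example (not Dell/KACE code): audits a K1000 settings snapshot
against the hardening points in this deck. Snapshot keys are constructed."""
import ipaddress

# Constructed: the LAN from which administrators reach the AdminUI/SystemUI
LAN = ipaddress.ip_network("10.20.0.0/16")

# Constructed snapshot of appliance settings; keys are illustrative only
SNAPSHOT = {
    "ssl_enabled": True,
    "ssh_enabled": True,            # left on after a support session
    "snmp_enabled": True,
    "snmp_community": "public",     # the default string the deck warns about
    "secure_backup_files": False,
    "ftp_writeable": True,          # should only be on during a >2 GB restore
    "acl": {
        "AdminUI": ["10.20.5.0/24", "203.0.113.0/24"],  # second range is off-LAN
        "SystemUI": ["10.20.5.0/24"],
    },
    "db_external_access": True,
    "db_ssl": False,
    "db_readonly_password": "password",
}

def acl_outside_lan(lan, ranges):
    """Return the ACL ranges that are not contained in the admin LAN."""
    return [r for r in ranges if not ipaddress.ip_network(r).subnet_of(lan)]

def audit(snap, lan=LAN, min_pw_len=12):   # min_pw_len is an assumed policy
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not snap["ssl_enabled"]:
        findings.append("ssl: enable SSL before deploying agents")
    if snap["ssh_enabled"]:
        findings.append("ssh: disable SSH outside support/maintenance windows")
    if snap["snmp_enabled"] and snap["snmp_community"] == "public":
        findings.append("snmp: replace the default 'public' community string")
    if not snap["secure_backup_files"]:
        findings.append("backup: enable Secure Backup Files")
    if snap["ftp_writeable"]:
        findings.append("backup: disable Make FTP Writeable once the restore is done")
    for ui in ("AdminUI", "SystemUI"):
        for rng in acl_outside_lan(lan, snap["acl"].get(ui, [])):
            findings.append(f"acl: {ui} reachable from {rng}, outside LAN {lan}")
    if snap["db_external_access"]:
        if not snap["db_ssl"]:
            findings.append("db: external reporting connection must use SSL")
        if len(snap["db_readonly_password"]) < min_pw_len:
            findings.append("db: read-only org database password is weak")
    return findings
```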
20. Securing the Console
• Ensure that access to the K1000 console is restricted to K1000 system administrators only
• If a remote access technology is being used (e.g. DRAC, vSphere console, KVM), ensure access to the K1000 console is protected with a strong password

21. Security Improvements in K1000 6.2 / 6.3
https://software.dell.com/docs/kace-k1000-systems-management-appliance-best-practices-for-a-secure-k1000-deployment-technicalbrief-15417.pdf
• Opt-in subscription service for receiving alerts and notifications from Dell KACE Technical Support
• Introduction of the Group Policy Object Agent Provisioning Tool
• Application of recommendations from a third-party security audit and assessment:
  • Hardening against cross-site scripting, request forgery, and SQL injection
  • Improvements in Apache configuration
  • Upgrades to component software
• Hardening of the K1000 against NIST Security Technical Implementation Guides (STIG) for Unix/FreeBSD, Apache, and MySQL

22. Resources
https://software.dell.com/docs/kace-k1000-systems-management-appliance-best-practices-for-a-secure-k1000-deployment-technicalbrief-15417.pdf

23. Thank you.

24. Overview of K2000 Services, Ports, and Protocols

25. Recommended Deployment for the K2000