Security Best Practices for the Kace K2000 and the Remote Site Appliance (RSA) (115560)

Voltar
  • Título

    Security Best Practices for the Kace K2000 and the Remote Site Appliance (RSA)
  • Descrição

    To protect the Kace K2000 and Remote Site Appliances (as well as the data they contain) from malicious users it is important to follow the guidelines below.
  • Resolução

    Change default Passwords:

    Even if  the K2000 or the RSA is set up to use LDAP authentication, there remains one local user “admin”. This account can not be deleted so it is impactive its default password be changed right after system installation.

    To change the local admin password on the K2000 or the RSA, log in to the WebUI.
    Go to Settings & maintenance | Control Panel | Users.
    Click on the “admin” user and fill in the Password fields and then click the “save” button.

    The K2000 also has passwords for its Samba shares, its Boot Manager, and the KBE VNC Server ( if not disabled ). These should also be changed from their defaults after the system is installed.

    Note: Changing the Samba share password will also require rebuilding all the KBE's on the K2000 as the password is stored within the KBE itself and KBE's created before the password change will no longer function properly. 

    To change the K2000 default passwords go to Settings & Maintenance | Control Panel. Then scroll to the bottom of the screen and hit the “edit” button.
    Scroll up to the top and enter the password for the Samba Shares.
    Enter a password for the Boot Manager and finally enter the VNC password.
    Then scroll to the bottom and click the “save” button.


    LDAP Security:

    If using an LDAP server for authentication, ensure the LDAP server is following LDAP securities best practices.
    http://msdn.microsoft.com/en-us/library/aa913688.aspx

    Note that LDAP authentication is only used for logging into the WebUI and is not used for the K2000 Samba shares, Boot Manager, or VNC server passwords. 

    Network Security:

    It is recommended the K2000 and the RSA not use public IP addresses. Further it is recommended there be no Internet ingress to either the K2000 or the RSA. Should the Internet be required for communication between a K2000 and its RSA then both appliances should be behind a firewall which opens only ports 80, 443, and 22 between the K2000 IP address and the RSA IP address blocking all other Internet IP addresses from access.

    If Internet access to the K2000 WebUI is required, then SSL should be enabled on the K2000 and a Firewall rule set to allow only port 443 to  access the K2000 or the RSA. Even with SSL active, no other ports including port 22  on the K2000 or the RSA should be open for general Internet access, and should only be opened for specific (K2000 or RSA ) IP addresses. Keep in mind that SSL does not encrypt Samba, Boot Manager, or VNC traffic. 

    To enable tether support and driver feed access, insure the K2000 and RSA  have egress to the Internet on port 22, 80, and 443.



Feedback submitted.

Este artigo ajudou?

[Select Rating]

Thank you for your rating!

Close

Solicitar ou criar um artigo da base de conhecimento »

Produto(s):
K2000 Systems Deployment Appliance
3.6.98680, 3.6.98072, 3.6.96652, 3.5.80613, 3.5.76460, 3.5.75627, 3.4.63129, 3.4.54256, 3.4.54016

Tópico(s):
Best Practices

Histórico do artigo:
Criado em: 10/23/2013
Última atualização em: 3/3/2014