Saturday, December 27, 2008
Credential Management Wishlist
Following up on wishlist issues associated with management consoles, credential management is one that everyone approaches differently. Credential management covers both users logging into the management console and the console/system connecting to external managed resources such as workstations or servers.
1. Ensure the console has a login method backed by an independent user/password in case you have to change the backend authentication server. Most systems tend to get this right, or they are coupled with AD.
2. Don't assume credentials that need to be used will work the same in all places. In my environment, different Active Directories or even individual servers will require a different user/password for vulnerability scanners to connect.
3. Allow administrators to pick an authentication source for administrative accounts. Many times, in order to meet #1, users log in with only "local" credentials. That kills automated password management done by external systems.
Wednesday, December 17, 2008
Management Consoles I: Policy and Events
In Enterprise software, management consoles get written time and time again to solve various problems. I’ve worked on them when I was an IDS developer at Sourcefire and have used them over my career in network and security management on the user side. I also know most software folks that enter this realm haven’t dealt with actually using these products and tend to recreate bad wheels.
There’s a common set of requests that I have for the ideal management scenarios for centralized management of reporting and policy management. I end up giving this talk several times to various vendors and thought someone might be better off if I documented it ahead of time.
Policy Management
Policy management is the process of managing client configuration and pushing it out to systems. Many consoles tend to build policy roles around viewing, modifying, distributing and creating policies. Many organizations need to be able to set a baseline configuration but then give system administrators free rein beyond that. Active Directory/Group Policy is a great example of designing for every edge case: things such as inheritance, and controlling it, have been thought about. For most though, pay attention only to the computer side of GPOs and you can leave out things like loopback processing. In AD, you assign admins to a GPO and they can manage downwards, but they have to accept what was assigned above where the level above enforces it. The big GPO gotcha is there’s no “default configuration GPO” that you can reassign to get yourself out of GPO-induced messes.
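The baseline-plus-delegation model above, as an added example (not code from the post or from any product it mentions): an upper level can lock settings that lower levels must accept, lower levels may add or override everything else, and a "reset to baseline" path gives the escape hatch the author says GPO lacks. Setting names and level names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """One level in the policy chain (enterprise baseline, OU, host ...)."""
    name: str
    settings: dict
    locked: set = field(default_factory=set)  # keys lower levels must accept as-is

def resolve_policy(chain):
    """Merge policies top-down. A lower level may add or override settings,
    except keys an upper level locked; those overrides are rejected and reported.
    Returns (effective_settings, rejected_overrides)."""
    effective, locked_above, rejected = {}, set(), []
    for level in chain:
        for key, value in level.settings.items():
            if key in locked_above:
                rejected.append((level.name, key, value))
            else:
                effective[key] = value
        locked_above |= level.locked
    return effective, rejected

def reset_to_baseline(chain):
    """The 'default configuration' escape hatch GPO lacks: drop every delegated
    level and re-resolve from the top level alone."""
    return resolve_policy(chain[:1])[0]

# Constructed sample chain with hypothetical setting names
BASELINE = Policy("enterprise",
                  {"av.realtime": True, "log.forward": "siem.example.internal"},
                  locked={"av.realtime"})
FINANCE_OU = Policy("finance-ou", {"av.realtime": False, "scan.schedule": "nightly"})
HOST = Policy("host-override", {"scan.schedule": "weekly"})
CHAIN = [BASELINE, FINANCE_OU, HOST]

if __name__ == "__main__":
    effective, rejected = resolve_policy(CHAIN)
    print(effective)   # av.realtime stays True; scan.schedule is 'weekly'
    print(rejected)    # the OU's attempt to disable av.realtime, for auditing
    print(reset_to_baseline(CHAIN))
```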
Event Reporting
Presumably, your client software has messages to report such as “found virus” or “disk encrypted.” Let the same delegated authority from policy management review those events and take actions on them from a single console. If I have delegated administration, trusting that groups cannot report on each other is a critical factor in getting people to install your managed software. Don’t make me push people through setting up another server to do their own reporting and then expect the central console to get the reports. This is normally implementable as a mandatory query filter assigned to a role.
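The "mandatory query filter assigned to a role" idea, as an added example that is not part of the post: the role's scope is applied server-side before any filter the user supplies, so a delegated admin can narrow a query but never widen it, and actions on events go through the same check. Roles, groups and events are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    host: str
    group: str   # the delegation group the host belongs to
    kind: str    # e.g. "found virus", "disk encrypted"

# Constructed sample events as a central console might hold them
EVENTS = [
    Event("fin-ws01", "finance", "found virus"),
    Event("fin-ws02", "finance", "disk encrypted"),
    Event("hr-ws07", "hr", "found virus"),
    Event("it-srv03", "it", "disk encrypted"),
]

# Mandatory scope per role: the groups a role is delegated for (hypothetical roles)
ROLE_SCOPE = {
    "finance-admin": {"finance"},
    "hr-admin": {"hr"},
    "global-soc": {"finance", "hr", "it"},
}

def query_events(role, groups=None, kind=None):
    """Apply the role's mandatory group filter before any user-supplied filter.
    A requested group outside the role's scope is dropped, so the caller can
    narrow the query but never widen it. Unknown roles see nothing."""
    allowed = ROLE_SCOPE.get(role, set())
    visible = allowed if groups is None else allowed & set(groups)
    return [e for e in EVENTS
            if e.group in visible and (kind is None or e.kind == kind)]

def acknowledge(role, event):
    """Actions go through the same filter as views: True if the role may act."""
    return event.group in ROLE_SCOPE.get(role, set())
```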
Client Identification
Make sure you can handle migrating IP addresses of clients. The Microsoft WSUS ClientID is a good example of this: generate a token and identify the unique node by that token. Make sure it’s easy to change the token in case people use things like Ghost, which clones the image without altering that token.
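A token-based client registry in the spirit of the WSUS ClientID, as an added example (not WSUS code and not from the post): an IP change is treated as normal, the same token arriving from a different hostname is flagged as a likely clone and given a fresh token, and an explicit re-issue path exists. Hostnames and addresses are constructed.

```python
import secrets

class ClientRegistry:
    """Identify managed nodes by a server-issued token, never by IP address."""

    def __init__(self):
        self.by_token = {}  # token -> {"host": ..., "ip": ...}

    def enroll(self, host, ip):
        """Issue a fresh random token for a node."""
        token = secrets.token_hex(16)
        self.by_token[token] = {"host": host, "ip": ip}
        return token

    def check_in(self, token, host, ip):
        """Process a client check-in. Returns (status, token_to_use).
        - "ok":         known node, nothing changed
        - "ip-changed": same node moved address (DHCP, VPN); record updated
        - "duplicate":  same token from a different hostname, which is what a
                        cloned image (e.g. Ghost) produces; a new token is issued
        - "unknown":    token not registered; the client must enroll
        """
        rec = self.by_token.get(token)
        if rec is None:
            return "unknown", None
        if rec["host"] != host:
            return "duplicate", self.enroll(host, ip)
        if rec["ip"] != ip:
            rec["ip"] = ip
            return "ip-changed", token
        return "ok", token

    def reissue(self, token):
        """Explicit token rotation, e.g. before a machine is imaged as a template."""
        rec = self.by_token.pop(token)
        return self.enroll(rec["host"], rec["ip"])
```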
There are a lot of other management gotchas I should write about in the future, such as firewalling, credential management, backup and recovery, and licensing.