06/04/2019 102 views

Howdy,


So my question, as above, can we set a client password that is required to check in to the KACE box? Or is there some kind of private key/public key encryption authentication mechanism? What are the drawbacks of implementing this if it is possible?

If your KACE appliance is open to the internet for checking-in of your users what is there to prevent a potential malicious connection from a modified client?   


We just had an interesting situation here, where a computer that is not ours and is from another organization checked in to our KACE system.   They also use KACE, and unfortunately both our DNS records are the same which is what allowed this client to check into our system.  This system was able to run the scripts that we use and now has desktop shortcuts onto the system that are for us internally. I also do not know the extent of other things that have been modified. My counterpart at the other agency and I plan to go over and check on the system to figure out what has occurred.


Obviously I'll be changing the DNS record of our system, but was wondering if there was anything more that could be done. Thanks!



Comments

  • I'm not an expert on that sort of thing, but does either appliance have certificates in place?
    • On our environment no, I am not certain on the other environment but I would also have to guess that would be no.
  • If the two appliances were completely identical except that they had certificates in place, the certificate mismatch should prevent an agent from one from talking to the other server.
    • You're talking specifically a standard SSL cert?
  • Yes, in Settings > Control Panel > Security Settings > SSL.
    • Thanks, I will add one of those.
  • This sounds really unlikely, since the agent communication uses a certificate for the box only (no matter if the web UI uses SSL or not).
    OLD agents (6.4 and before) were not encrypted by default, but they are not checking in anymore since 8.0 because of the changes to the agent communication.

    I suggest contacting support to check, and if there is an option to make it more secure, it can be done.
    A good idea would be a KAT from the "evil" system.
    You can create a script which runs on this system only and uploads a KAT. See here: https://support.quest.com/kb/263376

    In the zip there is a document on how to set up the KAT so it runs on a client, collects the necessary information and uploads it to the KACE.
    • So you're suggesting that I run KAT to gather data on the offending machine then open a ticket with Quest/KACE support? (That was my next plan once I meet my counterpart to go investigate this system.)

      I do know the client on the machine is 7.2 and our KACE server is 9.0. I don't know what the other KACE server's version is, but I do know both servers share the same name. We've been using our KACE since before 6.4; is it possible that we're not encrypted by default?
      • Run the KAT on this system to check what it is and whether it is really a "foreign" system or just a "lost" one.
        And open an SR with KACE to discuss the options you have.

There are no answers at this time
