Best Practices For A Secure K1000 Deployment


Best Practices for a Secure K1000 Deployment

A Dell Technical White Paper

Copyright 2013 Dell KACE. All rights reserved.

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

2013 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Dell Inc. is strictly forbidden. For more information, contact Dell.

Dell, the DELL logo, and the DELL badge are trademarks of Dell Inc. Microsoft, Windows, Windows Server, and Active Directory are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Inc. disclaims any proprietary interest in trademarks and trade names other than its own.

November 2013

Contents

Abstract
Introduction
Recommended Network Deployment
  Inside the Intranet
  Within the DMZ
Web
  User Interfaces
Agent
  Agent Execution
  Securing Replication Shares
Web Feeds
Datastore
  History
User Access Control
  Authentication
  Configuring the LDAP Protocol to Use SSL
  Configuring LDAP Authentication in a Multiple Organization Configuration
  Single Sign-On with Windows Credentials
  Appliance Linking
  Session Timeout
  User Roles
  Import LDAP User Attributes
  User Labels
File Management
  Managing Secure Backups of the K1000
  Securely Managing Agent Provisioning
  Using a Local Share in Agent Provisioning
Email
  Securing Inbound Email
  Configuring the SPOP3 Protocol
  Configuring the SMTP Protocol
  Securing Outbound Email
  Administrative Email Alerts
Appliance Services
  Health Monitoring
  Enabling SNMP Monitoring of the K1000
  SSH Access
  Updating the K1000
  Logging
  Console
  Network Diagnostics
  Tether
Other Resources
  Dell KACE Corporate Background
  Dell KACE Headquarters

Abstract

The Dell KACE K1000 System Management Appliance is designed as an easy-to-use, comprehensive, and affordable solution to systems management. The offering tightly integrates all of the services needed to discover, inventory, assess, and manage the systems in your computing environment. Since this offering affords your IT administrators a high degree of control over your computing resources, a great deal of care has gone into designing the appliance to ensure your computing environment remains secure.

The K1000 utilizes a web interface for administrators and users to interact with the solution, and for endpoint agents to communicate with the appliance. All web communications are encrypted with up to 2048 bit encryption. Users are authenticated to the K1000 using your existing directory services, and may be authorized to perform only certain functions based on their assigned role. Extensive auditing features are provided to ensure all administrative actions may be independently tracked.

Several deployment options exist to accommodate the needs of your computing environment and user community, each with security implications to consider. This white paper provides recommendations for those deployment choices as well as alternatives that may better suit your needs. Of course, implementation choices for your environment may exist that are not discussed in this white paper. A review of your implementation plan with Dell KACE is always welcomed.

Finally, please be aware that the underlying operating system and associated services of the appliance have been hardened to eliminate potential security vulnerabilities and minimize risk. Dell KACE Quality Assurance processes continuously evaluate potential vulnerabilities in the software used to deliver the K1000 and provide resolutions to identified vulnerabilities as part of periodic updates to the appliance. As with all software offerings, diligence is required. We at Dell KACE take pride in providing a solution that achieves unparalleled productivity gains for your IT staff while ensuring your assets are safeguarded.

Introduction

The K1000 Systems Management Appliance provides an extensive array of options for managing client and server machines within a network. This white paper explores how to best implement these choices with security in mind.

The KACE approach to systems management delivers a self-contained web application appliance to provide all of the features required to manage endpoints in a network environment. This approach offers many advantages in simplifying the overall task of maintaining inventory of machines and software, and keeping those machines and their respective software up-to-date and under control. All of the provided features are configurable via an easy-to-use web-based administrative interface. Because of this, system administrators do not need to access the underlying operating system of the K1000 appliance to perform any administrative tasks. Restricting physical access to the appliance in combination with maintaining a secure password on the console ensures a very high level of security with respect to the underlying operating system. As such, this document focuses primarily on the configuration options available within the web administrative interfaces and the network and physical controls that should be put in place to guarantee a secure deployment.

The following diagram describes the network protocols that may be used within the K1000. By default, all network protocols and their associated services are disabled except for AMP and HTTP, which are the protocols used to support the user interfaces and agent communications. You must explicitly configure the K1000 to enable any additional services. The arrows indicate whether the communication is inbound or outbound from the K1000 (and correspondingly, will need to be configured as such on any firewalls in the network environment). The dotted arrows indicate the protocols associated with optional services that need to be enabled to be used. The greyed boxes are functionality provided by the Dell KACE K1000 Appliance. Where only an external protocol is illustrated, it is up to the local implementation to provide the client or service that will integrate with the given protocol when desired.

Overview of K1000 Services, Ports, and Protocols

This document will explore each of these services and their respective configurations, and the best practices associated with their deployment.

Web – Most communications with the K1000 are conducted utilizing this service, including the agent, the various user interfaces, and communication with external services upon which the K1000 relies.

Agent – An agent is installed on computers that will be managed by the K1000. The agent communicates with the K1000 appliance via HTTPS and maintains a heartbeat with the appliance via the KACE proprietary AMP protocol.

Web Feeds – The K1000 obtains regular updates for patch signatures and payloads to be deployed to managed systems, Dell driver and firmware payloads, Dell warranty information, news and knowledge base articles from Dell KACE Technical Support.

Datastore – The K1000 records current and historical activity within an internal database, which may be remotely accessed in read-only mode if desired.

User Access Control – There are multiple options and configuration settings to be discussed regarding authentication and authorization of users for the K1000, including integration with your local LDAP services.

File Management – Most operations for file transfer with the K1000 are conducted over HTTP/S. However, there are some limitations to utilizing HTTP/S for all file transfers, and this topic explores those alternatives.

Email – The K1000 provides an SMTP service for configuring service desk ticket queues and managing inbound service tickets, as well as managing outbound notifications to appropriate personnel when an alert triggers them. Email may be transmitted inbound or outbound via the SMTP protocol. POP3/SPOP3 is supported as an option in addition to SMTP to retrieve email from corporate email services. While the email dataflow is inbound to the K1000 appliance when using POP3/SPOP3, the appropriate port must be opened outbound through any firewall because the email is ‘pulled’ from the external POP mail server (*).

Appliance Services – KACE appliances are web application appliances. Customers are provided limited console access for initial configuration and troubleshooting. Once configured, all appliance functionality is accessed and managed through the Web User Interface, and OS access is not needed for normal appliance operations. Full access to the appliance operating system is reserved for KACE Technical Support and only with the approval and cooperation of customer personnel.

You will see the following notation in the document that will aid in understanding your configuration options:

This symbol indicates a configuration best practice for optimally deploying a particular service.

This symbol indicates a “note” or reminder of the implications of a certain configuration to be considered as part of the service deployment.

This symbol indicates a warning or implication of a service deployment that ma
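To make the firewall point in the introduction and the POP3/SPOP3 caveat above concrete, here is an added example (not from the white paper or Dell KACE): a small Python model of the overview's services that separates who opens the connection from which way the data flows, and emits the firewall direction each enabled service needs. The service inventory and standard IANA ports are my reconstruction, the AMP port is a placeholder, and the rule generalizes the paper's SPOP3 caveat to any service the K1000 pulls from, such as web feeds.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Service:
    name: str
    protocol: str
    port: Optional[int]   # None: port not stated in the paper, take it from the appliance docs
    initiator: str        # "remote" (client/server connects to the K1000) or "k1000"
    payload: str          # direction the data itself flows, relative to the K1000
    default_on: bool = False

# Service inventory reconstructed from the overview (constructed for this example).
# Ports are the standard IANA ports for each protocol; AMP's port is a placeholder.
SERVICES = (
    Service("Web UI and agent (HTTPS)", "HTTPS", 443, "remote", "inbound", default_on=True),
    Service("Agent heartbeat (AMP)", "AMP", None, "remote", "inbound", default_on=True),
    Service("Web feeds from Dell KACE", "HTTPS", 443, "k1000", "inbound"),
    Service("LDAP authentication over SSL", "LDAPS", 636, "k1000", "outbound"),
    Service("Inbound email (SMTP)", "SMTP", 25, "remote", "inbound"),
    Service("Inbound email (SPOP3 pull)", "SPOP3", 995, "k1000", "inbound"),
    Service("Outbound email (SMTP)", "SMTP", 25, "k1000", "outbound"),
    Service("SNMP health monitoring", "SNMP", 161, "remote", "inbound"),
    Service("SSH access", "SSH", 22, "remote", "inbound"),
)

def firewall_rules(enabled_services):
    """Return (direction, protocol, port, name, note) for every active service.

    The firewall direction follows who opens the connection, not which way the
    payload flows; when the two differ (SPOP3 is the paper's example) the note says so.
    """
    enabled = set(enabled_services)
    unknown = enabled - {svc.name for svc in SERVICES}
    if unknown:
        raise ValueError(f"unknown service(s): {sorted(unknown)}")
    rules = []
    for svc in SERVICES:
        if not (svc.default_on or svc.name in enabled):
            continue  # a disabled service gets no hole in the firewall
        direction = "inbound" if svc.initiator == "remote" else "outbound"
        port = svc.port if svc.port is not None else "<port from appliance docs>"
        note = ""
        if direction != svc.payload:
            note = f"data flows {svc.payload}, but the K1000 opens the connection"
        rules.append((direction, svc.protocol, port, svc.name, note))
    return rules

if __name__ == "__main__":
    for direction, proto, port, name, note in firewall_rules(["Inbound email (SPOP3 pull)"]):
        print(f"allow {direction:8} {proto}/{port}  # {name}" + (f" ({note})" if note else ""))
```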
