Javascript must be enabled to download our products and perform other essential functions on the website.

ionicons-v5-m
ionicons-v5-j
Buy Now Download Free Trial
ionicons-v5-m
ionicons-v5-f

Security Protected Settings

There are many settings for PA Server Monitor which are available under:

HKEY_LOCAL_MACHINE\software\PAServerMonitor

There are a few settings that are important enough that some customers don't even want administrators to be able to make changes to them. For these cases, there are a few settings in:

HKEY_LOCAL_MACHINE\software\PAServerMonitor\Protected

A separate registry key is used so you can set additional access protections using the operating system to control who can change these settings. Be sure that the PA Server Monitor service can read these settings.

Settings

All settings below can be set to 1 or 0.

AllowExpiredHTTPSCertsInClient
Any time an internal HTTPS request is made (Console to the Central Server, Satellite to the Central Server, Web Page monitor, etc) a decision has to be made whether to accept a connection to an endpoint that has an expired SSL/TLS certificate. Even if it is expired, the connection is still encrypted. Setting this to 1 allows connections using expired certificates, and 0 blocks those connections. Defaults to 0.
AllowLegacyMobileAppSkip2FA
Older versions of the mobile application didn't support requesting a 2FA PIN. Set this to 1 to allow them to login without the PIN. Setting to 0 will require a PIN if 2FA is enabled for the user (see User Access). Defaults to 1.
DisableBlankLocalLogin
When the Console on the Central Monitoring Service is run, if the user is a local administrator they are able to login without a username/password. To disable this, set this value to 1. See Remote Users for defining logins. Defaults to 0.
DisablePasswordExport
When exporting configuration data, sometimes passwords can be exported as well. Setting this value to 1 will disable exporting passwords. Defaults to 0.
EnableScriptCredentialAccess
The Execute Script monitor can request configured passwords for the device the script is running for via the $mon.TargetUserName, $mon.TargetUserDomain and $mon.TargetUserPassword properties.

This can be disabled by setting this value to 0, or enabled by setting to 1. Defaults to 0.

Because of the concern of scripts exfiltrating credentials, we recommend locking monitors or actions that use the TargetUserName, TargetUserDomain or TargetUserPassword properties.
EnableScriptCredentialAccess_Custom
If this value is set to 1, the Execute Script monitor or action can request configured Custom credentials for arbitrary devices via the $mon.GetCredentials or $act.GetCredentials function. The functions will fail if this value is set to 0.

This can be disabled by setting this value to 0, or enabled by setting to 1. Defaults to 0.

Because of the concern of scripts exfiltrating credentials, we recommend locking monitors or actions that use the GetCredentials function.
EnableScriptCredentialAccess_All
If this value is set to 1, the Execute Script monitor or action can request any configured credentials for arbitrary devices via the $mon.GetCredentials or $act.GetCredentials function. The functions will fail if this value is set to 0.

This can be disabled by setting this value to 0, or enabled by setting to 1. Defaults to 0.

Because of the concern of scripts exfiltrating credentials, we recommend locking monitors or actions that use the GetCredentials function.
SNAP_AllowTunnel2
SNAP Tunnels allow tunneling a connection to a remote device across the communication link between the Central Monitoring Service and a Satellite Monitoring Service. This is useful for getting to an RDP session on a remote device. Tunnels can be disabled completely by setting this value to 0 on the Central Monitoring Service, or set it to 0 on a Satellite to disable tunnels to that specific Satellite. Defaults to 1.
SNAP_AccessUnmonDevices
When a SNAP Tunnel is created, the creating user's access is checked to confirm they have access to the device. If connecting to an unmonitored device (perhaps by creating a tunnel from the External API) set this value to 1 to disable access checks. Defaults to 0.
SNAP_AllowTunnelFromAnonAPI
The External API can create SNAP Tunnels and requires a username and password. To enable the legacy mode of not requiring credentials, set this value to 1. Defaults to 0.

PA Server Monitor

Help Map