Security Protected Settings

There are many settings for PA File Sight which are available under:

There are a few settings that are important enough that some customers don't even want administrators to be able to make changes to them. For these cases, there are a few settings in:

A separate registry key is used so you can set additional access protections using the operating system to control who can change these settings. Be sure that the PA File Sight service can read these settings.

Some of these settings can be set with the "Satellites: Set Protected Configuration Values" Bulk Config operation. That will only work for a user in the local Console, which means they are a Windows administrator on the computer. Also see the note with the SatProtectedLock setting below.

Settings

All settings below can be set to 1 or 0.

AllowExpiredHTTPSCertsInClient

Any time an internal HTTPS request is made (Console to the Central Server, Satellite to the Central Server, Web Page monitor, etc) a decision has to be made whether to accept a connection to an endpoint that has an expired SSL/TLS certificate. Even if it is expired, the connection is still encrypted. Setting this to 1 allows connections using expired certificates, and 0 blocks those connections. Defaults to 0.

AllowManualSatelliteFileSync

This setting allows manual server to server file copying between the Central Server and Satellites. For a file copy to succeed, this setting has to be enabled on the Central Server and on the Satellite. This value does not automatically synchronize from the Central Server to Satellites. Services do not need to be restarted after changing this value. Defaults to 1.

AllowAutoSatelliteFileSync

This setting allows the File Synchronizer monitor to copy files between the Central Server and Satellites. For a file copy to succeed with this monitor, this setting has to be enabled on the Central Server and on the Satellite. This value does not automatically synchronize from the Central Server to Satellites. Services do not need to be restarted after changing this value. Defaults to 1.

DisableBlankLocalLogin

When the Console on the Central Monitoring Service is run, if the user is a local administrator they are able to login without a username/password (using the Local Host option). To disable this, set this value to 1. See Remote Users for defining logins. Defaults to 0.

DisablePasswordExport

When exporting configuration data, sometimes you can be prompted if credentials (username/password) should be exported as well. Setting this value to 1 will disable exporting credentials. Automatic exports (for example to the Config\Backup folder) never contain credentials. Defaults to 0.

EnableNotesAPIUsePath

The External API has a GET_NOTES and SET_NOTES commands which allows retrieving and saving computer-specific notes to and from a file. This file can be outside the product's TRANSFER folder (the default) if this setting is enabled. Defaults to 0.

SatProtectedLock

When this value is set to 1 on a Satellite computer, remotely changing the other values on this page via the "Satellites: Set Protected Configuration Values" will be blocked. This allows a remote customer/administrator to guarantee the settings on this page are not changed once they are set as desired.

SNAP_AllowTunnel2

SNAP Tunnels allow tunneling a connection to a remote device across the communication link between the Central Monitoring Service and a Satellite Monitoring Service. This is useful for getting to an RDP session on a remote device. Tunnels can be disabled completely by setting this value to 0 on the Central Monitoring Service, or set it to 0 on a Satellite to disable tunnels to that specific Satellite. Defaults to 1.

SNAP_AccessUnmonDevices

When a SNAP Tunnel is created, the creating user's access is checked to confirm they have access to the device. If connecting to an unmonitored device (perhaps by creating a tunnel from the External API) set this value to 1 to disable access checks. Defaults to 0.

SNAP_AllowTunnelFromAnonAPI

The External API can create SNAP Tunnels and requires a username and password. To enable the legacy mode of not requiring credentials, set this value to 1. Defaults to 0.