PA File Sight Product Security

Non-Cloud

All settings, databases, network information, etc., stays on your servers. The product is not cloud-based.

Secure SSL Connections

By default, PA File Sight uses SSL/TLS secured HTTP communications between the Console, Satellites and the Central Monitoring Service. If encryption is turned off, remote connections (remote Consoles and Satellites) are not allowed.

The SSL/TLS connection can run on any port, and defaults to port 8000.

OpenSSL and Ciphers

SSL/TLS is implemented using the latest version of OpenSSL

This means notable exploits are quickly patched, including:

SWEET32
LogJam
POODLE
ChangeCipherSpec
Heartbleed

The embedded HTTPS server supports Forward Secrecy by supporting ephemeral Diffie-Hellman key exchange, depending on the encryption cipher that is negotiated between client and server.

There are two SSL/TLS security settings available which can be changed in Settings > HTTP Server Settings.

Supported Protocols

Here you can control which protocols the HTTPS server will use.

SSLv2 is not allowed, and SSLv3 is disabled by default.

Cipher Strength

Various ciphers settings are available, with the "Strongest ciphers" setting being the most robust at the time the product was released.

Cipher names and information can be found at https://www.openssl.org/docs/apps/ciphers.html

For an alternate cipher override value and discussion, see http://stackoverflow.com/questions/3775836/disable-weak-ciphers-in-ssl-connection.

Self-Signed Certificate

By default, a self-signed SSL certificate is used, but you may replace that with your own certificate using the instructions at:
www.poweradmin.com/help/latestsmhelp.aspx?page=report_other_ssl_cert.aspx

The generated self-signed SSL certificates are currently 2048 bit. The default signature algorithm is sha1RSA, signature algorithm of sha1, and the public key is RSA 2048 bits.

The self-signed certificates can be easily regenerated at any time.

HTTPS Server Limits

The internal HTTPS server is very small and light. It supports a fixed number of connections, and each connection will only upload or download a fixed amount of data. These limits are registry configurable.

Fuzzing/Scanning

For many years, a number of customers regularly fuzz test and run vulnerability scanners on our software (and other software that they run on site). Any time an issue is found it is fixed within two business days. Most of the time it has involved adding an HTTP header, such as X-XSS-Protection: 1, X-Frame-Options:SAMEORIGIN, etc. It has now been a number of years since any problems have been found, and we always welcome feedback. We recently asked a white-hat tester to look at our software and nothing was found.

Service Security

The monitoring service supports security alerts for anything that might change or affect monitoring. These are available at Settings > Security Alerts.

In addition, the monitoring service can be locked such that it cannot be stopped by the Windows Service Control Manager. This setting is at the bottom of the Settings dialog. If the service is terminated, the service is configured to automatically get restarted by the Windows Service Control Manager.

Endpoint Security

Similar to the monitoring service, the PA File Sight Endpoints can be configured to not allow stopping (this is the Lock setting). The moniotirng service can also be configured to send alerts if the Endpoint is not actively checking in.

User Credentials

There are a variety of different credentials that might be put into the system depending on monitoring needs:

Windows
ODBC Database Connection String
SMTP Server
Active Directory/LDAP
SSL Certificate Private Key

ALL of these credentials are encrypted using Microsoft's recommended method of storing credentials via the CryptProtectData function. This encrypts the credentials such that they can only be decrypted on the computer where they are stored.

The encrypted credentials are stored in the registry at:

HKEY_LOCAL_MACHINE\software\PAFileSight\Creds

Disabling Export

There are a few places in the product where the configuration can be exported to disk, with the option to export credentials. This export option can be completely disabled by setting:

HKEY_LOCAL_MACHINE\software\PAFileSight\Protected
[DWORD] DisablePasswordExport = 1

Other protected settings are discussed here: Security Protected Settings.

Database Access

By default, an embedded SQLite database is used to store data. This can be changed to store data in a MS SQL Server database. In that case, the database login needs access to create, update and delete tables and indices. It does not need access to, nor does it try to use any statements that would modify, create or delete individual databases, including the database it stores data in.

Product Logins

There are a few ways of logging in and interacting with the product:

Local Console Login - login to the Central Service from the Central Service computer using the local Console application. This does not require a password, but does require the user to be an administrator on the computer. This type of login can be disabled.
Remote Console Login - users can be added to the system, and they can login remotely using a Console on their computer. We recommend enabling 2FA (two factor authentication).
Web Login - users can login to view reports. This login can require a username and password (default). This login can also require 2FA.
Mobile Application - similar to the Web Login, this application can view status, with the additional capability of being able to put systems into maintenance mode. A login (possibly with 2FA enabled) is required.

Filter Access to Devices

All product logins tie a user to an account. Accounts can have their access filtered such that they can only access specific groups of devices, with potentially limited rights to those devices. The product uses a "never trust the client" posture, which means the backend service enforces all constraints.