PA Server Monitor Product Security

Secure SSL Connections

By default, PA Server Monitor uses SSL secured HTTP communications between the Console, Satellites and the Central Monitoring Service. If SSL is turned off, remote connections (remote Consoles and Satellites) are not allowed.

The SSL connection can run on any port, and defaults to port 81.

OpenSSL and Ciphers

SSL is implemented using OpenSSL version 1.0.1g (as of this writing - May 2014). 1.0.1g is the version that was released to fix the Heartbleed bug.

The embedded HTTPS server supports Forward Secrecy by supporting ephemeral Diffie-Hellman key exchange, depending on the encryption cipher that is negotiated between client and server.

There are two SSL security settings available which can be changed in Settings -> HTTP Server Settings.


Normal (default) Security

The Normal setting works with most devices and operating systems, including IE 6, Windows XP and Windows 2003.

The cipher suite command sent to OpenSSL is:

ALL:!ADH:!LOW:!EXP:!MD5:!eNULL:!aNULL:@STRENGTH

SSLv2 is not allowed, but SSLv3 and TLS are allowed.

High Security

The High setting uses ciphers that enable Forward Secrecy, and disables the SSLv3 protocol so only TLS (1.0 and higher) can be used. This works with most modern browsers and operating systems.

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

This is based on advice from https://cipherli.st/

SSLv2 and SSLv3 are not allowed. Only TLS connections are supported.

Windows XP and Windows 2003 will not be able to connect to a Central Monitoring Service, a Satellite, or a Fail Over Server that is using the High setting. The Inventory Collector monitor might also fail to run for XP/2003 servers as it sometimes needs to connect to the Central Monitoring Service from a monitored server.


Cipher names and information can be found at http://www.openssl.org/docs/apps/ciphers.html

For an alternate cipher override value and discussion, see http://stackoverflow.com/questions/3775836/disable-weak-ciphers-in-ssl-connection.

Self-Signed Certificate

By default, a self-signed SSL certificate is used, but you may replace that with your own certificate using the instructions at:
www.poweradmin.com/help/latestsmhelp.aspx?page=report_other_ssl_cert.aspx

The generated self-signed SSL certificates are currently 2048 bit. The default signature algorithm is sha1RSA, signature algorithm of sha1, and the public key is RSA 2048 bits.

The self-signed certificates can be easily regenerated at any time.

HTTP Server Limits

The internal HTTP/S server is very small and light. It supports a fixed number of connections, and each connection will only upload or download a fixed amount of data. These limits are registry configurable.

User Credentials

There are a variety of different credentials that might be put into the system depending on monitoring needs:

ALL of these credentials are encrypted using Microsoft's recommended method of storing credentials via the CryptProtectData function. This encrypts the credentials such that they can only be decrypted on the computer where they are stored.

The encrypted credentials are stored in the registry at:

HKEY_LOCAL_MACHINE\software\ (Wow6432Node if you have it) \PowerAdminServerMonitor\Creds

Disabling Export

There are a few places in the product where the configuration can be exported to disk, with the option to export credentials. This export option can be completely disabled by setting:

HKEY_LOCAL_MACHINE\software\ (Wow6432Node if you have it) \PowerAdminServerMonitor\Protected
[DWORD] DisablePasswordExport = 1

Monitoring Protocols

Communication with individual servers is done using standard protocols (HTTP, Ping, SNMP, Windows RPC for things like Event Logs, Performance Counters, etc).

Communications via Windows RPC is done using standard Windows APIs, which means all communication and access is governed by the Windows security model.

Individual monitors need different permissions depending on what resource is being targeted. Please see Monitoring Permissions for more details.

Database Access

By default, an embedded SQLite database is used to store data. This can be changed to store data in a MS SQL Server database. In that case, the database login needs access to create, update and delete tables and indices. It does not need access to, nor does it try to use any statements that would modify, create or delete individual databases, including the database it stores data in.

 
Power Admin LLC Power Admin Software Trial Downloads Order Power Admin Software Licenses PA Server Monitor Software PA Storage Monitor Software PA File Sight auditing software PA WatchDISK  
Thanks for a really great product. You don't know how much money and time you guys have saved us.
Andreas N., Astra Tech Inc., Sweden more customer quotes...
see customer list...