This is the first in a series of posts about securing your ZENworks Configuration Management server.
Written at: Draper, UT
The usual rules about physical security of production servers should always be followed – depending on your environment this may mean a secure server room with controlled access all the way through to biometric controlled access to a datacenter.
We also recommend the usual operating system level security too; anti-virus, host firewall, controlled access to the console.
The third piece of the security is enforcing good change control and release management. For those of you adopting ITIL best practices this should be relatively easy.
Finally – the ZENworks specific pieces.
There are several configuration files that should be protected on the server. These contain the LDAP proxy credentials for connecting to the user sources (Active Directory or eDirectory) and the ‘server secrets’ for the server.
1. CASA realms
The ZENworks Configuration Management primary server uses CASA to provide cross platform, cross directory authentication and authorisation.
The User Sources are configured within the ZENworks Control Center. (Configuration –> User Sources)
If you look at a configured User Source you will see the connection information:
This information is stored in an xml document on each primary server.
If you look at this file you will see the credentials in cleartext:
<bci:realm desc="Directory" connectorType="org.bandit.ia.connectors.LDAPConnectorInitialCtxFactory" id="zenlab.evilzenscientist.com">
<bci:env prop="java.naming.security.authentication" value="simple" />
<bci:env prop="java.naming.security.principal" value="administrator@zenlab" />
<bci:env prop="java.naming.security.credentials" value="foobarpassword" />
<bci:env prop="java.naming.referral" value="follow" />
<bci:env prop="com.novell.casa.authtoksvc.searchroot" value="OU=ZENlab users,DC=zenlab,DC=evilzenscientist,DC=com" />
<bci:env prop="java.naming.ldap.attributes.binary" value="objectGUID" />
<bci:env prop="com.novell.casa.authtoksvc.directory_type" value="ActiveDirectory" />
It is for this reason that we recommend using a non-privileged LDAP user; auditing that account and also ensuring that access to the ZENWORKS_HOME directory on your primary servers is restricted to administrators.
2. Primary server secrets and keys
The ZENworks Configuration Management primary server also stores the certificates and encrypted connection data on the filesystem.
Always worth protecting the entire content of this directory; also make sure you have a backup copy of this data.