Kace client security issue, can the client have a passphrase to authenticate to a server?
Howdy,
So my question, as above, can we set a client password that is required to check in to the KACE box? Or is there some kind of private key/public key encryption authentication mechanism? What are the drawbacks of implementing this if it is possible?
If your KACE appliance is open to the internet for checking-in of your users, what is there to prevent a potential malicious connection from a modified client?
We just had an interesting situation here, where a computer that is not ours and is from another organization checked in to our KACE system. They also use KACE, and unfortunately both our DNS records are the same, which is what allowed this client to check into our system. This system was able to run the scripts that we use and now has desktop shortcuts onto the system that are for us internally. I also do not know the extent of other things that have been modified. My counterpart at the other agency and I plan to go over and check on the system to figure out what has occurred.
Obviously I'll be changing the DNS record of our system, but was wondering if there was anything more that could be done. Thanks!
Answers (0)
OLD agents (6.4 and before) were not encrypted by default, but they are not checking in anymore since 8.0 because of the changes to the agent communication.
I suggest contacting support to check; if there is an option to make it more secure, it can be done.
A good idea would be a KAT from the "evil" system.
You can create a script which runs on this system only and uploads a KAT. See here: https://support.quest.com/kb/263376
In the zip there is a document on how to set up the KAT so it runs on a client, collects the necessary information and uploads it to the KACE. - Nico_K 5 years ago
I do know the client on the machine is 7.2 and our KACE server is 9.0. I don't know what the other KACE server's version is, but I do know both servers share the same name. We've been using our KACE since before 6.4; is it possible that we're not encrypted by default? - omorganx 5 years ago
And open a SR with KACE for discussing the options you have. - Nico_K 5 years ago