A.05.70 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2011, 5900-1735)

and log the event. Credentials can be regenerated and exchanged between CMS nodes and managed
systems using the System Insight Manager command line and certificate import and export utilities.
2.13 Browser security
2.13.1 SSL
All communication between the browser and the CMS or any managed server occurs using HTTP over SSL,
i.e., HTTPS. Any navigation using HTTP (not using SSL) is either denied or automatically redirected to HTTPS.
2.13.2 Cookies
Although cookies are required to maintain a logged-in session, only a session identifier is maintained in the
cookie. No confidential information is stored in the cookie. All cookies are marked as secure and therefore
must be transmitted over SSL.
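The following check is an added example, not code from HP or from this document. It audits recorded responses against the two statements in 2.13.1 and 2.13.2: plain HTTP is denied or redirected to HTTPS, and every cookie carries the Secure attribute. The host name, cookie name and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.split("=", 1)[0]
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part}
    return name, attrs

def audit_response(scheme, status, headers):
    """Return a list of findings for one response; scheme is the scheme of the request."""
    findings = []
    hdrs = [(key.lower(), val) for key, val in headers]
    cookies = [parse_set_cookie(val) for key, val in hdrs if key == "set-cookie"]
    if scheme == "http":
        location = next((val for key, val in hdrs if key == "location"), "")
        redirected = 300 <= status < 400 and urlsplit(location).scheme == "https"
        denied = 400 <= status < 500  # a refused connection would also count as denied
        if not (redirected or denied):
            findings.append(f"plain HTTP answered with {status}: not denied, not redirected to HTTPS")
        # A cookie handed out on a cleartext response is exposed regardless of its flags.
        for name, _ in cookies:
            findings.append(f"cookie {name} issued over plain HTTP")
    for name, attrs in cookies:
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure attribute")
    return findings

# Constructed sample responses (hypothetical host and cookie name, not captured from a real CMS).
SAMPLES = [
    ("http", 302, [("Location", "https://cms.example.net/")]),
    ("https", 200, [("Set-Cookie", "SESSIONID=3f9a1c; Path=/; Secure")]),
    ("http", 200, [("Set-Cookie", "SESSIONID=3f9a1c; Path=/")]),
]

if __name__ == "__main__":
    for scheme, status, headers in SAMPLES:
        result = audit_response(scheme, status, headers)
        print(scheme, status, "OK" if not result else result)
```

The first two samples match the behavior the document describes; the third shows what a misconfigured or non-conforming endpoint would produce.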
2.13.3 Passwords
Password fields displayed by HP Systems Insight Manager and the Insight Remote Support Advanced
application never display cleartext passwords. Passwords transmitted between the browser and CMS as
well as between the CMS and managed devices are encrypted using SSL/TLS and transmitted over HTTPS.
2.13.4 Operating System dependencies
User accounts and authentication
The HP Systems Insight Manager and Insight Remote Support Advanced system accounts are
authenticated against the CMS host operating system. Any operating system feature that affects user
authentication will affect signing in to HP Systems Insight Manager and Insight Remote Support Advanced.
The operating system of the CMS can implement a lock-out policy to disable an account after a specified
number of invalid sign-in attempts. Additionally, an account can be manually disabled in the Microsoft®
Windows domain. An account that cannot authenticate against the operating system cannot be used to
sign in to HP SIM and Insight RSA.
NOTE: A user who is already signed in to HP Systems Insight Manager is not re-authenticated against
the operating system until the next sign-in attempt and remains signed in to HP Systems
Insight Manager, retaining all rights and privileges therein, until signing out of HP Systems Insight
Manager.
IMPORTANT: If creating operating system accounts exclusively for HP Systems Insight Manager
accounts, give users the most limited set of operating system privileges necessary to accomplish the
required function. Any root or administrator accounts should be properly guarded. Configure all
password restrictions, lock-out policies, and user profiles in the operating system.
File system
Access to the file system should be restricted to protect the object code of HP Insight Remote Support
Advanced. Inadvertent modifications to the object code can adversely affect the operation of Insight
RSA. Malicious modification can allow for covert attacks, such as capturing sign in credentials or
modifying commands to managed systems. Read-level access to the file system should also be controlled
to protect sensitive data such as private keys and passwords, which are stored in a recoverable format
on the file system. The Insight Remote Support Advanced installation wizard sets appropriate restrictions
on the application files and directories. These restrictions should not be changed because this could
adversely impact the operation of Insight RSA or allow unintended access to the files.
Signed applet
Previous versions of HP Systems Insight Manager use a Java plug-in that may additionally display a
warning about trusting a signed applet. Those previous versions of HP Systems Insight Manager use
an applet signed by Hewlett-Packard Company, whose certificate is signed by VeriSign.