Recommendations for the Access Layer

The Access Layer is responsible for user access to both the Web Application and Windows Client. It also controls whether the logged-in user can carry out administrative functions, and it can limit what collected data can be viewed.

Accessing the product software requires user authentication with a user name and password. Once a user is logged in, their actions can be further restricted via access controls built into the administrative features.

There are three types of access layer security functions:

Authentication 

A user name and password are required to authenticate to the software. Providing a valid user name and password at login gives access to the Prognosis Server connected to the User Interface, as well as all other Prognosis Servers connected on the same port. Providing an invalid user name and/or password gives no access.

Access Control

Access control is normally provided through either the Security dialog box of the Windows Client or the SECURITY Configuration.

The Security dialog box of the Windows Client allows different levels of access to be assigned for each type of function, such as Databases and Thresholds, for all system users. It does not provide security at an individual user level, nor can it restrict access to command execution.

The SECURITY Configuration can be used through either the Web Application or Windows Client to control the permissions for each individual user to perform tasks on each server and to restrict access to command execution, such as performing tasks using IRCMD.

Role Based Security (Web Application only)

The Web Application includes a 'Role-Based Security' mechanism. This is used to define a set of capabilities and privileges for Web Application users, such as the Home page that displays when the user logs in and what Navigation Trees they can see in the 'View Systems' page. This feature does not affect the Windows Client.

For details see the following sections:

Role Based Security for Web Application

Summary of Recommendations

Login Authentication
Regardless of the authentication mechanism, the following is recommended:
  • Access policy should restrict the number of logon attempts

  • Access policy should set a strong password policy

  • Limit the number of local machine Windows accounts

Limit Authorized Users
In all environments, the following approach is recommended:
  • Limit the number of authorized users that are allowed access to the Web Application

  • Limit the number of authorized users that are allowed access to the Windows Client

LDAP Authentication
In all environments, the following approach is recommended:
  • Use LDAP and, where available, enable TLS on the LDAP server.

Single Sign On
None at this time.

Pluggable Authentication Module Support
None at this time.

Access Control for the Windows Client
In all environments, the following is recommended:
  • Access policy should restrict the number of login attempts

  • Access policy should set a strong password policy

  • Limit the number of local machine Windows accounts

Access to Stop the Service
In all environments, the following approach is recommended:
  • Restrict access to shut down Prognosis to only those administrative users who are permitted to undertake the operation.

SECURITY Configuration
In all environments, the following is recommended:
  • For each authorized user, explicitly specify in the SECURITY Configuration which functions they are allowed to access.

  • Ensure that the right to update the SECURITY Configuration is limited to a select few administrative users who understand that the SECURITY Configuration controls access to the administrative features.

Security Logs and Reviews
In all environments, the following approach is recommended:
  • Understand the logs that are available.

  • Review audit logs, as needed, or when an incident occurs that requires investigation.

In high security environments, the following additional actions are recommended:

  • Forward output from all relevant logs to a central SIEM system for monitoring. For the Audit Log, use the built-in Syslog feature where possible. For other logs, forward the file content to the SIEM system periodically.

  • When configuring the Audit Log to be forwarded via Syslog over TCP/IP, enable TLS on the outgoing connection.

Role Based Security for Web Application
In all environments, the following approach is recommended:
  • The 'Public Role', by default, has access to all features, including administration. It is strongly recommended that specific roles be set up for the various groups of users in the environment. Each role should only provide access to the features that are required. Once this is done, remove all access from the 'Public Role'.

