Recommendations for the Access Layer
The Access Layer is responsible for user access to both the Web Application and Windows Client. It also controls whether any administrative functions can be carried out by the logged-in user and can limit what collected data can be viewed.
Accessing the product software requires user authentication with a user name and password. Once a user is logged in, their actions can be further restricted via access controls built into the administrative features.
There are three types of access layer security functions:
Authentication
A user name and password are required for authentication to use the software. Providing a valid user name and password at login gives access to the Prognosis Server connected to the User Interface, as well as all other Prognosis Servers connected on the same port. Providing an invalid user name and/or password gives no access.
For details see the following sections:
Access Control
Access control is normally provided through either the Security dialog box of the Windows Client or the SECURITY Configuration.
The Security dialog box of the Windows Client allows for different levels of access to be assigned for each type of function, such as Databases and Thresholds, for all system users. It does not provide for security at an individual user level nor can it restrict access to command execution.
The SECURITY Configuration can be used through either the Web Application or Windows Client to control the permissions for each individual user to perform tasks on each server and to restrict access to command execution, such as performing tasks using IRCMD.
For details see the following sections:
Role Based Security (Web Application only)
The Web Application includes a 'Role-Based Security' mechanism. This is used to define a set of capabilities and privileges for Web Application users, such as the Home page that displays when the user logs in and what Navigation Trees they can see in the 'View Systems' page. This feature does not affect the Windows Client.
For details see the following sections:
Summary of Recommendations
Access policy should restrict the number of logon attempts
Access policy should set a strong password policy
Limit the number of local machine Windows accounts
Limit the number of authorized users that are allowed access to the Web Application
Limit the number of authorized users that are allowed access to the Windows Client
Use LDAP and, where available, enable TLS on the LDAP server.
Access policy should restrict the number of login attempts
Access policy should set a strong password policy
Limit the number of local machine Windows accounts
Restrict access to shut down Prognosis to only those administrative users who are permitted to undertake the operation.
For each authorized user, explicitly specify which functions they are allowed to access in the SECURITY Configuration.
Ensure that the right to update the SECURITY Configuration is limited to a select few administrative users who understand that the SECURITY Configuration controls access to the administrative features.
Understand the logs that are available.
Review audit logs, as needed, or when an incident occurs that requires investigation.
In high security environments, the following additional actions are recommended:
Forward output from all relevant logs to a central SIEM system for monitoring. For the Audit Log, use the built-in Syslog feature where possible. For other logs, forward the file content to the SIEM system periodically.
When configuring the Audit Log to be forwarded via Syslog over TCP/IP, enable TLS on the outgoing connection.
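For the logs that have no built-in Syslog output, the periodic forwarding recommended above can be done by a small job such as the following. This is an added example, not part of the product or its documentation: the function names, the "prognosis-log" application name and the audit facility value are assumptions, and the SIEM is assumed to accept RFC 5425 syslog over TLS on port 6514.

```python
import socket
import ssl
from datetime import datetime, timezone

def tls_context(ca_file=None):
    """Client context that verifies the SIEM's certificate chain and hostname."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # refuse older protocol versions
    return ctx

def syslog_frame(line, host, app, facility=13, severity=6, now=None):
    """One RFC 5424 message with RFC 5425 octet-counting framing ("LEN SP MSG")."""
    now = now or datetime.now(timezone.utc)            # timestamp is emitted as UTC
    pri = facility * 8 + severity                      # 13 = log audit, 6 = informational
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    msg = f"<{pri}>1 {ts} {host} {app} - - - {line.rstrip()}".encode("utf-8")
    return str(len(msg)).encode("ascii") + b" " + msg

def read_new_lines(path, offset):
    """Return (lines, new_offset) for content appended since the previous run."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        if fh.tell() < offset:       # file is shorter than last time: rotated or truncated
            offset = 0
        fh.seek(offset)
        data = fh.read()
    end = data.rfind(b"\n") + 1      # hold back a partially written final line
    lines = [l for l in data[:end].decode("utf-8", "replace").splitlines() if l.strip()]
    return lines, offset + end

def forward(path, offset, siem_host, siem_port=6514, ca_file=None):
    """Send new lines to the SIEM over TLS; the caller persists the returned offset."""
    lines, new_offset = read_new_lines(path, offset)
    if lines:
        with socket.create_connection((siem_host, siem_port), timeout=10) as raw:
            with tls_context(ca_file).wrap_socket(raw, server_hostname=siem_host) as tls:
                for line in lines:
                    tls.sendall(syslog_frame(line, socket.gethostname(), "prognosis-log"))
    return new_offset                # unchanged if the connection or handshake failed
```

Because the offset is only returned after every line has been sent, a failed TLS handshake or dropped connection raises an exception and the same lines are retried on the next run instead of being lost.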
The 'Public Role', by default, has access to all features, including administration. It is strongly recommended that specific roles be set up for the various groups of users in the environment. Each role should only provide access to the features that are required. Once this is done, remove all access from the 'Public Role'.