Security requirements
The system authenticates all Fixlets and actions using secure public-key infrastructure (PKI) signatures. PKI uses public/private key pairs to ensure authenticity.
Before installing BigFix, you must
run the Installer on Windows and the script install.sh
on Linux to generate your
own private key and then apply to HCL for a signed certificate containing your
public key. Your private key (which only exists on your computer and is
unknown to anyone else, including HCL) is
encrypted by a password of your choosing, so if someone steals it, they still need to know your
password to be able to use it. Nevertheless, guard it well. Anyone who has the
private key and password for your site, access to the server, and a database login will be able to
apply any action to your Client computers.
Treat your private key just like the physical key to your company front door. Do not leave it lying around on a shared disk. Instead, store it on a removable disk or a secured location and do not lose it. In the physical world, if you lose your master key you have to change all the locks in the building. Similarly, if you lose your digital key, you will need to do a migration to a new authorization key or a fresh installation of the entire system (including all the Clients). It is not unreasonable to store a backup copy of your site level key files in a secured safe deposit box.
During the installation process a server signing key is created and stored as a file on the server machine. Whenever operators issue an action, it is digitally signed by the server signing key, and the client will only trust actions that are signed by that key. Since clients will trust any action signed by the server signing key, it is important to protect the server signing key file. To protect the server signing key file, administrator access to the server machine must be restricted.
Fixlets are also digitally-signed. The Fixlet site author signs each message with a key that can be traced back to the BigFix root for authentication. This signature must match the Fixlet sites masthead, which is placed in the Client install folder when subscribing to the site. This procedure prevents spoofing and man-in-the-middle attacks, and guarantees that the Fixlets you receive are from the original certified author.
There are a few other security-related issues to address before installing BigFix in your organization:
- Make sure the server computer is running Windows Server 2008+ 64 bit with the latest Service Pack available from Microsoft.
- Make sure that the SQL Server is secured with the latest security-related patches.
- Make sure that TCP/IP and UDP on the specified port (default value
is
52311
for all the components, included the console) is completely unblocked at all internal routers and internal firewalls. - Verify that your external router forbids inbound and outbound traffic on the specified port
(default value is
52311
for all the components) so that BigFix-related traffic will be unable to flow into or out of your network.You can administer roaming laptops by putting an authenticating relay in your DMZ. For additional details, see Authenticating relays and servers.
- Verify with your network administrator that you can allow the server to access the Internet via
port 80.The BES Root Server service on Windows and the
beserver
service on Linux access the Internet and by default they run as the SYSTEM account on Windows and as root on Linux.Note: In your environment, if you reach the Internet through a proxy configure the connection as described in Setting up a proxy connection. If you have firewall restrictions, see Configuring a Local Firewall.To maintain a physical disconnect from the Internet, see Downloading files in air-gapped environments.
- Secure the server computers and the SQL database using company or industry-wide standards. Contact your network administrator or database administrator for more information.
Secure the client computers by using company- or industry-wide standards; applying the Principle of Least Privilege (PoLP) is recommended.
- Keep the UAC feature enabled always.
- Avoid seting up user accounts with local administrative privileges.
- Ensure restircted access to the system directory paths (for example, Windows, System32, Program Files (x86), Program Files). Prevent local users from accessing these locations.