Deployment Solution Security Explained

Deployment Solution Security Explained

White Paper

February 10, 2007

© 2007 Altiris Inc. All rights reserved.

About Altiris

Altiris, Inc. is a pioneer of IT lifecycle management software that allows IT organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate via a common Web-based console and repository. For more information, visit www.altiris.com.

NOTICE

INFORMATION IN THIS DOCUMENT: (I) IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY WITH RESPECT TO PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES (“PRODUCTS”), (II) REPRESENTS ALTIRIS’ VIEWS AS OF THE DATE OF PUBLICATION OF THIS DOCUMENT, (III) IS SUBJECT TO CHANGE WITHOUT NOTICE, AND (IV) SHOULD NOT BE CONSTRUED AS ANY COMMITMENT BY ALTIRIS. EXCEPT AS PROVIDED IN ALTIRIS’ LICENSE AGREEMENT GOVERNING ANY PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES (“PRODUCTS”), ALTIRIS ASSUMES NO LIABILITY WHATSOEVER, AND DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTIES RELATING TO THE USE OF ANY PRODUCTS, INCLUDING WITHOUT LIMITATION, WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY THIRD PARTY INTELLECTUAL PROPERTY RIGHTS. ALTIRIS ASSUMES NO RESPONSIBILITY FOR ANY ERRORS OR OMISSIONS CONTAINED IN THIS DOCUMENT AND ALTIRIS SPECIFICALLY DISCLAIMS ANY AND ALL LIABILITIES AND/OR OBLIGATIONS FOR ANY CLAIMS, SUITS OR DAMAGES ARISING FROM OR IN CONNECTION WITH THE USE OF, RELIANCE UPON OR DISSEMINATION OFTHIS DOCUMENT AND/OR THE INFORMATION CONTAINED HEREIN.

Altiris may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the Products referenced herein. The furnishing of this document and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any foregoing intellectual property rights.

No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Altiris, Inc.

Customers are solely responsible for assessing the suitability of the Products for use in particular applications. Products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.

Copyright © 2006, Altiris, Inc. All rights reserved.

Altiris, Inc.

588 West 400 South

Lindon, UT 84042

Phone: (801) 226-8500

Fax: (801) 226-8506

*Other company names or products mentioned are or may be trademarks of their respective owners.

Information in this document is subject to change without notice. For the latest documentation, visit www.altiris.com.

www.altiris.com

Contents

Summary 1

Console Users and Passwords 2

Rights to the Deployment Server Console Options 4

Permissions 8

Computer Permissions 10

Job Permissions 11

Express Database Security Tables 12

SecurityGroup 12

SecurityGroupMember 12

SecurityPermission 12

SecurityPermissionLink 13

SecurityPrivilege 13

SecurityPrivlegeLink 14

SecurityUser 14

Express Database Security Tables 15

www.altiris.com

Summary

This documents purpose is to explain the components of Deployment Solution Security.

Deployment Solution has three levels of Console Security

·  Console Users and Passwords

·  Rights to the Deployment Server Console Options

·  Permissions

SQL Permission

When a Deployment Solution Console is installed on a computer, an ODBC System DSN is created for access to the express database. The DSN is configured to use “Windows NT authentication using the network login ID”.

When a user clicks on the Deployment Console icon on the desktop, the user is authenticated to the \\%DSSERVER%\express\express.exe file and authenticated to the express database. The user must have DBO permissions to the express database.

If security is enabled, an AD account will be authenticated to the DS. If the currently logged on user is not authenticated, a Deployment Solution console log on dialog is displayed and a Deployment Solution login will be required.

Console Users and Passwords

There are no console users configured out of the box. As such there are no restrictions to who can access the console and the tasks that they can perform.

Users and groups are created on the Options > Security dialog.

Users can be imported from Active Directory or Deployment Solution Users can be created. All users, imported from AD or created in Deployment Solution, must have a password.

The first console user created will receive administrative rights by default.

The screenshot shown below shows a Deployment Solution user called Administrator. This is strictly a Deployment Solution account and is not associated in any way to the system “Administrator” account.

Since this is the first user created, it is given Administrator rights. With Administrator rights, this user will have all permissions and rights to the console.

Once a user is created and security is enabled, users will be required to login to the Deployment Solution Console.

Rights to the Deployment Server Console Options

The second level of security is to give users and/or groups permissions to the “Program Options” dialog (Tools > Options) as well as specific tool bar options. These permissions are located in the SecurityPrivilege table.

Administrator

Options Console

Options Global

Options Domain Accounts

Options RapiDeploy

Options Agent Settings

Options Database Tokens

Options Task Password

Use PXE Configuration Utility

Options Virtual Centers

Manage Rejected Computers

Refresh Clients

Allow Scheduling on All Computers Group

Import/Export

A Deployment Solution administrator will have access to all tabs on the Program Options dialog.

In the screenshot shown below a second user “User1” is created.

A user/group given any of the “Options….” rights will have access to the respective tabs on the “Program Options” dialog.

For example: If “User1” was given only the “Options Console” right, only the Console tab will be available to that user.

A user that does not have the “User PXE Configuration Utility” right will have the PXE Configuration option grayed out.

A user that doesn’t have rights to “Manage Rejected Computers” will get an “Access Denied” message if they attempt to access the “Rejected Computers”.

A user that doesn’t have rights to “Refresh Clients” will get an “Access Denied” message if they click the Reset Client Connections option.

A user that does not have the “Import/Export” permission will have the Import/Export option grayed out.

Permissions

The third level of security it Permissions. Permissions can be applied to Computers and to jobs. Permissions are applied by right-clicking the resource and selecting

Permissions.

An “Object Security” dialog will open. If a user or group is highlighted, the respective permissions will be displayed showing which permissions the user has to the specified resource. The dialog below shows the “Object Security” dialog for Computers.

The dialog below shows the Object Security dialog for jobs.

Computer Permissions

Create Computers
Create Computer Groups
Modify Object
Delete Object
Restore
Reject Connection
Execute Command
Copy File To
Remote Control
Wake up
Restart
Shutdown
Log off
Prompt User for Properties
Chat
Riloe Power On
Riloe Power Off
Riloe Reset Server
Riloe Interface
Change Agent Settings
Manage Physical Device Change Rules
Schedule Create Disk Image
Schedule Distribute Disk Image
Schedule Modify Configuration
Schedule Distribute Software
Schedule Capture Personality
Schedule Back Up Registry
Schedule Restore Registry
Schedule Copy File to
Schedule Run Script
Schedule Scripted OS Install
Schedule Shut down
Schedule Restart
Schedule Log off
Schedule Wake up
Allow Automation Install
Get Inventory
Reset Connection
Clear Status
Apply Regular License
Install BIS Certificate
Remove BIS Certificate
Automation Agent
Schedule Get Inventory
Delete History
Move Object
FSC power on
FSC power off
FSC reset server name
IBM power on
IBM power off
IBM interface
Dell power on
Dell power off
Dell reset
Dell interface

Job Permissions

Create Jobs
Create Job Folders
Modify Object
Delete Object
Create Disk Image
Distribute Disk Image
Modify Configuration
Distribute Software / Personality/ SVS Layer
Capture Personality
Back Up Registry
Restore Registry
Copy File to
Run Script
Scripted OS Install
Shut down
Restart
Log off
Wake up
Get Inventory
Schedule this job
Move Object

After configuring and enabling security it may be necessary to run the Program Files\Altiris\express\Deployment Server\Techsup\Windows\DSDBSEcurity.exe utility to reset the role permissions.

Express Database Security Tables

SecurityGroup

group_id name description ad_group_netbios domain ad_group group_sid ad_group_domain

15000001 Administrators 0

15000007 Remote Control Users 0

15000008 Help Desk 0

SecurityGroupMember

user_id group_id

14000024 15000007

SecurityPermission

id name

1 Create Computers

2 Create Computer Groups

3 Create Jobs

4 Create Job Folders

5 Modify Object

6 Delete Object

7 Restore

8 Reject Connection

9 Execute Command

10 Copy File To

11 Remote Control

12 Wake up

13 Restart

14 Shut down

15 Log off

16 Prompt User for Properties

17 Chat

18 Riloe Power On

19 Riloe Power Off

20 Riloe Reset Server

21 Riloe Interface

22 Change Agent Settings

23 Manage Physical Device Change Rules

24 Create Disk Image

25 Distribute Disk Image

26 Modify Configuration

27 Distribute Software

28 Capture Personality

29 Distribute Personality

30 Back Up Registry

31 Restore Registry

32 Copy File to

33 Run Script

34 Scripted OS Install

35 Shut down

36 Restart

37 Log off

38 Wake up

39 Schedule Create Disk Image

40 Schedule Distribute Disk Image

41 Schedule Modify Configuration

42 Schedule Distribute Software

43 Schedule Capture Personality

44 Schedule Distribute Personality

45 Schedule Back Up Registry

46 Schedule Restore Registry

47 Schedule Copy File to

48 Schedule Run Script

49 Schedule Scripted OS Install

50 Schedule Shut down

51 Schedule Restart

52 Schedule Log off

53 Schedule Wake up

54 Allow Boot Works Install

55 Get Inventory

56 Reset Connection

57 Clear Status

58 Apply Regular License

59 Install BIS Certificate

60 Remove BIS Certificate

61 Bootworks Agent

62 Create Physical Device

63 Get Inventory Task

64 Schedule Get Inventory

65 Delete History

66 Schedule this job

67 Move Object

68 FSC power on

69 FSC power off

70 FSC reset server name

71 IBM power on

72 IBM power off

73 IBM interface

74 Dell power on

75 Dell power off

76 Dell reset

77 Dell interface

SecurityPermissionLink

permission_id user_id object_id allow

11 15000007 -1 1

12 15000007 -1 1

13 15000007 -1 1

14 15000007 -1 1

15 15000007 -1 1

17 15000007 -1 1

11 15000008 -1 1

12 15000008 -1 1

13 15000008 -1 1

14 15000008 -1 1

15 15000008 -1 1

17 15000008 -1 1

27 15000008 1000149 1

32 15000008 1000149 1

33 15000008 1000149 1

35 15000008 1000149 1

36 15000008 1000149 1

37 15000008 1000149 1

38 15000008 1000149 1

SecurityPrivilege

privilege_id name

1 Administrator

2 Options Console

3 Options Global

4 Options Domain Accounts

5 Options RapiDeploy

6 Options Agent Settings

7 Options Database Tokens

12 Options Task Password

13 Use PXE Configuration Utility

14 Options Virtual Centers

8 Manage Rejected Computers

9 Refresh Clients

10 Allow Scheduling on All Computers Group

11 Import/Export

SecurityPrivlegeLink

user_id privilege_id

15000001 1

14000024 2

14000023 1

SecurityUser

user_id name fullname description password ad_user

14000024 rIKS[IuLOF|aIP User1 W[]SZOZIx|dJAPod@ 0

Express Database Security Tables

www.altiris.com Deployment Solution Security Explained > 1