Deployment Solution Security Explained
White Paper
February 10, 2007
© 2007 Altiris Inc. All rights reserved.
About Altiris
Altiris, Inc. is a pioneer of IT lifecycle management software that allows IT organizations to easily manage desktops, notebooks, thin clients, handhelds, industry-standard servers, and heterogeneous software including Windows, Linux, and UNIX. Altiris automates and simplifies IT projects throughout the life of an asset to reduce the cost and complexity of management. Altiris client and mobile, server, and asset management solutions natively integrate via a common Web-based console and repository. For more information, visit www.altiris.com.
NOTICE
INFORMATION IN THIS DOCUMENT: (I) IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY WITH RESPECT TO PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES (“PRODUCTS”), (II) REPRESENTS ALTIRIS’ VIEWS AS OF THE DATE OF PUBLICATION OF THIS DOCUMENT, (III) IS SUBJECT TO CHANGE WITHOUT NOTICE, AND (IV) SHOULD NOT BE CONSTRUED AS ANY COMMITMENT BY ALTIRIS. EXCEPT AS PROVIDED IN ALTIRIS’ LICENSE AGREEMENT GOVERNING ANY PRODUCTS OF ALTIRIS OR ITS SUBSIDIARIES (“PRODUCTS”), ALTIRIS ASSUMES NO LIABILITY WHATSOEVER, AND DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTIES RELATING TO THE USE OF ANY PRODUCTS, INCLUDING WITHOUT LIMITATION, WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY THIRD PARTY INTELLECTUAL PROPERTY RIGHTS. ALTIRIS ASSUMES NO RESPONSIBILITY FOR ANY ERRORS OR OMISSIONS CONTAINED IN THIS DOCUMENT AND ALTIRIS SPECIFICALLY DISCLAIMS ANY AND ALL LIABILITIES AND/OR OBLIGATIONS FOR ANY CLAIMS, SUITS OR DAMAGES ARISING FROM OR IN CONNECTION WITH THE USE OF, RELIANCE UPON OR DISSEMINATION OF THIS DOCUMENT AND/OR THE INFORMATION CONTAINED HEREIN.
Altiris may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights that relate to the Products referenced herein. The furnishing of this document and other materials and information does not provide any license, express or implied, by estoppel or otherwise, to any foregoing intellectual property rights.
No part of this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means without the express written consent of Altiris, Inc.
Customers are solely responsible for assessing the suitability of the Products for use in particular applications. Products are not intended for use in medical, life saving, life sustaining, critical control or safety systems, or in nuclear facility applications.
Copyright © 2006, Altiris, Inc. All rights reserved.
Altiris, Inc.
588 West 400 South
Lindon, UT 84042
Phone: (801) 226-8500
Fax: (801) 226-8506
*Other company names or products mentioned are or may be trademarks of their respective owners.
Information in this document is subject to change without notice. For the latest documentation, visit www.altiris.com.
Contents
Summary
Console Users and Passwords
Rights to the Deployment Server Console Options
Permissions
Computer Permissions
Job Permissions
Express Database Security Tables
SecurityGroup
SecurityGroupMember
SecurityPermission
SecurityPermissionLink
SecurityPrivilege
SecurityPrivlegeLink
SecurityUser
Express Database Security Tables
Summary
The purpose of this document is to explain the components of Deployment Solution Security.
Deployment Solution has three levels of Console Security:
· Console Users and Passwords
· Rights to the Deployment Server Console Options
· Permissions
SQL Permission
When a Deployment Solution Console is installed on a computer, an ODBC System DSN is created for access to the express database. The DSN is configured to use “Windows NT authentication using the network login ID”.
When a user clicks on the Deployment Console icon on the desktop, the user is authenticated to the \\%DSSERVER%\express\express.exe file and authenticated to the express database. The user must have DBO permissions to the express database.
If security is enabled, an AD account will be authenticated to the DS. If the currently logged on user is not authenticated, a Deployment Solution console log on dialog is displayed and a Deployment Solution login will be required.
Console Users and Passwords
There are no console users configured out of the box. As such, there are no restrictions on who can access the console or on the tasks that they can perform.
Users and groups are created on the Options > Security dialog.
Users can be imported from Active Directory, or Deployment Solution users can be created. All users, whether imported from AD or created in Deployment Solution, must have a password.
The first console user created will receive administrative rights by default.
The screenshot below shows a Deployment Solution user called Administrator. This is strictly a Deployment Solution account and is not associated in any way with the system “Administrator” account.
Since this is the first user created, it is given Administrator rights. With Administrator rights, this user will have all permissions and rights to the console.
Once a user is created and security is enabled, users will be required to log in to the Deployment Solution Console.
Rights to the Deployment Server Console Options
The second level of security is to give users and/or groups permissions to the “Program Options” dialog (Tools > Options) as well as specific tool bar options. These permissions are located in the SecurityPrivilege table.
Administrator
Options Console
Options Global
Options Domain Accounts
Options RapiDeploy
Options Agent Settings
Options Database Tokens
Options Task Password
Use PXE Configuration Utility
Options Virtual Centers
Manage Rejected Computers
Refresh Clients
Allow Scheduling on All Computers Group
Import/Export
A Deployment Solution administrator will have access to all tabs on the Program Options dialog.
In the screenshot shown below a second user “User1” is created.
A user/group given any of the “Options….” rights will have access to the respective tabs on the “Program Options” dialog.
For example: If “User1” was given only the “Options Console” right, only the Console tab will be available to that user.
A user that does not have the “Use PXE Configuration Utility” right will have the PXE Configuration option grayed out.
A user that doesn’t have rights to “Manage Rejected Computers” will get an “Access Denied” message if they attempt to access the “Rejected Computers”.
A user that doesn’t have rights to “Refresh Clients” will get an “Access Denied” message if they click the Reset Client Connections option.
A user that does not have the “Import/Export” permission will have the Import/Export option grayed out.
Permissions
The third level of security is Permissions. Permissions can be applied to computers and to jobs. Permissions are applied by right-clicking the resource and selecting Permissions.
An “Object Security” dialog will open. If a user or group is highlighted, the respective permissions will be displayed showing which permissions the user has to the specified resource. The dialog below shows the “Object Security” dialog for Computers.
The dialog below shows the Object Security dialog for jobs.
Computer Permissions
Create Computers
Create Computer Groups
Modify Object
Delete Object
Restore
Reject Connection
Execute Command
Copy File To
Remote Control
Wake up
Restart
Shutdown
Log off
Prompt User for Properties
Chat
Riloe Power On
Riloe Power Off
Riloe Reset Server
Riloe Interface
Change Agent Settings
Manage Physical Device Change Rules
Schedule Create Disk Image
Schedule Distribute Disk Image
Schedule Modify Configuration
Schedule Distribute Software
Schedule Capture Personality
Schedule Back Up Registry
Schedule Restore Registry
Schedule Copy File to
Schedule Run Script
Schedule Scripted OS Install
Schedule Shut down
Schedule Restart
Schedule Log off
Schedule Wake up
Allow Automation Install
Get Inventory
Reset Connection
Clear Status
Apply Regular License
Install BIS Certificate
Remove BIS Certificate
Automation Agent
Schedule Get Inventory
Delete History
Move Object
FSC power on
FSC power off
FSC reset server name
IBM power on
IBM power off
IBM interface
Dell power on
Dell power off
Dell reset
Dell interface
Job Permissions
Create Jobs
Create Job Folders
Modify Object
Delete Object
Create Disk Image
Distribute Disk Image
Modify Configuration
Distribute Software / Personality/ SVS Layer
Capture Personality
Back Up Registry
Restore Registry
Copy File to
Run Script
Scripted OS Install
Shut down
Restart
Log off
Wake up
Get Inventory
Schedule this job
Move Object
After configuring and enabling security, it may be necessary to run the Program Files\Altiris\express\Deployment Server\Techsup\Windows\DSDBSEcurity.exe utility to reset the role permissions.
Express Database Security Tables
SecurityGroup
group_id name description ad_group_netbios domain ad_group group_sid ad_group_domain
15000001 Administrators 0
15000007 Remote Control Users 0
15000008 Help Desk 0
SecurityGroupMember
user_id group_id
14000024 15000007
SecurityPermission
id name
1 Create Computers
2 Create Computer Groups
3 Create Jobs
4 Create Job Folders
5 Modify Object
6 Delete Object
7 Restore
8 Reject Connection
9 Execute Command
10 Copy File To
11 Remote Control
12 Wake up
13 Restart
14 Shut down
15 Log off
16 Prompt User for Properties
17 Chat
18 Riloe Power On
19 Riloe Power Off
20 Riloe Reset Server
21 Riloe Interface
22 Change Agent Settings
23 Manage Physical Device Change Rules
24 Create Disk Image
25 Distribute Disk Image
26 Modify Configuration
27 Distribute Software
28 Capture Personality
29 Distribute Personality
30 Back Up Registry
31 Restore Registry
32 Copy File to
33 Run Script
34 Scripted OS Install
35 Shut down
36 Restart
37 Log off
38 Wake up
39 Schedule Create Disk Image
40 Schedule Distribute Disk Image
41 Schedule Modify Configuration
42 Schedule Distribute Software
43 Schedule Capture Personality
44 Schedule Distribute Personality
45 Schedule Back Up Registry
46 Schedule Restore Registry
47 Schedule Copy File to
48 Schedule Run Script
49 Schedule Scripted OS Install
50 Schedule Shut down
51 Schedule Restart
52 Schedule Log off
53 Schedule Wake up
54 Allow Boot Works Install
55 Get Inventory
56 Reset Connection
57 Clear Status
58 Apply Regular License
59 Install BIS Certificate
60 Remove BIS Certificate
61 Bootworks Agent
62 Create Physical Device
63 Get Inventory Task
64 Schedule Get Inventory
65 Delete History
66 Schedule this job
67 Move Object
68 FSC power on
69 FSC power off
70 FSC reset server name
71 IBM power on
72 IBM power off
73 IBM interface
74 Dell power on
75 Dell power off
76 Dell reset
77 Dell interface
SecurityPermissionLink
permission_id user_id object_id allow
11 15000007 -1 1
12 15000007 -1 1
13 15000007 -1 1
14 15000007 -1 1
15 15000007 -1 1
17 15000007 -1 1
11 15000008 -1 1
12 15000008 -1 1
13 15000008 -1 1
14 15000008 -1 1
15 15000008 -1 1
17 15000008 -1 1
27 15000008 1000149 1
32 15000008 1000149 1
33 15000008 1000149 1
35 15000008 1000149 1
36 15000008 1000149 1
37 15000008 1000149 1
38 15000008 1000149 1
SecurityPrivilege
privilege_id name
1 Administrator
2 Options Console
3 Options Global
4 Options Domain Accounts
5 Options RapiDeploy
6 Options Agent Settings
7 Options Database Tokens
12 Options Task Password
13 Use PXE Configuration Utility
14 Options Virtual Centers
8 Manage Rejected Computers
9 Refresh Clients
10 Allow Scheduling on All Computers Group
11 Import/Export
SecurityPrivlegeLink
user_id privilege_id
15000001 1
14000024 2
14000023 1
SecurityUser
user_id name fullname description password ad_user
14000024 rIKS[IuLOF|aIP User1 W[]SZOZIx|dJAPod@ 0
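The following is an added example, not part of the Altiris white paper or product. It loads the sample rows from the tables above into an in-memory SQLite database, standing in for the express database, and resolves the privileges and permissions a user holds directly or through group membership. The function names are hypothetical, allow = 1 is assumed to mean a grant, and SecurityPrivlegeLink is spelled as on this page.

```python
import sqlite3

# Rows are copied from this page's table excerpts, with columns trimmed to those
# used here. Reading allow = 1 as "granted" is an assumption of this example.
SCHEMA = """
CREATE TABLE SecurityGroup(group_id, name);
CREATE TABLE SecurityGroupMember(user_id, group_id);
CREATE TABLE SecurityPermission(id, name);
CREATE TABLE SecurityPermissionLink(permission_id, user_id, object_id, allow);
CREATE TABLE SecurityPrivilege(privilege_id, name);
CREATE TABLE SecurityPrivlegeLink(user_id, privilege_id);"""
ROWS = {
    "SecurityGroup": [(15000001, "Administrators"), (15000007, "Remote Control Users"),
                      (15000008, "Help Desk")],
    "SecurityGroupMember": [(14000024, 15000007)],
    "SecurityPermission": [(11, "Remote Control"), (12, "Wake up"), (13, "Restart"),
                           (14, "Shut down"), (15, "Log off"), (17, "Chat"),
                           (27, "Distribute Software"), (32, "Copy File to"),
                           (33, "Run Script"), (35, "Shut down"), (36, "Restart"),
                           (37, "Log off"), (38, "Wake up")],
    "SecurityPermissionLink":
        [(p, g, -1, 1) for g in (15000007, 15000008) for p in (11, 12, 13, 14, 15, 17)]
        + [(p, 15000008, 1000149, 1) for p in (27, 32, 33, 35, 36, 37, 38)],
    "SecurityPrivilege": [(1, "Administrator"), (2, "Options Console")],
    "SecurityPrivlegeLink": [(15000001, 1), (14000024, 2), (14000023, 1)],
}
# Link tables hold group ids in user_id too, so resolve the user plus its groups.
PRINCIPALS = """WITH pr(pid, via) AS (
  SELECT ?, 'direct' UNION ALL
  SELECT g.group_id, g.name FROM SecurityGroupMember m
  JOIN SecurityGroup g ON g.group_id = m.group_id WHERE m.user_id = ?) """

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn

def effective_rights(conn, user_id):
    """Return (privileges, permissions) held directly or through a group."""
    privs = conn.execute(PRINCIPALS + """SELECT p.name, pr.via FROM pr
        JOIN SecurityPrivlegeLink l ON l.user_id = pr.pid
        JOIN SecurityPrivilege p ON p.privilege_id = l.privilege_id
        ORDER BY p.privilege_id""", (user_id, user_id)).fetchall()
    perms = conn.execute(PRINCIPALS + """SELECT p.name, l.object_id, pr.via FROM pr
        JOIN SecurityPermissionLink l ON l.user_id = pr.pid AND l.allow = 1
        JOIN SecurityPermission p ON p.id = l.permission_id
        ORDER BY l.object_id, p.id""", (user_id, user_id)).fetchall()
    return privs, perms
```

Each permission row carries the object_id it is scoped to and the group that supplied it, so a review can see where a right such as Run Script or Remote Control comes from.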
Express Database Security Tables