Moderate – HP Systems Insight Manager User Manual
Page 116
• The CMS requires a user name and password to access WMI data on Windows systems. By default, a domain administrator account can be used for this, but you should use an account with limited privileges for WMI access. You can configure the accounts accepted by each Windows managed system by using the Computer Management tool:
  1. Select the WMI Control item.
  2. Right-click WMI Control, and then select Security.
  3. Select the Security tab, select Root namespace, and then click Security.
  4. Add a user to access WMI data along with their access rights. The Enable Account and Remote Enable permission options must be enabled for correct operation of HP SIM.
  5. The user name and password specified here must be configured in the CMS.
• Set up user accounts for Insight Web Agents.
• Add the CMS SSH public key to the system's trusted key store by running mxagentconfig on the CMS.
• Configure the trust relationship option for Insight Web Agents; import the CMS SSL certificate if set to trust by certificate.
CAUTION: Establishing trust by certificate for HP SMH enables any HP SIM user to gain administrative access to the HP SMH hosts. This enables the HP SIM user to execute any command remotely on the HP SMH host.
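As an added example (not from the HP manual or the HP SIM product), the following PowerShell function audits the DACL of the WMI Root namespace on a managed Windows system to confirm that the limited-privilege account you created in step 4 holds the Enable Account and Remote Enable rights, and lists every other trustee that holds them as well. The function name and the account CONTOSO\simwmi are assumptions.

```powershell
# Added example; not part of HP SIM. Audits WMI namespace security on a managed
# Windows system. Run with local administrator rights (Windows PowerShell 5.1,
# where Invoke-WmiMethod is available).
function Test-HpSimWmiAccess {
    param(
        [string]$Account      = 'CONTOSO\simwmi',  # hypothetical limited-privilege CMS account
        [string]$Namespace    = 'root',            # the "Root namespace" selected in WMI Control
        [string]$ComputerName = '.'
    )

    # Access-mask bits of a WMI namespace security descriptor.
    $WBEM_ENABLE        = 0x1    # "Enable Account" in the WMI Control UI
    $WBEM_REMOTE_ACCESS = 0x20   # "Remote Enable" in the WMI Control UI
    $CONTAINER_INHERIT  = 0x2    # AceFlags bit: ACE also applies to sub-namespaces
    $Required = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS

    $result = Invoke-WmiMethod -ComputerName $ComputerName -Namespace $Namespace `
                               -Path '__systemsecurity=@' -Name GetSecurityDescriptor
    if ($result.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor on $Namespace failed with code $($result.ReturnValue)"
    }

    $accountOk = $false
    foreach ($ace in $result.Descriptor.DACL) {
        $trustee  = if ($ace.Trustee.Domain) { '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name } else { $ace.Trustee.Name }
        $allowed  = ($ace.AceType -eq 0)                          # 0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED
        $hasBoth  = (($ace.AccessMask -band $Required) -eq $Required)
        $inherits = (($ace.AceFlags -band $CONTAINER_INHERIT) -ne 0)

        if ($trustee -eq $Account) { $accountOk = $allowed -and $hasBoth }

        # One row per ACE so the administrator can see who else has Enable + Remote Enable.
        [pscustomobject]@{
            Trustee         = $trustee
            Allow           = $allowed
            AccessMask      = ('0x{0:X}' -f $ace.AccessMask)
            EnableAndRemote = $hasBoth
            SubNamespaces   = $inherits
        }
    }

    if (-not $accountOk) {
        Write-Warning "$Account lacks Enable Account + Remote Enable on $Namespace; HP SIM WMI collection will fail."
    }
}

# Usage: Test-HpSimWmiAccess -Account 'CONTOSO\simwmi' | Format-Table -AutoSize
```

Rows where a broad group such as a domain administrators group shows EnableAndRemote = True indicate that more than the intended account can read WMI data remotely.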
How to: lockdown versus ease of use on Windows systems
Moderate
The HP Insight Management Agents should be configured to trust by certificate. This requires distributing the HP SIM certificate, which includes the public key, to all the managed systems. After the systems have been configured to trust the HP SIM system, they will accept secure commands from that particular system only.
This certificate can be distributed in a number of different ways, including:
• Use the Configure or Repair Agents Set Trust Relationship option in HP SIM to deploy the HP SIM certificate to the managed systems. Depending on the managed system, this might use SSL or Windows network connections to copy files and configure the managed systems.
• Use the Web-based interface in an individual Insight Management Agent to specify the HP SIM system to trust. This causes the agent to pull the digital certificate from the HP SIM system immediately, enables you to verify it, and then sets up the trust relationship. This option has a limited vulnerability: it would be possible to spoof the HP SIM system at the time the certificate is pulled and thus set up an unexpected trust relationship. However, it is reasonably secure for most networks.
• Import the HP SIM certificate during initial installation of the Insight Management Agents. This can be done manually during an attended installation or through the configuration file in an unattended one. This method is more secure because there is little opportunity for the spoofing attack described above.
• If you have already deployed the Insight Management Agent, you can distribute the security settings file and the HP SIM certificate directly to the managed systems using operating system security.
116
Understanding HP SIM security