Restricting Package Access Credentials
The Symantec Management Platform (SMP) agent installed on managed endpoints and package servers uses credentials to retrieve packages. From a security best practice perspective, the privileges associated with the package credentials should be set to the minimum level required to access the packages while not allowing access to other network resources. This article provides best practices for reducing the privilege and permissions associated with the credentials used to access software packages. It explains the different levels of Symantec Management Platform credentials and then walks you through the process of limiting access to the credentials so that they cannot be used to access other network resources.
About Symantec Management Platform (SMP) credentials
The SMP lets you define three levels of credentials with varying degrees of privileges and permissions.
- The Application Identity account is set up during installation. It provides all the necessary and all-encompassing privileges for Notification Server to run if no other credentials are configured. The Application Identity is the only account set up by default; the other two credentials fall back to the Application Identity if they are not configured.
- The Agent Connectivity Credential (ACC) is used by the Package Server Agent to add file-based security to downloaded package files, if so configured. If the ACC is not set, then the agents will use the Application Identity (application credential) by default. At minimum, Symantec recommends that you specify different credentials for the ACC.
- The Distribution Point Credential (DPC), if configured, is used by the Notification Server to connect to Software Delivery packages that have a UNC share as a source. Such packages are published by the Notification Server via a virtual directory that uses the DPC to connect to the specified UNC share.
Using DPC and UNC shares for Software Delivery packages allows packages to be staged in a location that is not generally accessible to the Agent Connectivity Credential (ACC).
If the DPC credential is not set, the agents and package servers use either the Agent Connectivity Credential (ACC) or the Application Identity to try to retrieve packages. For a more granular separation of rights and privileges, Symantec recommends that you configure the DPC credential with a distinct user name and password.
Step 1: Create a unique domain/workgroup account
Before you restrict package access credentials within the Symantec Management Platform, you should limit the access level of the Active Directory domain account or Windows Workgroup local user account that functions as the Notification Server service account. How you do this depends on your specific setup. Symantec recommends that you create a unique set of credentials for package storage access on the Symantec Management Platform. You should ensure that the account is a “least privilege access” account.
Step 2: Configure Symantec Management Platform credentials
Next, you should make sure that your Symantec Management Platform credentials are defined in a more granular fashion. At minimum, set the Agent Connectivity Credential to be different from the Application Identity.
1) To configure the Agent Connectivity Credential (ACC) in the Symantec Management Console:
a) In a 7.x environment, navigate to Settings > Agents/Plug-ins > Symantec Management Agent > Settings > Symantec Management Agent Settings – Global > Authentication tab. Click Use these credentials and provide credentials different from the application credentials.
b) In a 6.x environment, navigate to Configuration > Server Settings > Notification Server Infrastructure > Package Servers > Settings.
2) To configure a Distribution Point Credential in the Symantec Management Console:
a) In a 7.x environment, navigate to Settings > Notification Server > Notification Server Settings > Distribution Point Credential tab. Click Use these credentials and provide unique credentials.
b) In a 6.x environment, navigate to Configuration > Server Settings > Advanced Notification Server Settings > Distribution Point Credential (DPC).
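After completing the steps above, it is worth confirming that the dedicated package account from Step 1 really is a least-privilege account. The following PowerShell audit is an added example, not part of this article or of the Symantec product; the account name CORP\svc-smp-pkg, the share \\pkgsrv01\Packages and the list of privileged groups are assumed placeholders to replace with your own values.

```powershell
# Added example: audit a package-access account (ACC or DPC) for least privilege.
# Placeholders (assumptions, not values from the article): account and UNC share below.
param(
    [string]$Account   = 'CORP\svc-smp-pkg',    # placeholder: account created in Step 1
    [string]$SharePath = '\\pkgsrv01\Packages'  # placeholder: UNC package source used by the DPC
)

$findings = @()

# 1. The account should not hold broad rights on the host running this check
#    (for example a package server): no local Administrators membership.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
if ($admins.Name -contains $Account) {
    $findings += "$Account is a member of the local Administrators group"
}

# 2. Domain-level check (needs the ActiveDirectory module): no privileged group membership.
#    The group list is an assumed baseline; extend it to match your domain.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $sam    = ($Account -split '\\')[-1]
    $groups = Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Server Operators', 'Backup Operators')
    foreach ($g in $privileged) {
        if ($groups -contains $g) { $findings += "$Account is a member of $g" }
    }
}

# 3. Rights on the package share: retrieving packages only needs Read, so flag any
#    Allow entry for the account that grants Write, Modify or FullControl.
$acl = Get-Acl -Path $SharePath
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -eq $Account -and $ace.AccessControlType -eq 'Allow') {
        $rights = [string]$ace.FileSystemRights
        if ($rights -match 'FullControl|Modify|Write') {
            $findings += "$Account has '$rights' on $SharePath; Read is sufficient"
        }
    }
}

if ($findings.Count -eq 0) { "No least-privilege findings for $Account" } else { $findings }
```

Run it on a package server with an account that can read the local Administrators group and the share ACL; each line of output is a deviation from the least-privilege goal of Step 1.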