Disabling the default admin account in Messaging Gateway

book

Article ID: 197092

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

A common security best practice is to disable default administrative accounts to reduce a potential attacker's information when attempting to gain access to the system. If a default administrative account remains active, the attacker already knows the first part of the credentials needed to gain access to the system, a user name with administrative rights / access.

 

Resolution

Control Center GUI

Currently the default 'admin' account on Messaging Gateway cannot be disabled or removed but can have it's access level in the Messaging Gateway Control Center GUI significantly reduced as follows:

  1. Create an alternate local account on SMG via Administration > Administrators or set up an LDAP based administrator group via Administration > Policy Groups
  2. Assign that local account or admin policy group "Full Admin Rights"
  3. Open the "admin" account in Administration > Administrators and change the administration policy by either selecting an existing administration policy or creating a new one.

An administration policy must have at least one "right" on the system so a "No Access" policy with all rights disabled cannot be created.

Admin command line (CLI)

Currently, command line accounts can neither be created or removed. All SMG system have an active "admin" command line account. It is recommended that access to port 22 be restricted at the network firewall at additionally that access to the command line be restricted to trusted networks or network "jump hosts" via the sshd-config command.