How are Passwords at Rest Encrypted?

Article ID: 387213

Products

Carbon Black EDR

Issue/Introduction

How are passwords stored and encrypted for Carbon Black EDR and Carbon Black App Control? 

Environment

  • Carbon Black EDR: All Versions
  • Carbon Black Application Control: All Versions

Resolution

Carbon Black EDR:

SOLR and PostGres: these service passwords cannot be hashed, because the EDR server uses them to connect and must retrieve them at start-up. They are stored in configuration files and protected by file permissions, possibly with a level of obfuscation. Proper encryption is not feasible without also supporting a KMS integration for storing the key; otherwise the key would also be stored locally.

These credentials are only valid in the context of the EDR server because, by default, SOLR and PostGres are restricted to localhost. An attacker would have to be a local administrator to obtain them, in which case they could already do anything anyway.

The only ports open for inbound communication should be Sensor (443) and WebUI (443 unless customized). In clustered instances, nodes also talk to each other over service ports. For the recommended local firewall rules, run /usr/share/cb/cbcheck firewall -L on each node to list them and /usr/share/cb/cbcheck firewall -a to apply them.
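The two controls described above (credential files readable only by the service owner, and SOLR/PostGres bound to localhost so that only 443 is reachable from other hosts) can be audited from a short script. The following is an added example, not code from the article or from Carbon Black; the listener output and port numbers are constructed sample data in the shape of `ss -ltnH`, and the file-permission check uses a temporary file rather than any real EDR configuration path.

```python
import os
import stat
import tempfile

# Ports the article expects to accept inbound traffic: Sensor and WebUI (both 443 by default).
ALLOWED_INBOUND_PORTS = {443}

# Constructed sample in the shape of `ss -ltnH` (State Recv-Q Send-Q Local:Port Peer:Port).
# The port numbers are illustrative, not the products' actual configuration.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8983 [::]:*
"""


def parse_listeners(ss_output):
    """Turn `ss -ltnH`-style lines into (local_address, port) tuples."""
    listeners = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # rpartition handles IPv6 forms such as [::1]:8983 as well as 0.0.0.0:443
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def exposed_listeners(listeners):
    """Listeners reachable from other hosts that are not on an allowed inbound port."""
    loopback = {"127.0.0.1", "::1", "[::1]"}
    return [(a, p) for a, p in listeners
            if a not in loopback and p not in ALLOWED_INBOUND_PORTS]


def readable_beyond_owner(path):
    """True if a credential file grants group or world read/write access."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH))


def demo_file_check():
    """Show the check on a throwaway file: 0644 is flagged, 0600 is not."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = readable_beyond_owner(path)
        os.chmod(path, 0o600)
        after = readable_beyond_owner(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    for addr, port in exposed_listeners(parse_listeners(SAMPLE_SS)):
        print("service reachable from the network on %s:%d; expected loopback only" % (addr, port))
    print("permission check (0644 flagged, 0600 clean):", demo_file_check())
```

On a real node, replace `SAMPLE_SS` with the output of `ss -ltnH` and point `readable_beyond_owner` at the configuration files that hold the SOLR and PostGres credentials; anything listed by `exposed_listeners` other than 443 (or the cluster service ports on a clustered install) deserves a look at the local firewall rules.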

Carbon Black Application Control:

AppC uses named pipes to connect to MSSQL, so no passwords are stored there.

Both Products:

Console user passwords: we recommend that all customers integrate with their enterprise Single Sign-On, which gives control over user access and password management and can even enforce MFA. Both products support such integrations. For the out-of-the-box product authentication, both products hash and salt passwords using valid algorithms. Both products can support FIPS mode and have gone through Common Criteria, which should give some confidence in the encryption algorithms and libraries being used.