Change default Passwords:
Even if the KACE SDA or the RSA is set up to use LDAP authentication, one local user, “admin”, remains. This account cannot be deleted, so it is imperative that its default password be changed immediately after system installation.
To change the local admin password on the KACE SDA or the RSA, log in to the WebUI.
On appliances running an older version, go to Settings & Maintenance | Control Panel | Users.
On appliances running the latest version, navigate to Settings | Users.
Click the “admin” user, fill in the Password fields, and then click the “save” button.
The K2000 also has passwords for its Samba shares, its Boot Manager, and the KBE VNC Server (if not disabled). These should also be changed from their defaults after the system is installed.
Note: Changing the Samba share password also requires rebuilding all the KBEs on the K2000, because the password is stored within the KBE itself; KBEs created before the password change will no longer function properly.
To change the K2000 default passwords:
On older systems, navigate to Settings & Maintenance | Control Panel, then scroll to the bottom of the screen and click the “edit” button.
Scroll up to the top and enter the new password for the Samba Shares, Boot Manager and/or VNC Password.
Then scroll to the bottom and click the “save” button.
On later versions, navigate to Settings | General Settings.
Enter the new password for the Samba Shares, Boot Manager and/or VNC Password.
Then scroll to the bottom and click the “save” button.
LDAP Security:
If using an LDAP server for authentication, ensure the LDAP server follows LDAP security best practices:
http://msdn.microsoft.com/en-us/library/aa913688.aspx
Note that LDAP authentication is used only for logging in to the WebUI; it is not used for the KACE SDA Samba share, Boot Manager, or VNC server passwords.
Network Security:
It is recommended that the KACE SDA and the RSA not use public IP addresses. Further, it is recommended that there be no Internet ingress to either the KACE SDA or the RSA. Should the Internet be required for communication between a KACE SDA and its RSA, both appliances should be behind a firewall that opens only ports 80, 443, and 22 between the KACE SDA IP address and the RSA IP address, blocking all other Internet IP addresses from access.
If Internet access to the KACE SDA WebUI is required, SSL should be enabled on the KACE SDA and a firewall rule set to allow only port 443 to reach the K2000 or the RSA. Even with SSL active, no other ports, including port 22 on the KACE SDA or the RSA, should be open for general Internet access; they should be opened only for the specific KACE SDA or RSA IP addresses. Keep in mind that SSL does not encrypt Samba, Boot Manager, or VNC traffic.
To enable tether support and driver feed access, ensure the KACE SDA and RSA have egress to the Internet on ports 22, 80, and 443.
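The firewall policy in this section, expressed as a small rule checker that flags exposures the text warns against (for example, port 22 or the Samba port open to the whole Internet). This is an added example, not Quest's code; the appliance addresses, the Rule format and the sample rule set are constructed placeholders.

```python
# Added example (not Quest's code). Checks firewall rules against the policy above:
# SDA <-> RSA only on 22/80/443, WebUI on 443 from the Internet only when SSL is on,
# appliance egress only on 22/80/443 (tether and driver feed). Addresses are placeholders.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

SDA_IP = ipaddress.ip_address("192.0.2.10")      # placeholder KACE SDA address
RSA_IP = ipaddress.ip_address("198.51.100.20")   # placeholder RSA address
APPLIANCE_PORTS = {22, 80, 443}

@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" (to an appliance) or "egress" (from an appliance)
    src: str         # CIDR or single address
    dst: str
    port: int

def _is_appliance(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return net.num_addresses == 1 and net.network_address in (SDA_IP, RSA_IP)

def check_rule(rule: Rule, webui_over_ssl: bool = False) -> Optional[str]:
    """Return None if the rule fits the policy, otherwise a short reason."""
    if rule.direction == "egress":
        if not _is_appliance(rule.src):
            return "egress rule must originate from the SDA or RSA"
        if rule.port not in APPLIANCE_PORTS:
            return f"egress on port {rule.port} is not needed (tether/driver feed use 22, 80, 443)"
        return None
    if not _is_appliance(rule.dst):
        return "ingress rule must terminate at the SDA or RSA"
    if _is_appliance(rule.src) and rule.port in APPLIANCE_PORTS:
        return None                      # SDA <-> RSA traffic on 22/80/443
    if rule.port == 443 and webui_over_ssl:
        return None                      # WebUI over SSL may be reachable from the Internet
    if rule.port == 22:
        return "port 22 must not be open for general Internet access"
    return f"port {rule.port} from {rule.src} is not limited to the appliance addresses"

def audit(rules: List[Rule], webui_over_ssl: bool = False) -> List[Tuple[Rule, str]]:
    """List every violating rule with its reason; an empty list means the set is compliant."""
    findings = [(r, check_rule(r, webui_over_ssl)) for r in rules]
    return [(r, why) for r, why in findings if why is not None]

SAMPLE_RULES = [  # constructed sample rule set
    Rule("ingress", "198.51.100.20/32", "192.0.2.10/32", 22),   # RSA -> SDA: allowed
    Rule("ingress", "0.0.0.0/0", "192.0.2.10/32", 443),        # Internet -> WebUI over SSL
    Rule("ingress", "0.0.0.0/0", "192.0.2.10/32", 22),         # Internet -> SSH: violation
    Rule("ingress", "0.0.0.0/0", "192.0.2.10/32", 445),        # Samba exposed: violation
    Rule("egress", "192.0.2.10/32", "0.0.0.0/0", 443),         # driver feed: allowed
]
```

Running `audit(SAMPLE_RULES, webui_over_ssl=True)` reports the two Internet-wide rules (ports 22 and 445) and accepts the rest; with `webui_over_ssl=False` the 443 rule is reported as well.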
Recovery Account (CVE-2011-4046)
Arbitrary Command Execution (CVE-2011-4047)
Account Info Disclosure (CVE-2011-4048)
Cross-site Scripting (XSS) Vulnerabilities (CVE-2011-4436)
In addition, we test the K2000 for XSS vulnerabilities using standard network security tools such as OpenVAS and QualysGuard. Occasionally these tools may miss a vulnerability; if any are discovered, we endeavor to correct them as quickly as possible.
XSS vulnerabilities reported thus far require authenticated access to the KACE SDA administrative interface in a role that can reach particular URLs.
We recommend that our customers use browsers, such as Chrome, and browser plug-ins, such as NoScript, that mitigate XSS vulnerabilities on all websites.