Client Management Suite

  • 1.  Can I create an encrypted dataclass

    Posted Nov 08, 2011 06:17 PM

    Hi Folks,

    I have a requirement to collect password details from laptops, and we have this set up OK.

    But our IT Security wants to see if that field in the database can be encrypted?

    The way this would need to work is that from within the Altiris console the field displays clear text, but if I was to go to the Symantec_CMDB and look up the dataclass, the data would be encrypted.

    Has anyone ever done anything like this?  Is this even possible?

    Thanks,

     

    Mick
    AU



  • 2.  RE: Can I create an encrypted dataclass

    Posted Nov 09, 2011 02:22 AM

    Are your passwords saved plain text on your laptops in the first place? Or are you talking about username-hashkey association?



  • 3.  RE: Can I create an encrypted dataclass

    Posted Nov 09, 2011 07:44 AM

    You should use SSL to transmit the data by installing a self-signed cert on the SMP, installing the self-signed cert through Group Policy, and then sending targeted agent settings that use port 443 instead of port 80.  Then modify scoping and security for everyone except the Symantec Administrators so that no one has permissions to this custom data class.  The data is now being transferred securely and only Symantec Administrators can view it or report on it.

    Does this help?



  • 4.  RE: Can I create an encrypted dataclass

    Posted Nov 09, 2011 06:18 PM

    So the scenario is:

    We are using Asset Management solution for all our desktops/notebooks, and each notebook has an individual administrator password.  This password was previously recorded to a Lotus Notes DB, but now we want to create a new data class in Altiris and make this field available from within the CI screen.

    The data class would have read/write access from the Symantec Admins role, and 1x Custom Role (Helpdesk).

    So far pretty easy; the fear from ITSA is that someone (I don't know who) could connect to the SQL Server and read the field from the database directly.

    We are investigating the SSL option, but even if this was implemented, I think the above would still be true?



  • 5.  RE: Can I create an encrypted dataclass

    Posted Nov 14, 2011 09:29 AM

    There would have to be a module that encrypts values, saves them into the database and decrypts them for a specific management platform security role to be displayed in the management console. I'm not aware of such a module.



  • 6.  RE: Can I create an encrypted dataclass

    Posted Nov 14, 2011 10:00 AM

    Hi mickwearn,

    Are you using a Custom Inventory script to collect these passwords?



  • 7.  RE: Can I create an encrypted dataclass

    Posted Nov 20, 2011 04:26 PM

    No - The service centre guys just enter them in, and look them up as needed.  I think the only option we have is to restrict read access to the field.
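
The encrypt-on-write, decrypt-for-one-role idea from reply 5 and the "restrict read access to the field" fallback from reply 7, sketched with SQL Server's built-in cell-level encryption. This is an added example, not part of the original thread and not Altiris code: every object name is constructed, nothing here matches the Symantec_CMDB schema, and the Altiris console would not decrypt such a column on its own.

```sql
-- Constructed demo objects; none of these names come from the Symantec_CMDB schema.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-passphrase>';
CREATE CERTIFICATE DemoFieldCert WITH SUBJECT = 'Demo field encryption';
CREATE SYMMETRIC KEY DemoFieldKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE DemoFieldCert;

CREATE TABLE dbo.DemoLocalAdminPassword (
    ComputerName nvarchar(64)   NOT NULL PRIMARY KEY,
    PasswordEnc  varbinary(512) NOT NULL   -- ciphertext only, never clear text
);

CREATE ROLE DemoHelpdesk;   -- may read and write the clear text
CREATE ROLE DemoReporting;  -- may list computers, but not read the secret
GO

-- Restricting read access to the field: column-level permissions.
GRANT SELECT, INSERT, UPDATE ON dbo.DemoLocalAdminPassword TO DemoHelpdesk;
GRANT SELECT ON dbo.DemoLocalAdminPassword (ComputerName) TO DemoReporting;
DENY  SELECT ON dbo.DemoLocalAdminPassword (PasswordEnc)  TO DemoReporting;

-- Only the helpdesk role is allowed to open the key.
GRANT VIEW DEFINITION ON SYMMETRIC KEY::DemoFieldKey TO DemoHelpdesk;
GRANT CONTROL ON CERTIFICATE::DemoFieldCert TO DemoHelpdesk;
GO

-- Write path: the value is encrypted before it reaches the table.
DECLARE @Computer nvarchar(64) = N'LAPTOP-0001';              -- constructed sample
DECLARE @Secret   nvarchar(64) = N'constructed-sample-value'; -- constructed sample

OPEN SYMMETRIC KEY DemoFieldKey DECRYPTION BY CERTIFICATE DemoFieldCert;

INSERT INTO dbo.DemoLocalAdminPassword (ComputerName, PasswordEnc)
VALUES (@Computer,
        ENCRYPTBYKEY(KEY_GUID('DemoFieldKey'), @Secret,
                     1, CONVERT(varbinary(128), @Computer)));
        -- The authenticator ties the ciphertext to this row, so a value
        -- copied onto another computer's row does not decrypt.

-- Read path for a principal that can open the key.
SELECT ComputerName,
       CONVERT(nvarchar(64),
               DECRYPTBYKEY(PasswordEnc, 1,
                            CONVERT(varbinary(128), ComputerName))) AS ClearText
FROM dbo.DemoLocalAdminPassword;

CLOSE SYMMETRIC KEY DemoFieldKey;

-- With the key closed, a direct query sees only the varbinary ciphertext.
SELECT ComputerName, PasswordEnc FROM dbo.DemoLocalAdminPassword;
```

Members of `sysadmin` or `db_owner` can still open the key, so this narrows what a direct table read exposes rather than removing trust in the database administrators.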