8 years ago
Read only agent / collector
I know I've brought this up before, but I'd like to bring it up again. LM's requirement that collectors run as local admins (or system) is a GAPING security hole in your product. No amount of cer...
@Matthew Dunham I haven't had any luck finding a KB or how-to on running an LM collector as a non-admin account. The few articles I have found here https://www.logicmonitor.com/support/getting-started/i-just-signed-up-for-logicmonitor-now-what/3-adding-collectors/ and here https://www.logicmonitor.com/support/getting-started/advanced-logicmonitor-setup/running-without-administrator-privileges-in-windows/ only discuss setting up a collector with admin rights or stating "not supported and not recommended" in the verbiage. So if you could point me to a doc that shows how to run as a non-admin, with *supported* in the verbiage, I'll be happy to give it a go.
In regards to this comment "Although many of our customers prefer to run their Windows Collectors as a local admin or system account" I get that. I like things that are really easy too. But the easy way and the right way are two different things. There was a time when everyone used to run as a local admin on their desktops (easy way). Then we realized that was dumb, and security conscious companies started running as non-local admin accounts (right way). You shouldn't let customer preference determine proper security. It's one thing if you provide a *good* option to run your solution in a secure manner and the customer ignores it. It's totally different if you don't provide a good option and basically make the customer jump through a million hoops to lock down the gaping holes in your solution. You guys IMO fall into the latter. You suggest we run an RBAC all the while having a solution that's founded on local admin rights. Those two don't go together. RBAC is based on a principle that you start out in a 100% locked down configuration, and only delegate the minimum needed rights.
I acknowledge that Microsoft has created a pretty terrible solution for remote polling, but it is what it is and it's not going to change. Centrally managing WMI + DCOM rights TMK doesn't exist, at least not easily. Centrally managing MSI (agents) though is relatively speaking a trivial task. I don't love the idea of having to update 700+ devices every time there's a new update, but comparing that to having a solution that's one exploit or hack away from destroying my environment, I'll take it. You need to realize how dangerous your solution is to Windows environments, and frankly your customers should really start pondering it. One person hacks an admin login, and that customer is toast. Create an active discovery script with a single line of "shutdown -f -t 0" and every Windows system being monitored will shut down until the collector shuts itself down. Or even worse, deploy an active discovery script that downloads malware or some other dangerous thing and again, goes to down. You can come back and say signing will solve all of this, but it doesn't really. It reduces the vector, but it doesn't eliminate it. There's always a chance there's an exploit in the JVM you use, which would allow someone to bypass the signing. Having that JVM (or whatever agent service tech) run as an account that's not a local admin would mitigate most if not all of those issues. Sure, there is still a chance there's an exploit, but at that point, it's on MS and not you guys, which is honestly what you should want.
In general though, I'm not asking that LM change its architecture so that it ONLY works the way I requested, I'm asking for an enhancement for those of us that actually care about security in our Windows environment. I'm going to make a pretty bold statement, and say that if you're ok with running LM collectors under a service account that has full admin rights across every server it polls, that you don't care about security. IMO, running full blown collectors on every system is a hack, and not a good long term solution. You guys really need an agent, and I get that maybe it means a lot of changes on your end. However, it's the right solution long term for a secure Windows environment.
You guys make a kick butt monitoring solution, so I'm not trying to be disparaging, but this is a huge issue IMO. I've brought this up several times and each time it's either "too hard" or it's dismissed as a non-issue. I'm glad you've added many of my requested features, but I think this is one that deserves some serious consideration. I would love to chat more in person about ideas if you guys do decide to pursue it further. I have a few ideas on how I'd love to see it implemented.
@Mosh I get what you're saying, but it's the only way Windows will let you easily poll data without admin credentials. Going agentless + no admin rights is WAY harder to deal with than installing an agent + no admin rights.