Home > Enable Agent Proxy, Security > Security Risk of Enabling Agent proxy

Security Risk of Enabling Agent proxy

This was a great post by Dan Rogers on the potential security risks of enabling Agent Proxy:

Dan Rogers:
If someone can get you to import a management pack, and that management pack discovers classes and assigns them to another server, then the potiential exists that you have been duped into running a managment pack rule that you thought was safe.

It’s a subtle internal social engineering attack – so there is a warning on the enable proxy box and we took steps to make it not easy to skip that warning.

That said, nearly every management pack that is coming in the future will not function adequately or at all if proxy isn’t enabled. This is because management packs are becoming sophisticated in the way they project health states in products that inherently have multiple server roles. When a management pack creates a roll-up tree in a diagram view, it typically will need proxy enabled.

The decision to enable proxy comes with a great responsibility – that is to always be sure you TRUST with absolute certainty, the source you got that management pack from. Since the proxy-enabled attack is most likely to come from inside your company, you may want to put a process in place (like we have at MSFT) to design-check every management pack before it is ready to be used in production environments.

Advertisements
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: