ELM is a client/server application that automates a variety of the administrative functions required for monitoring and managing Windows-based servers and TCP/IP systems and devices.
Since ELM is intended for system and network administrators, the default out-of-box security configuration is designed to allow only accounts with administrative rights to add, remove or change ELM settings. ELM has the following main components:
•ELM Server
•ELM Server Database
•Agents
•ELM Console
•ELM Advisor
Each of these components can be secured at a granular level, enabling administrators to delegate permissions to individual users, groups, or classes of users.
There are multiple layers of security that surround an ELM Server:
Setup / Installation - To install an ELM Server, you must be logged into an account with administrative rights on the computer. Without these rights, setup will not be able to create the ELM Server service, write the appropriate registry entries, register DCOM classes, or grant log on as a service rights to the ELM Server service account.
Service Agents - To install a Service Agent on a computer, you must be logged on with an account that has administrative rights on the Agent computer. Without those rights, you will not be allowed to copy the Agent binaries to the target system, create the ELM Agent service, or grant log on as a service rights to the Agent service account. When you install a Service Agent through the ELM Console, all files are copied from the ELM Console computer to the Agent computer. If your currently logged on account does not have administrative rights on the Agent computer, a Connect As dialog will appear, allowing you to specify alternate credentials (e.g., a local administrator username and password).
Management Console - Communication between the ELM Server and the ELM Console or ELM Advisor is done with Distributed COM (DCOM). The ELM Server service requires DCOM Allow Access permissions to the ELM Console and ELM Advisor. In turn, users running the ELM Console or ELM Advisor require DCOM Allow Launch permissions to the ELM Server.
ELM uses integrated Windows Security (NTLM or Kerberos depending on the Server and Agent OS) for authenticating users. Some of the functions won't succeed (such as killing a task or managing services) unless you have administrative rights on the computer being monitored. ELM supports object and item-level security through the ELM Console. This means that you can apply Windows Access Control Lists (ACLs) to objects in your ELM hierarchy.
Data Encryption - ELM incorporates proprietary data encryption. All data sent between the following components is encrypted using this mechanism:
•Communication between a Service Agent and an ELM Server.
•Communication between two ELM Servers (via the Forward Event Notification Method).
Data sent between the Server and its database, the Server and the Management Console, the Server and Virtual Agents, and between the Server and IP Agents is not natively encrypted.
Note
If desired, you may configure additional encryption. Data between the Server and the Console can be encrypted by setting packet-level authentication via the Windows DCOM Configuration Utility (DCOMCNFG), also known as the Component Services snap-in. Refer to this utility's help file for instructions on configuring DCOM encryption. Because this additional encryption adds substantial overhead to the system, we recommend against using DCOM packet encryption.
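As an added example that is not part of the ELM documentation, the following PowerShell reports the DCOM authentication level actually in effect for a server's DCOM applications, so an administrator can verify what DCOMCNFG has set before deciding whether the overhead is acceptable. The "ELM" name filter and the registry location of the machine-wide default are assumptions; adjust the filter to the application name shown under Component Services > DCOM Config.

```powershell
# Added example (not ELM's own code): audit DCOM authentication levels.
# Names for the DCOM AuthenticationLevel values (RPC_C_AUTHN_LEVEL_*).
$AuthLevelNames = @{
    0 = 'Default'            # per-application value not set; machine default applies
    1 = 'None'
    2 = 'Connect'
    3 = 'Call'
    4 = 'Packet'             # every packet is authenticated, payload not encrypted
    5 = 'Packet Integrity'   # packets are signed, payload not encrypted
    6 = 'Packet Privacy'     # the only level that encrypts the call payload
}

function Get-DcomMachineDefaultAuthLevel {
    # Assumption: DCOMCNFG stores the machine-wide "Default Authentication Level"
    # as LegacyAuthenticationLevel under HKLM\SOFTWARE\Microsoft\Ole.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    if ($null -ne $ole.LegacyAuthenticationLevel) { return [int]$ole.LegacyAuthenticationLevel }
    return 2   # Windows falls back to Connect when the value is absent
}

function Get-DcomAuthLevelReport {
    param([Parameter(Mandatory)] [string] $NameFilter)

    # Win32_DCOMApplication gives the display name; Win32_DCOMApplicationSetting
    # holds the per-AppID security settings, including AuthenticationLevel.
    $settingsByAppId = @{}
    Get-CimInstance -ClassName Win32_DCOMApplicationSetting |
        ForEach-Object { $settingsByAppId[$_.AppID] = $_ }

    $machineDefault = Get-DcomMachineDefaultAuthLevel

    Get-CimInstance -ClassName Win32_DCOMApplication |
        Where-Object { $_.Name -like "*$NameFilter*" } |
        ForEach-Object {
            $setting   = $settingsByAppId[$_.AppID]
            $level     = if ($null -ne $setting.AuthenticationLevel) { [int]$setting.AuthenticationLevel } else { 0 }
            $effective = if ($level -eq 0) { $machineDefault } else { $level }
            [pscustomobject]@{
                Name             = $_.Name
                AppID            = $_.AppID
                ConfiguredLevel  = $AuthLevelNames[$level]
                EffectiveLevel   = $AuthLevelNames[$effective]
                # Anything below Packet Privacy sends the DCOM payload in the clear.
                EncryptsPayload  = ($effective -eq 6)
            }
        }
}

Get-DcomAuthLevelReport -NameFilter 'ELM' | Format-Table -AutoSize
```

Run from an elevated PowerShell session on the ELM Server; EncryptsPayload is only true at Packet Privacy, since the Packet and Packet Integrity levels authenticate or sign each call without encrypting its contents.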
Integrated Security - ELM integrates with Windows security to secure objects and containers in the ELM configuration. Windows access control lists are checked when users access ELM through the MMC Management Console or the ELM COM interfaces. You may assign or explicitly deny the following types of access to users and groups:
•Read Only
•Read, Write, Delete
•Full Control
The default security settings for all objects and items are:
•Administrators - Full Control
•Everyone - Read Only
Integrated Auditing - ELM supports auditing of access and modification to ELM Server objects. This enables administrators to audit configuration changes to ELM Server objects.