A.05.80 HP Insight Remote Support Advanced and Remote Device Access Security Overview (October 2012)

Security Overview
Chapter 2: HP Insight Remote Support Advanced
in the Microsoft® Windows® domain. An account that cannot authenticate against the operating
system cannot be used to sign in to HP SIM or Insight RSA.
Note: A user who is already signed in to HP Systems Insight Manager is not re-authenticated
against the operating system until the next sign-in attempt. Until signing out, the user remains
signed in to HP Systems Insight Manager and retains all rights and privileges therein.
Important: If creating operating system accounts exclusively for HP Systems Insight Manager
accounts, give users the most limited set of operating system privileges necessary to accomplish
the required function. Any root or administrator accounts should be properly guarded. Configure all
password restrictions, lock-out policies, and user profiles in the operating system.
• File system
Access to the file system should be restricted to protect the object code of HP Insight Remote Support
Advanced. Inadvertent modifications to the object code can adversely affect the operation of Insight
RSA. Malicious modification can allow for covert attacks, such as capturing sign in credentials or
modifying commands to managed systems. Read-level access to the file system should also be
controlled to protect sensitive data such as private keys and passwords, which are stored in a
recoverable format on the file system. The Insight Remote Support Advanced installation wizard sets
appropriate restrictions on the application files and directories. These restrictions should not be
changed because this could adversely impact the operation of Insight RSA or allow unintended access
to the files.
• Signed applet
Previous versions of HP Systems Insight Manager use a Java plug-in that may additionally display a
warning about trusting a signed applet. Those previous versions of HP Systems Insight Manager use
an applet signed by Hewlett-Packard Company, whose certificate is signed by VeriSign.
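One way to check that the restrictions described under "File system" are still in place, as an added PowerShell example that is not part of the HP documentation: it lists every allow entry that grants write or read access to a principal outside a short trusted list. The directory path is a placeholder and the trusted list is an assumption; substitute the actual installation directory and compare against what the installation wizard set.

```powershell
# Added example: report ACL entries on an application directory that give
# write or read access to principals outside a trusted list.
param(
    # Placeholder path; replace with the real Insight RSA installation directory.
    [string]$InstallDir = 'C:\PLACEHOLDER\InsightRSA-install-dir'
)

# Principals expected to hold access (assumption; adjust to local policy).
$Trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# Specific rights that allow changing file contents or the ACL itself.
# 'Modify' is deliberately not used in the mask because it also contains read bits.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$ReadMask  = [int][System.Security.AccessControl.FileSystemRights]'ReadData'

# Generic rights can appear unmapped on inherit-only entries, so test them too.
$GenericAll   = 0x10000000
$GenericWrite = 0x40000000
$GenericRead  = 0x80000000   # parsed by PowerShell as a negative Int32

$items = @(Get-Item -LiteralPath $InstallDir) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }

        $raw      = [int]$ace.FileSystemRights
        $canWrite = ($raw -band ($WriteMask -bor $GenericAll -bor $GenericWrite)) -ne 0
        $canRead  = ($raw -band ($ReadMask  -bor $GenericAll -bor $GenericRead))  -ne 0
        if (-not ($canWrite -or $canRead)) { continue }

        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $who
            Access    = if ($canWrite) { 'write' } else { 'read' }  # write: object code at risk; read: stored keys and passwords at risk
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

An empty result means no principal outside the trusted list holds read or write access; any row is a deviation to compare against the permissions the installer applied.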
Data Collection Scripts
If creating operating system accounts exclusively for HP Systems Insight Manager accounts, give users
the most limited set of operating system privileges necessary to accomplish the required function. Any
root or administrator accounts should be properly guarded. Configure all password restrictions, lock-out
policies, and user profiles in the operating system.
Background Processes and Daemons
On Windows, HP Systems Insight Manager and Insight Remote Support Advanced are installed and run
as Windows services. By default, they run using the administrator account used during product
installation. The HP-UX Advanced Configuration Collector does not run as a daemon on HP-UX systems,
but instead executes a series of collection commands with restricted root access when invoked via the
HP System Management Homepage during data collection periods.
Security Auditing
The HP Systems Insight Manager and Insight Remote Support Advanced security audit logs contain
entries for important system activities, such as executed tasks, authorization modifications, and user sign