All,
We're running LANDesk v8.8 and 8.8 SP1 across a series of cores and we've discovered the ability to perform at least two tasks that have serious security consequences.
1. Shutdown privilege
It appears that if any (admin or non-admin) LANDesk user logs into the 32-bit console and can see a computer, they can shut this computer down. Even if you have removed the Remote Control rights, if you can see the machine in your scope you have the Shutdown and Reboot option available when you right-click a machine.
We have created an agent that removes all modules (Remote Control, Custom Forms, Software Distribution & Profile Migration), leaving inventory only, and deployed this to a server. We then had a user who was not an admin over the server, but could see the server in their scope, successfully shut the server down. In their permissions they had Software Dist, Patch Mgmt and Remote Control rights, but since these options had been removed from the agent, how is it possible they can perform such a significant task as shutting down a server?
We have a number of cases where we want to grant some individuals the ability to query inventory information for all machines in a defined scope, but if granting someone the ability to 'see' a machine in LANDesk also grants them the ability to shut it down then this is a serious security risk.
Is it possible to disable this feature? Is it maybe a permission that is set somewhere that we haven't noticed? Is this by design, and if so, why? I can see the point of someone requiring the ability to perform this function, but it shouldn't be available carte blanche to every single person who has visibility over the server!
I'm aware that I can scope-out machines to remove rights to stop people doing this, but we have a requirement for some people to see all machines to track HW and SW inventory; therefore they need to see all machines.
Why present the option to remove the Remote Control module and the Reboot option from within here, when it's possible to perform this task with no user interaction/confirmation directly from the console?
I need to know if this is a bug or a feature, or if anyone else has experienced this, as in my opinion it is a major security problem.
2. Manage Local Users and Groups
In a similar scenario to the Shutdown privilege, it is possible, if a user is a LANDesk admin, regardless of their rights over a machine, to create a local user on a machine, make this user an admin and then use it to log on to that server. This only applies to LANDesk admins, and it could be argued that if a person is a LANDesk admin they are 'trusted' or should have the ability to perform this task.
This isn't always the case, and we've specifically designed an agent for servers removing the ability to patch, remote control, etc., as we just want inventory over a server. It appears that despite locking away the rights to stop deployment and remote control, it is possible for a LANDesk admin to create themselves an account and use it to log on to a server with admin rights, even though they should not have admin rights over this server.
We have a couple of scenarios where we have LANDesk admins but do not want them to perform this task as it could lead to a security breach. Why should a LANDesk admin be able to perform this role and what benefit does it bring? If a user is already an admin over that machine (or a domain admin) they can create user accounts, but using the Local System privileges of LANDesk to create admin user accounts (albeit local accounts) could be perceived as a back door into the system.
We want inventory for all machines and the ability to track assets using LANDesk, but we don't want all these elevated rights that you seem to receive when you drop an agent on a machine.
I need to know again if this is a bug or a feature, and how it's possible to remove these options without making the installation non-standard or non-supported.
Andy
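As an added example (not part of the original post or any LANDesk tooling), here is a PowerShell audit that a server owner can run to see whether either of the two actions described above has happened on a given server: remote shutdowns/reboots (System log event 1074) and local account creation or local group membership changes (Security log events 4720 and 4732). It assumes it is run elevated on the server itself and that account-management and security-group-management auditing are enabled; the account shown as the subject will be whatever the agent runs as (Local System, per the post) rather than the console user, which is itself a useful indicator.

```powershell
# Added example: audit a server for console-driven shutdowns and local admin
# account creation. Assumptions: run elevated on the server; "Audit User
# Account Management" and "Audit Security Group Management" are enabled so
# that events 4720 and 4732 are written to the Security log.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

function Get-NamedData {
    # Flatten a Security event's EventData into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 1. Shutdowns and reboots: User32 event 1074 in the System log. Its message
#    names the initiating process, the account it ran as, and the reason.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Event  = 'Shutdown/Reboot (1074)'
            Detail = ($_.Message -split "`n")[0].Trim()
        }
    }

# 2. Local account creation (4720) and additions to a local group (4732),
#    e.g. a new account being placed in Administrators.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-NamedData $_
        if ($_.Id -eq 4720) {
            $what = "Account created: $($d.TargetDomainName)\$($d.TargetUserName)"
        } else {
            # 4732 usually carries only the member's SID, not its name.
            $what = "Member $($d.MemberSid) added to group $($d.TargetUserName)"
        }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Event  = "$($_.Id) by $($d.SubjectDomainName)\$($d.SubjectUserName)"
            Detail = $what
        }
    }
```

Any 4720 followed shortly by a 4732 into Administrators with the subject shown as SYSTEM, or a 1074 whose initiating process is not an interactive logon, is worth correlating against the LANDesk console's own activity records.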