Recommendations for download credentials when using UNC shares as software repositories in ePolicy Orchestrator
Technical Articles ID:   KB70999
Last Modified:  3/2/2016

Environment

McAfee Agent (MA) 5.x, 4.x
McAfee ePolicy Orchestrator (ePO) 5.x
McAfee VirusScan Enterprise (VSE) 8.x

Summary

IMPORTANT: This article applies only to customers who utilize Universal Naming Convention (UNC) shares as software repositories in ePO. Those who do not use this feature are not affected by this notice.

When Intel Security products (such as VirusScan Enterprise) use ePO as the update mechanism, McAfee Agent can update from multiple update locations or repository types, including UNC repositories.

Repositories are used for distributing bulk software updates. The update files themselves are not generally considered sensitive information and are typically available to anyone. Other activities that involve sensitive information, such as policy updates, are handled by a separate mechanism within ePO. It is important to ensure that the UNC share is correctly configured. If the UNC share is incorrectly set up, an attacker could potentially leverage the UNC share account to gain further access to the network. If the share is correctly set up, there is no additional risk. These details mirror those in the product documentation; however, because a misconfiguration could put a customer site at risk, they are worth restating in a Knowledge Base article.

Solution

Proper use of UNC shares as repositories
UNC shares utilize the Microsoft SMB protocol to create a shared drive. This protocol requires you to specify an account (username and password) that is allowed to access the share. Because every agent must present these credentials, they must be pushed down to each agent to enable that agent to access the share. Specifying download credentials within ePO is therefore necessary for the update process on the client computer to download the required update files from a UNC share. To ensure that this is done safely, Intel Security has documented the following key points to remember if you choose to use this feature.
  1. Correctly configure the account – The first step towards safety is to use an account configured correctly for this purpose. Several account options affect the security of the system.

    1. Create the account locally – Create the account on the file server that hosts the share, rather than in the domain. Locally created accounts do not grant any rights on other computers in the domain. Remember that if your file share is on your domain controller, the account is by definition a domain account.
    2. Use a specific account – Create an account specifically for sharing repository data. Do not share this account with multiple functions.
    3. Make the account low privilege – Do not add this account to any groups it does not need. This includes groups such as "Administrators" or "Users".
    4. Disable extraneous privileges – This account does not need to log on to a server at all. It is simply a placeholder used to reach the files. Examine the privileges this account has and disable all that are not required.
    5. Use a strong password – Use a password with 8-12 characters using multiple character attributes (lowercase and uppercase letters, symbols, and numbers). Consider using a random password generator to ensure a complex password.
  2. Correctly configure the share – The second step in ensuring UNC shares are used safely is to ensure that the share itself is correctly configured. 

    1. Grant your account read-only rights – When you set up your share, ensure that the account you created above has read-only rights both in the directory (NTFS) permissions and in the share permissions. We suggest not granting remote write access to the share at all (even for administrators or other accounts). Ideally, the only account allowed access of any kind should be the account created above.
    2. Use an alternative placement mechanism – Log on to the server using other methods (another share, RDP, locally, and so on) to write to your repository. Do not use the same share for both reading and writing the repository.
    3. Use a share not on your domain controller – Create the share on a server other than your domain controller, because a local user on a domain controller is a domain user.

  3. Additional Recommendations:

    1. Firewall your share – Always block traffic not required for the purposes you need. Consider blocking both outgoing and incoming traffic. You can use either a software firewall on the server, or a hardware firewall on the network.
    2. Enable File Auditing – Always enable security audit logs to track access to your network shares. This will detail who accesses the share, when, and what they did with the access.
    3. Change your passwords – It is a good idea to change your password periodically. Ensure the new password is strong. Remember to update your ePO configuration with the new password after it changes.
    4. Disable the account and share if it is no longer in use – If you move to using another mechanism for a repository, remember to disable or delete the account, and close and remove the share.
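The following PowerShell script is an added example, not part of the KB article or the product, that applies the account, NTFS, auditing, share and firewall points above on a Windows member file server; the account name, repository path, share name and agent subnet are assumptions, and the "Deny log on" user rights still have to be set in Local Security Policy.

```powershell
# Added example (not from the KB article). Run elevated on a member or standalone
# file server, never on a domain controller. Names, path and subnet are assumptions.
$RepoUser    = 'epo-repo-reader'      # dedicated, single-purpose local account
$RepoPath    = 'D:\ePORepo'           # NTFS folder that will hold the repository
$ShareName   = 'ePORepo'
$AgentSubnet = '10.20.0.0/16'         # constructed: subnet the managed agents live in

# 1. Account: local, single-purpose, random 12-character password with all four
#    character classes (regenerate until the rule is met).
do { $plain = -join ((33..126) | Get-Random -Count 12 | ForEach-Object { [char]$_ }) }
until ($plain -cmatch '[a-z]' -and $plain -cmatch '[A-Z]' -and
       $plain -match '\d' -and $plain -match '[^a-zA-Z0-9]')
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
New-LocalUser -Name $RepoUser -Password $secure -UserMayNotChangePassword `
              -Description 'ePO UNC repository read access' | Out-Null
# Low privilege: make sure it is not in Users (or any other group); never add Administrators.
Remove-LocalGroupMember -Group 'Users' -Member $RepoUser -ErrorAction SilentlyContinue
# "Deny log on locally" / "Deny log on through Remote Desktop Services" are user rights
# assignments (secpol.msc); they cannot be set with the LocalAccounts cmdlets.

# 2. NTFS permissions: explicit ACL, repo account read-only, writes only by local admins.
New-Item -ItemType Directory -Path $RepoPath -Force | Out-Null
$acl = Get-Acl -Path $RepoPath -Audit
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting broader parent rights
$inherit = 'ContainerInherit,ObjectInherit'
foreach ($r in @(@($RepoUser, 'ReadAndExecute'), @('BUILTIN\Administrators', 'FullControl'),
                 @('NT AUTHORITY\SYSTEM', 'FullControl'))) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r[0], $r[1], $inherit, 'None', 'Allow')))
}
# 3. Auditing: SACL on the folder plus the "File System" audit subcategory, so every
#    read, write or delete by any account is recorded in the Security log.
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData,WriteData,Delete', $inherit, 'None', 'Success,Failure')))
Set-Acl -Path $RepoPath -AclObject $acl
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 4. Share: only the repo account, read-only; no account gets remote write access.
New-SmbShare -Name $ShareName -Path $RepoPath -ReadAccess $RepoUser `
             -FolderEnumerationMode AccessBased -Description 'ePO software repository' | Out-Null

# 5. Firewall: replace the broad built-in SMB rule with one scoped to the agent subnet.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
New-NetFirewallRule -DisplayName 'SMB in from ePO agents only' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AgentSubnet -Action Allow | Out-Null

"Enter $env:COMPUTERNAME\$RepoUser and the generated password as the ePO download credentials."
```

Updates are then copied into `$RepoPath` over RDP or a separate admin session, never through the `\\server\ePORepo` share the agents read from.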
