Restricting Package Access Credentials
The Symantec Management Platform (SMP) agent installed on managed endpoints and package servers uses credentials to retrieve packages. From a security best practice perspective, the privileges associated with the package credentials should be set to the minimum level required to access the packages while not allowing access to other network resources. This article provides best practices for reducing the privilege and permissions associated with the credentials used to access software packages. It explains the different levels of Symantec Management Platform credentials and then walks you through the process of limiting access to the credentials so that they cannot be used to access other network resources.
About Symantec Management Platform (SMP) credentials
The SMP lets you define three levels of credentials with varying degrees of privileges and permissions.
- The Application Identity account is set up during installation. It holds all of the privileges that Notification Server needs to run, and it is used for every operation if no other credentials are configured. The Application Identity is the only account set up by default; the other two credentials fall back to the Application Identity if they are not configured.
- The Agent Connectivity Credential (ACC) is used by the Package Server Agent to add file-based security to downloaded package files, if so configured. If the ACC is not set, then the agents will use the Application Identity (application credential) by default. At minimum, Symantec recommends that you specify different credentials for the ACC.
- The Distribution Point Credential (DPC), if configured, is used by the Notification Server to connect to Software Delivery packages that have a UNC share as their source. Such packages are published by the Notification Server through a virtual directory that uses the DPC to connect to the specified UNC share.
Step 1: Create a unique domain/workgroup account
Before you restrict package access credentials within the Symantec Management Platform, you should limit the access level of the Active Directory domain account or Windows workgroup local user account that functions as the Notification Server service account. How you do this depends on your specific setup. Symantec recommends that you create a unique set of credentials dedicated to package storage access on the Symantec Management Platform. You should ensure that the account is a "least privilege access" account.
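The following PowerShell is an added example and is not part of the Symantec article; it shows one way to carry out this step on a Windows package server that uses a local workgroup account. The account name `svc_pkgaccess`, the folder `D:\PackageStore` and the share name `Packages` are assumptions for illustration; a domain account would be created in Active Directory instead, but the group-membership audit and the read-only share and NTFS permissions apply the same way.

```powershell
# Added example (not from the Symantec article): create a dedicated local
# account for package access and restrict it to read-only access to one
# package folder and its SMB share. Names and paths are assumptions.

$AccountName = 'svc_pkgaccess'    # assumed account name
$PackageRoot = 'D:\PackageStore'   # assumed local path behind the package share
$ShareName   = 'Packages'          # assumed SMB share name for $PackageRoot

# Prompt for the password so it is never stored in the script.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString

# 1. Create the account if it does not exist. It is deliberately NOT added to
#    Administrators or any other privileged local group.
if (-not (Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AccountName `
                  -Password $Password `
                  -Description 'SMP package access (least privilege)' `
                  -UserMayNotChangePassword | Out-Null
}

# 2. Audit: warn if the account is a member of any privileged local group.
$PrivilegedGroups = 'Administrators', 'Backup Operators', 'Power Users', 'Remote Desktop Users'
foreach ($Group in $PrivilegedGroups) {
    $Members = Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue
    if ($Members | Where-Object { $_.Name -like "*\$AccountName" }) {
        Write-Warning "$AccountName is a member of '$Group'; remove it before use."
    }
}

# 3. Grant read-only (ReadAndExecute) NTFS access to the package folder only.
#    Existing access rules on the folder are left untouched.
$Acl  = Get-Acl -Path $PackageRoot
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $AccountName,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$Acl.AddAccessRule($Rule)
Set-Acl -Path $PackageRoot -AclObject $Acl

# 4. If the folder is shared, give the account Read share permission only.
#    Effective access is the more restrictive of share and NTFS permissions.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Grant-SmbShareAccess -Name $ShareName -AccountName $AccountName `
                         -AccessRight Read -Force | Out-Null
}

# 5. Show the resulting NTFS entries for the account so the restriction can be audited.
(Get-Acl -Path $PackageRoot).Access |
    Where-Object { $_.IdentityReference -like "*\$AccountName" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run this in an elevated PowerShell session on the package server. The account receives no rights beyond reading the package folder, which is what limits the damage if the credential is later exposed: it cannot be used to reach other shares or to log on interactively with administrative rights. Repeat the step 2 audit after any group policy change, since group membership can be added outside this script.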