To maximize ActiveEfficiency server security, you can lock down access to its Website and encrypt sensitive data in the Scout configuration files. The ActiveEfficiency Website supports Windows authentication. By default, this is disabled and the Website uses anonymous authentication.

To enable Windows authentication:

  1. Run the IIS Manager.
  2. Navigate to the ActiveEfficiency website under the Sites > Default Web Site node.
     (Figure: Locating the ActiveEfficiency Website in IIS Manager)
  3. Click Authentication in the right-hand pane.
  4. In the Authentication page, disable Anonymous Authentication and enable Windows Authentication.
     (Figure: Enabling Windows authentication in the IIS Manager)
Configuring authentication

There are two appSettings keys in c:\Program Files (x86)\1E\ActiveEfficiency\Web\WebService\web.config that determine the authorized users and machines:

<add key="AuthorisedUsers" value="Everyone"/>
<add key="AuthorisedMachines" value="Everyone"/>

By default, these are configured to allow access to any user or machine principal in the Everyone group, which means every user and machine on the domain (i.e. Domain\Everyone) has access. The value of each key is a semicolon-separated list of any number of group or principal names. For example, you might have one domain group for the users and another for the machines that are allowed to access the website:

<add key="AuthorisedUsers" value="domain\AESvr Users;domain\specific.user"/>
<add key="AuthorisedMachines" value="domain\AESvr Machines;domain\specificmachine$"/>

When a client contacts the ActiveEfficiency website, the client credentials are verified first; the resulting principal information is then passed to the ActiveEfficiency website, which checks it against the authorized users and machines listed in the ActiveEfficiency web.config file.

Some client web technologies, such as MSXML::IXMLHTTPRequest and WinHttp, display pop-up dialogs on the client if authentication fails. If you have developed any applications that use the ActiveEfficiency Web API, you will need to configure them to supply Windows Authentication credentials; otherwise users of the application may see unexplained dialogs requesting credentials.

You should note the following:

  • A machine principal authentication token is presented if and only if the user principal running the service is not allowed to exist outside the context of the machine.
  • "NT Authority\Network Service", "NT Authority\Local Service" and "NT Authority\LocalSystem" are all local users, so when any network communication takes place then it is in the guise of the machine principal.
  • If any other Domain based user is running the service, then that user principal will be presented for authentication purposes.
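As an added check (not part of the 1E documentation), the following PowerShell audits the two settings this section describes: that the IIS site no longer allows anonymous authentication and does allow Windows authentication, and that neither AuthorisedUsers nor AuthorisedMachines is still the default Everyone. It assumes the WebAdministration module is available on the server and that the site path IIS:\Sites\Default Web Site\ActiveEfficiency matches your installation.

```powershell
# Added example, not from the 1E documentation. Assumes the IIS WebAdministration
# module and the default ActiveEfficiency paths; the IIS site path is an assumption.
Import-Module WebAdministration

$SitePath  = 'IIS:\Sites\Default Web Site\ActiveEfficiency'   # assumed IIS path to the site
$WebConfig = 'C:\Program Files (x86)\1E\ActiveEfficiency\Web\WebService\web.config'

function Test-AeAuthentication {
    param([string]$Site = $SitePath, [string]$ConfigPath = $WebConfig)
    $findings = @()

    # 1. IIS authentication modules: anonymous should be disabled, Windows enabled.
    $anon = Get-WebConfigurationProperty -PSPath $Site -Name enabled `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication'
    $win  = Get-WebConfigurationProperty -PSPath $Site -Name enabled `
        -Filter 'system.webServer/security/authentication/windowsAuthentication'
    if ($anon.Value)     { $findings += 'Anonymous authentication is still enabled on the site' }
    if (-not $win.Value) { $findings += 'Windows authentication is not enabled on the site' }

    # 2. appSettings: neither key should still grant access to the default Everyone group.
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    foreach ($key in 'AuthorisedUsers', 'AuthorisedMachines') {
        $node = $cfg.configuration.appSettings.add | Where-Object { $_.key -eq $key }
        if (-not $node) { $findings += "$key is missing from appSettings"; continue }
        # The value is a semicolon-separated list of group or principal names.
        $entries = $node.value -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
        if ($entries -contains 'Everyone') { $findings += "$key still grants access to Everyone" }
        if (-not $entries)                 { $findings += "$key is empty, so no principal is authorized" }
    }
    return $findings
}

$result = Test-AeAuthentication
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else         { 'ActiveEfficiency website authentication is locked down as documented' }
```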

Security groups

When a Security group is used to authorize a specific principal in either AuthorisedUsers or AuthorisedMachines you will need to take the following into account:

  • The Principal must be a member of the group to be allowed access and removed from the group to deny access.
  • If the Principal is a user, then that user must be added to or removed from the group whilst they are logged out. If the user is logged in, they will have to log out and log in again for the group to appear in (or disappear from) the token they present to the web service.
  • If the Principal is a machine, then the machine must be added to or removed from the group (as required) whilst the machine is not on the domain (i.e. turned off or unjoined from the domain). Otherwise, the machine will have to reboot or leave and re-join the domain in order to pick up the token that includes or excludes the group.

Encrypting sensitive strings in the ActiveEfficiency Scout configuration files

When configuring ActiveEfficiency, it is sometimes necessary to add usernames and passwords to the configuration files to enable access to servers. The connection string for accessing ConfigMgr is likewise stored as plain text in a configuration file. To maximize security, 1E recommends that such strings are encrypted to prevent unwanted access to systems. To enable this, ActiveEfficiency server includes an encryption utility that can be used to generate encrypted strings for use in the configuration files.

The general process for using encrypted strings is as follows:

  1. Run the encryption utility, providing the string you want to encrypt.
  2. Take the output of the encryption utility and add it to the configuration file.
  3. Change the attribute in the configuration file that will use the encrypted string by appending the text Encrypted to the attribute name.

Running the encryption utility

The encryption utility is called N1E.ActiveEfficiency.ApiCrypt.exe and is installed by default, using the ActiveEfficiency Scout installer, into the following directory:

C:\Program Files (x86)\1E\ActiveEfficiency\Scout\EncrypterUtility

The encryption utility can be used to both encrypt and decrypt text strings, so access to the utility must be restricted.

The following command-line arguments are valid for the encryption utility:

Command-line argument   Description
-e                      Encrypts the supplied text and outputs the encrypted string to standard output.
-d                      Decrypts the supplied text and outputs the decrypted string to standard output.

Examples for -e. To encrypt the text textToEncrypt to the screen:

N1E.ActiveEfficiency.ApiCrypt.exe -e textToEncrypt

When the text contains spaces, quotes are required:

N1E.ActiveEfficiency.ApiCrypt.exe -e "text To Encrypt"

Redirection operators are supported. The following takes the text from the file c:\input.txt and encrypts it to the screen:

N1E.ActiveEfficiency.ApiCrypt.exe -e < c:\input.txt

The following takes the text from the file c:\input.txt and encrypts it to the file output.txt in the current directory:

N1E.ActiveEfficiency.ApiCrypt.exe -e < c:\input.txt > output.txt

Example for -d. To decrypt an encrypted string (for display purposes the encrypted input string is shown truncated):

N1E.ActiveEfficiency.ApiCrypt.exe -d AQAAANCMnd8BFdERjHoAwE...

As with the -e argument, redirection operators are supported.

The encrypted strings are unique to the machine where the encryption is performed and cannot be decrypted on other machines. If you need to change the server where the scout components reside you must first decrypt any encrypted strings from the old server, and then encrypt the strings on the new server and update the configuration file with the new encrypted strings.

Add the encrypted string to the configuration file and change the name of the attribute

The configuration files listed in the following table reside, by default, below the C:\Program Files (x86)\1E\ActiveEfficiency\Scout\ directory.

Component                                            Configuration file
Scout in ConfigMgr mode                              Scout.exe.config
Scout in Server mode when configuring Linux servers  Config\Credentials.config
Scout in iQSonar mode                                Scout.exe.config
Oracle waste                                         Config\OracleCredentials.config
VMWareInventory                                      VmwareInventoryScout\N1E.ActiveEfficiency.VMWareInventory.exe.config

Scout in ConfigMgr mode (Scout.exe.config)

When running the scout in ConfigMgr mode you can encrypt the entire ConfigMgr connection string. Initially the entry will contain the values set in the installer. The following example shows the connection string for the ACMEPRDSQL04 server where the database is cm_cm1:

<appSettings>
    ...
    <add key="ConfigMgr:ConnectionString" value="Server=ACMEPRDSQL04;Database=cm_cm1;Trusted_Connection=True"/>
    ...
</appSettings>

To encrypt this you will need to run the encryption utility on the value, that is all the quoted text after the value= parameter, as shown in the following example:

N1E.ActiveEfficiency.ApiCrypt.exe -e "Server=ACMEPRDSQL04;Database=cm_cm1;Trusted_Connection=True"

You then take the result of running the encryption utility and modify the ConfigMgr:ConnectionString key to read ConfigMgr:ConnectionStringEncrypted and change the value to the encrypted string, as shown in the following example (for display purposes the encrypted string is shown truncated):

<appSettings>
    ...
    <add key="ConfigMgr:ConnectionStringEncrypted" value="AQAANCMnd8BFdER..."/>
    ...
</appSettings>

Scout in Server mode when configuring Linux servers (Config\Credentials.config)

When adding credentials for Linux servers you can encrypt the passwords used to access the servers.

The following example shows an SSH credential entry whose password is set to VisiblePassword:

<sshCredentials>
    ...
    <sshCredential matchingDevices="*" username="root" password="VisiblePassword"/>
    ...
</sshCredentials>

To encrypt this you will need to run the encryption utility on the password value, that is all the quoted text after the password= parameter, as shown in the following example:

N1E.ActiveEfficiency.ApiCrypt.exe -e "VisiblePassword"

You then take the result of running the encryption utility, rename the sshCredential password parameter to passwordencrypted and set it to the encrypted string, as shown in the following example (for display purposes the encrypted string is shown truncated):

<sshCredentials>
    ...
    <sshCredential matchingDevices="*" username="root" passwordencrypted="KJHDDFkkdjfh29..."/>
    ...
</sshCredentials>


Scout in iQSonar mode (Scout.exe.config)

When running the scout in iQSonar mode you can encrypt the entire iQSonar connection string. Initially the entry will contain the values set in the installer. The following example shows the connection string for the ACMEPRDSQL04 server where the database is iq_db1:

<appSettings>
    ...
    <add key="iQSonar:ConnectionString" value="Server=ACMEPRDSQL04;Database=iq_db1;Trusted_Connection=True"/>
    ...
</appSettings>

To encrypt this you will need to run the encryption utility on the value, that is all the quoted text after the value= parameter.

N1E.ActiveEfficiency.ApiCrypt.exe -e "Server=ACMEPRDSQL04;Database=iq_db1;Trusted_Connection=True"

You then take the result of running the encryption utility and modify the iQSonar:ConnectionString key to read iQSonar:ConnectionStringEncrypted and change the value to the encrypted string, as shown in the following example (for display purposes the encrypted string is shown truncated):

<appSettings>
    ...
    <add key="iQSonar:ConnectionStringEncrypted" value="ZJFPQCHad72DgQX..."/>
    ...
</appSettings>

Oracle waste (Config\OracleCredentials.config)

The Oracle waste feature relies on certain external components which require installation by 1E Professional Services. If you would like to implement this feature please contact 1E for more details.

When running the scout in Oracle waste mode you can encrypt the Oracle account password string in the Oracle credentials config file. The following example shows the password for the Oracle account set to VisiblePassword:

<installations>
    ...
    <installation key="acmeuk1337orcl" hostname="acmeuk1337" port="1521" service="orcl.1e.local" user="sys" password="VisiblePassword" privilege="SYSDBA"/>
    ...
</installations>

To encrypt the password you will need to run the encryption utility on the currently set visible password, that is all the quoted text after the password= parameter.

N1E.ActiveEfficiency.ApiCrypt.exe -e "VisiblePassword"

You then take the result of running the encryption utility and modify the installation password parameter to read passwordEncrypted and change the value to the encrypted password string, as shown in the following example (for display purposes the encrypted string is shown truncated):

<installations>
    ...
    <installation key="acmeuk1337orcl" hostname="acmeuk1337" port="1521" service="orcl.1e.local" user="sys" passwordEncrypted="AQAAANCMnd8B..." privilege="SYSDBA"/>
    ...
</installations>



VMWareInventory (VmwareInventoryScout\N1E.ActiveEfficiency.VMWareInventory.exe.config)

When running the scout in VMWare inventory mode you can encrypt the VMWare account password string in the VMWare Inventory Scout config file. The following example shows the password for the VMWare account set to VisiblePassword:

<appSettings>
    ...
    <add key="Vmware:Password" value="VisiblePassword"/>
    ...
</appSettings>

To encrypt the password you will need to run the encryption utility on the currently set visible password, that is all the quoted text after the value= parameter of the Vmware:Password key.

N1E.ActiveEfficiency.ApiCrypt.exe -e "VisiblePassword"

You then take the result of running the encryption utility, modify the Vmware:Password key to read Vmware:PasswordEncrypted and change the value to the encrypted password string, as shown in the following example (for display purposes the encrypted string is shown truncated):

<appSettings>
    ...
    <add key="Vmware:PasswordEncrypted" value="KJHnEOO983..."/>
    ...
</appSettings>
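The three-step process above (run the utility, paste the output into the configuration file, rename the key or attribute with the Encrypted suffix) is the same for the ConfigMgr, Linux, iQSonar, Oracle and VMWare entries, so the following added PowerShell example (not 1E's own code) automates it for any of those files. It assumes the utility is at its documented default path; the function name, its parameters and the XPath expressions in the usage lines are this example's own.

```powershell
# Added example, not from the 1E documentation: automates the three-step process
# (encrypt, paste the result, rename with the "Encrypted" suffix) for the Scout
# configuration files above. Utility path is the documented default; the function
# name and its parameters are this example's own.
$ApiCrypt = 'C:\Program Files (x86)\1E\ActiveEfficiency\Scout\EncrypterUtility\N1E.ActiveEfficiency.ApiCrypt.exe'

function Protect-ScoutConfigValue {
    # -XPath     selects the element, e.g. "//add[@key='ConfigMgr:ConnectionString']"
    # -Attribute the attribute holding the plain-text value ("value" or "password")
    # -Suffix    appended to the key or attribute name: "Encrypted" for appSettings
    #            and Oracle entries, "encrypted" for sshCredential (as documented)
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$XPath,
        [string]$Attribute = 'value',
        [string]$Suffix = 'Encrypted'
    )
    if (-not (Test-Path -LiteralPath $ApiCrypt)) { throw "Encryption utility not found: $ApiCrypt" }

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true            # keep the file's layout and comments intact
    $xml.Load($ConfigPath)
    $node = $xml.SelectSingleNode($XPath)
    if (-not $node) { throw "No element matched $XPath in $ConfigPath" }
    $plain = $node.GetAttribute($Attribute)
    if (-not $plain) { throw "No plain-text '$Attribute' attribute found (already encrypted?)" }

    # Step 1: the utility writes the machine-bound encrypted string to standard output.
    $cipher = (& $ApiCrypt -e $plain | Out-String).Trim()
    if ($LASTEXITCODE -ne 0 -or -not $cipher) { throw "Encryption failed (exit code $LASTEXITCODE)" }

    # Steps 2 and 3: appSettings entries keep their value attribute and get the suffix
    # on the key name; other elements get the suffix on the attribute name itself.
    if ($node.Name -eq 'add' -and $node.HasAttribute('key')) {
        $node.SetAttribute('key', $node.GetAttribute('key') + $Suffix)
        $node.SetAttribute('value', $cipher)
    } else {
        $node.RemoveAttribute($Attribute)
        $node.SetAttribute($Attribute + $Suffix, $cipher)
    }
    $xml.Save($ConfigPath)
}

# Usage with the documented default paths (run on the Scout server itself, since
# the encrypted strings only decrypt on the machine that produced them):
$scout = 'C:\Program Files (x86)\1E\ActiveEfficiency\Scout'
Protect-ScoutConfigValue -ConfigPath "$scout\Scout.exe.config" -XPath "//add[@key='ConfigMgr:ConnectionString']"
Protect-ScoutConfigValue -ConfigPath "$scout\Config\Credentials.config" -XPath "//sshCredential[@username='root']" -Attribute password -Suffix encrypted
```

Back up each configuration file before running this, and restrict access to the directory containing N1E.ActiveEfficiency.ApiCrypt.exe as the page advises, since the same utility can decrypt what it produced.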