10. Enhancing the security of your WAPT setup - Console side
10.2. Displaying the Certificates trusted by the hosts in the WAPT Console
In this tab, you can see the certificates that the host accepts to trust.
10.3. Configuring Access Control Lists
Hint
The SuperAdmin user of WAPT is authenticated by a password stored in waptserver.ini as the value of the wapt_password attribute.
Other WAPT users may be local users (htpasswd_path) or AD account users (ldap_auth_server / ldap_auth_base_dn).
ACLs define actions enabled for all types of users in the WAPT context.
Note
The default ACL level for users is defined by default_ldap_users_acls in waptserver.ini.
The default ACL for a new user is view.
Attention
Security is defined by the certificate deployed on clients, not by ACLs.
ACLs simply limit what actions the WAPT Server is allowed to relay from the WAPT Console to the WAPT Agents.
As of |date|, the WAPT Agents do not check ACL rights.
To configure ACLs in WAPT, go to .
Note
On first launch after the WAPT Server installation, only the SuperAdmin account is present in the list of users.
If the SuperAdmin account does not exist or does not have the admin right, the account is recreated by restarting the WAPT Server service.
The SuperAdmin account is authenticated using the value of wapt_password in the waptserver.ini configuration file.
Two types of account can be managed by ACLs: local and Active Directory.
10.3.1. Local user account
Local users are defined by a .htpasswd file.
10.3.1.1. WAPT Server configuration
To use local user accounts, you need to create a file named waptusers.htpasswd in the same folder on the WAPT Server as the waptserver.ini file.
On Linux:
touch /opt/wapt/conf/waptusers.htpasswd
chown wapt /opt/wapt/conf/waptusers.htpasswd
On Windows:
cd. > C:\wapt\conf\waptusers.htpasswd
In waptserver.ini, add the htpasswd_path setting:
htpasswd_path = password file location
Hint
Restart the WAPT Server service.
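As an added check (example code, not part of WAPT or of this documentation), the script below parses a waptserver.ini and a waptusers.htpasswd and reports the settings this section and the notes above warn about: an empty wapt_password, a default_ldap_users_acls that hands admin to every new AD account, ldap_auth_server without ldap_auth_base_dn, and local users with no hash or a weak htpasswd hash format. It assumes the settings live in an [options] section; the sample files are constructed.

```python
"""Offline sanity checks for the ACL settings above (added example, not WAPT's own code)."""
import configparser
from typing import Dict, List

SECTION = "options"  # assumption: waptserver.ini keeps these keys in an [options] section


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Return {user: hash} from htpasswd content; blank lines and '#' comments are skipped."""
    users = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            user, _, pw_hash = line.partition(":")
            users[user] = pw_hash
    return users


def audit_acl_settings(ini_text: str, htpasswd_text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    opt = cfg[SECTION] if cfg.has_section(SECTION) else {}
    findings = []
    if not opt.get("wapt_password"):
        findings.append("wapt_password is empty: the SuperAdmin account has no password")
    acls = {a.strip().lower() for a in opt.get("default_ldap_users_acls", "view").split(",")}
    if "admin" in acls:
        findings.append("default_ldap_users_acls grants admin to every new AD user (expected: view)")
    if opt.get("ldap_auth_server") and not opt.get("ldap_auth_base_dn"):
        findings.append("ldap_auth_server is set but ldap_auth_base_dn is missing")
    if opt.get("htpasswd_path"):  # local accounts are only in play when this is set
        for user, pw_hash in parse_htpasswd(htpasswd_text).items():
            if not pw_hash:
                findings.append(f"local user {user!r} has no password yet")
            elif pw_hash.startswith("{SHA}") or not pw_hash.startswith("$"):
                # unsalted SHA-1, crypt(3) or plaintext entry: regenerate it with a salted hash
                findings.append(f"local user {user!r} uses a weak htpasswd hash format")
    return findings


# Constructed sample files: the hashes are placeholders, not real credentials.
SAMPLE_INI = """\
[options]
wapt_password =
default_ldap_users_acls = admin
ldap_auth_server = ldap.example.invalid
htpasswd_path = /opt/wapt/conf/waptusers.htpasswd
"""
SAMPLE_HTPASSWD = "alice:$2y$05$placeholderbcrypthash\nbob:{SHA}placeholdersha1hash=\ncarol:\n"
```

Running audit_acl_settings(SAMPLE_INI, SAMPLE_HTPASSWD) yields five findings; a file with a set wapt_password, the default view ACL and no local users yields none.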
10.3.1.2. Creating the user account
In the WAPT Users rights window, click on New account.
It is possible to rename accounts by pressing F2 on the User column.
Save by clicking on Save account.
For setting a password, see below.
For setting rights, see the section on managing ACL rights.
If the local user has a password in waptusers.htpasswd, the username appears in bold and Local User is checked; otherwise, change the password for this user.
10.3.1.3. Changing the user password
To change the password for the selected account:
Do a .
Enter the new password.
The local user appears in bold and Local User is checked.
10.3.2. WAPT users set as Active Directory users
To manage WAPT users with Active Directory, you need to activate Active Directory authentication.
After a first successful login, the AD account will appear automatically in the list of WAPT users.
10.3.3. Blocking local user accounts
To unregister local users, do .
The user account will be blocked from managing anything in WAPT.
10.3.4. List of rights
Many rights and restrictions can be set for each user in the WAPT Console.
Right | Description
---|---
Admin | Grants the same rights as SuperAdmin: all rights are granted except Local user.
View | Allows only viewing information in the WAPT Console.
Register hosts | Allows using the Admin credentials to manually register a host with the WAPT Server.
Unregister hosts | Allows removing a host from the WAPT Console.
Edit hosts | Allows editing the host profile in the WAPT Console.
Edit packages | Allows modifying base packages in the WAPT Console.
Edit groups | Allows modifying group packages in the WAPT Console.
Edit self-service | Allows modifying self-service rules in the WAPT Console.
WUA | Allows modifying WUA / WSUS rules in the WAPT Console.
Edit unit package | Allows modifying unit packages in the WAPT Console.
Edit profiles package | Allows modifying profile packages in the WAPT Console.
Apply upgrades | Allows remotely applying upgrades on the user's perimeter of hosts, if the host is in PENDING status.
Remote hosts actions | Allows using the Windows Computer Management tool from the WAPT Console.
Edit Reports | Allows creating new or modifying existing reporting queries.
Run Reports | Allows running existing SQL reports.
Local user | Defines a local user.
10.3.5. Managing rights
By default, the SuperAdmin is the CA certificate user.
For other users, it is possible to associate a certificate generated by the WAPT PKI or by another CA.
These certificates may or may not be children of the WAPT Certificate Authority.
Attention
If certificates are not issued from the Certificate Authority:
Updated WAPT packages are available only to computers where certificates are deployed.
ACLs are valid only on the perimeter of the hosts where the certificates are deployed.
10.3.5.1. Associating a certificate to a user
Hint
By default no certificate is set for any user (including SuperAdmin).
The account in the WAPT Console appears in italic if no certificate is associated with the user.
To associate a certificate with a user, do .
Then, choose the certificate to associate with the user.
10.3.5.2. Adding / Removing rights
To add or remove rights, select the cell with and check it by pressing the spacebar.
Hint
It is possible to make a multiple selection using the keyboard shortcut Ctrl+left-click and then pressing the spacebar.
10.3.5.3. Restricting the perimeter of rights permitted to a user
It is possible to associate a perimeter to a right given to a user.
10.3.5.3.1. View
Perimeter | Description
---|---
Deny all | Denies any view right (not checked).
Allow on any perimeter | Allows the view right for all WAPT Agents.
Allow specific perimeters | Allows the view right on the selected perimeter, defined as a list of certificates.
Allow where user certificate is deployed | Allows viewing only on the perimeter where the certificate of the WAPT Administrator is deployed.
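An illustrative model of the four view perimeters (added example; not WAPT's own implementation). It assumes a host lies inside a certificate's perimeter when that certificate is among the ones the host trusts (section 10.2); the hosts and fingerprints are constructed.

```python
"""Model of the view-right perimeter modes (added example, not WAPT code)."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Perimeter(Enum):
    DENY_ALL = "Deny all"
    ANY = "Allow on any perimeter"
    SPECIFIC = "Allow specific perimeters"
    USER_CERT = "Allow where user certificate is deployed"


@dataclass(frozen=True)
class Host:
    name: str
    trusted_certs: FrozenSet[str]  # fingerprints the host trusts (section 10.2); constructed


@dataclass(frozen=True)
class ViewRight:
    mode: Perimeter
    user_cert: Optional[str] = None              # certificate associated with the user (10.3.5.1)
    allowed_certs: FrozenSet[str] = frozenset()  # the certificate list for SPECIFIC


def may_view(right: ViewRight, host: Host) -> bool:
    """Assumption: a host is inside a certificate's perimeter when it trusts that certificate."""
    if right.mode is Perimeter.DENY_ALL:
        return False
    if right.mode is Perimeter.ANY:
        return True
    if right.mode is Perimeter.SPECIFIC:
        return not right.allowed_certs.isdisjoint(host.trusted_certs)
    # USER_CERT: a user with no certificate associated (shown in italic) sees no host at all
    return right.user_cert is not None and right.user_cert in host.trusted_certs


def visible_hosts(right: ViewRight, hosts: List[Host]) -> List[str]:
    return [h.name for h in hosts if may_view(right, h)]


# Constructed inventory: the fingerprints are placeholders, not real certificates.
HOSTS = [
    Host("pc-accounting", frozenset({"CA_ROOT", "ADMIN_FINANCE"})),
    Host("pc-lab", frozenset({"CA_ROOT", "ADMIN_LAB"})),
    Host("pc-unmanaged", frozenset()),
]

if __name__ == "__main__":
    print(visible_hosts(ViewRight(Perimeter.USER_CERT, user_cert="ADMIN_FINANCE"), HOSTS))
```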
10.3.5.3.2. Edit group packages
Hint
All group packages work on the same principle as described below.
Perimeter | Description
---|---
Deny all packages | Denies any edit right on any package (not checked).
Allow any packages | Allows the edit right on all WAPT packages.
Allow specific packages name | Allows the edit right on the WAPT packages selected in the list.
10.3.5.4. Re-signing packages on the WAPT Server using the WAPT console
It is possible that a package was created by a WAPT user whose certificate is not recognized on certain machines. However, the package might still be suitable for those machines. In such cases, you can re-sign the package using the certificate of another WAPT user who has higher privileges within the network.
Go to WAPT Packages, identify your package, right-click it and choose Resign packages.
Then click on Resign packages, wait for the OK, and close the window.
If this does not work, the only way to perform the operation is to re-sign the package on the command line.