Securing the Agents

Agents use an encrypted communication channel with the Communication Processes by default, which means that they only execute fully authenticated commands sent from the Automation Engine. This topics describes how you can enhance the Agent security by denying the right to execute jobs to specific users and by preventing the anonymous execution of jobs. It also provides some useful recommendations.

This page includes the following:

Connection to Agents

For security reasons, newly installed Agents do not have any rights, they cannot execute tasks and are not available for selection when defining objects. To log on to the Automation Engine for the first time, they use an Agent object that is available in the HOST folder of Client 0. To be able to start processing commands, they must be assigned to Clients. For more information, see Agent Authentication.

Denying the Execution of Jobs for Specific Users

Sometimes, an Agent must be run in the context of a different user. In these cases, it must be able to execute scripts in that user's context. For this purpose, the Agent needs a specific Login object that you must define in your AE system. This Login object contains the credentials to allow jobs to run as a certain user on the Agent's machine.

In some cases you may want to restrict user permissions to certain tasks or executions (for example root on the UNIX Agent).
In the Agent INI file you can specify the users, which are not allowed to execute Jobs or File Transfers. This applies even in case a Login object has been specified containing that user's credentials.

Configure the INI files of the following Agents:

Preventing the Anonymous Executions of Jobs

By default you have to specify a Login object with valid user credentials for executing Job objects. The variable UC_HOSTCHAR_DEFAULT contains the following three keys to determine whether those credential must be used or not:

  • ANONYMOUS_FT (for File Transfers)
  • ANONYMOUS_JOB (for Jobs)
  • ANONYMOUS_FE (for FILE Events)

By default, they are set to "N", which prevents the anonymous execution of File Transfers, Jobs and FILE Events.

For more information, see Login (LOGIN) and UC_HOSTCHAR_DEFAULT - Host Characteristics.

Recommendations

  • Physically secure the hardware.
  • Secure running services that the operating system / Agent provides.
  • Use a file system that can prevent unauthorized access.
  • Set file access permissions for data stored on disk.
  • Limit the number of possible user accounts on the Agent.
  • Use strong passwords for accounts.
  • Consider using additional software to secure your operating system.
  • Apply operating system patch sets and security patches.
  • Install the latest maintenance packs, minor releases, and critical patch updates.

See also:

Security and System Hardening