Credentials

Credentials were implemented to solve a security weakness present in many network monitoring and management solutions. Typically, a network monitoring solution runs all code, performs all monitoring, alerting and recovery actions, and carries out all management functions using the account context under which its process or service is installed. Such solutions support one account, which must be a network Administrator-level account to access resources throughout the network. This model is contrary to good security practice, as it potentially exposes all the resources accessed by the Administrator account.

ipMonitor resolves this problem using Credentials Manager. Credentials Manager allows the ipMonitor Service to run under the context of an account with the least privileges, and then impersonate accounts with elevated permissions when required by monitors, alerts and features accessing Windows file system objects or services through the network.

Using Credentials Manager, you can tailor the credentials to the exact authentication credentials required by the targeted resource. You can reuse the credential to access several target resources. The Credentials Wizard automatically categorizes the credentials for reuse. You can limit the credential to the administrator who created the credential, or other administrators can be permitted to use it.

You can apply usage restrictions to individual credentials. A credential can be:

  • Used over SSL
  • Used with Digest Authentication Schemes
  • Used with Windows NT LAN Manager (NTLM) authentication schemes
  • Used with Windows Impersonation to start an external process
  • Used with ActiveX Data Objects (ADO)
  • Used to encrypt data
  • Transmitted in clear text

If you decide not to use SSL to log in to ipMonitor, the Credentials Manager will allow only limited viewing of credentials. It will not allow configuration or management, and will not allow account-based information to be visible or accessible.
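The usage restrictions and the SSL rule above can be modelled as a deny-by-default check. This is an added example, not ipMonitor code; the Usage, Credential, may_use, authorize and view names and the sample credential are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Usage(Flag):
    """One flag per usage restriction in the list above."""
    SSL = auto()
    DIGEST = auto()
    NTLM = auto()
    IMPERSONATION = auto()
    ADO = auto()
    ENCRYPT = auto()
    CLEAR_TEXT = auto()


@dataclass(frozen=True)
class Credential:
    name: str
    owner: str             # administrator who created the credential
    account: str
    password: str          # never returned by view()
    allowed: Usage         # every use not set here is refused
    shared: bool = False   # False: usable only by its creator


def may_use(cred, admin):
    """The creator always qualifies; other administrators only if shared."""
    return admin == cred.owner or cred.shared


def authorize(cred, admin, requested):
    """Allow only if the admin qualifies and every requested use is permitted."""
    if not requested or not may_use(cred, admin):
        return False
    return (requested & cred.allowed) == requested


def view(cred, admin, session_is_ssl):
    """Without SSL, return a limited view with no account-based information."""
    if not may_use(cred, admin):
        raise PermissionError("credential is restricted to its creator")
    summary = {"name": cred.name, "allowed": cred.allowed}
    if session_is_ssl:
        summary["account"] = cred.account
    return summary


# Constructed sample: NTLM over SSL only, private to the administrator "alice".
SAMPLE = Credential("fileserver-ro", "alice", r"CORP\svc_monitor",
                    "not-a-real-secret", Usage.SSL | Usage.NTLM)
```

A request that combines a permitted use with one that is not set, such as NTLM together with clear-text transmission, is refused as a whole.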

ipMonitor maintains an internal data hive, which it uses to store all sensitive data. RSA 512/1024-bit encryption is applied to the hive. Usage restrictions and display categories can be changed over HTTP. However, you cannot modify the Account, Password and Secret (for Radius) fields.