We are all trying to do security right, plugging all possible holes, but one of the biggest holes in our environment is the ability to log on to ZCC without using multi-factor auth.
If one of the admin credentials gets compromised and they have ZCC rights, you would instantly have control over our complete environment, thousands of machines and servers.
Everybody is implementing some strong form of authentication to improve security.
We have also implemented MFA (2FA) on almost everything, but not on ZCC...
The implementation could best be based on SAML or RADIUS or even both.
If we can do the ZCC/ZMAN authentication with SAML we would be able to link it to our current SSO solution that would force MFA on logon.
Or if SAML integration is difficult because of the ZMAN command compatibilities and other entry points, a RADIUS configuration which for example would allow the OTP to be entered as 6 chars after the password would work for us too. At least you have it much more secured that way.
Also, the ability to enable or disable strong authentication (MFA) could be per user, group or role. This would allow you to keep using a special account for zman scripts where needed.
by: Rene A. | over a year ago | ZENworks Control Center
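The password-plus-OTP idea from the post, sketched as server-side verification logic. This is an added example, not part of the original post and not ZENworks or RADIUS server code. It assumes RFC 6238 TOTP with HMAC-SHA1, a PBKDF2 password hash, and a hypothetical user record whose field names (`pw_hash`, `salt`, `totp_secret`, `mfa_required`) are constructed for illustration.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6  # the post suggests the OTP as 6 characters after the password


def totp(secret: bytes, at: int, step: int = 30, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_credential(submitted: str):
    """Split password + trailing 6-digit OTP; None if no OTP is present."""
    if len(submitted) <= OTP_DIGITS:
        return None
    password, otp = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
    if not (otp.isascii() and otp.isdigit()):
        return None
    return password, otp


def authenticate(user: dict, submitted: str, now: int) -> bool:
    """Check a login against a (hypothetical) user record."""
    if user["mfa_required"]:
        parts = split_credential(submitted)
        if parts is None:
            return False  # MFA is enforced and no OTP was appended
        password, otp = parts
        # Accept the current 30 s step and one either side for clock drift.
        otp_ok = any(
            hmac.compare_digest(otp, totp(user["totp_secret"], now + d * 30))
            for d in (-1, 0, 1)
        )
    else:
        # Per-account exemption, e.g. the special account for zman scripts.
        password, otp_ok = submitted, True
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    # Always verify the password so a bad OTP does not skip the hash check.
    return hmac.compare_digest(pw_hash, user["pw_hash"]) and otp_ok
```

A production check would also remember the last accepted time step per user so that a code cannot be replayed inside the drift window.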
Comments
Because it can do almost anything to these workstations, even managed servers... so the ZCC Console indeed needs to add a high level for logon...