Following sections provide information about the security considerations before installing Change Guardian.
The administrator should close all unnecessary ports. For more information, see Understanding Ports Used.
Service port listens preferably only for local connections, and does not allow remote connections.
Files are installed with least privileges so that the least number of users can read the files.
Reports against the database are run as a user that only has SELECT permissions on the database.
All web interfaces require HTTPS protocol.
All communication over the network uses SSL by default and is configured to require authentication.
User account passwords are encrypted by default when they are stored on the file system or in the database.
The appliance has undergone the following hardening:
Only the minimally required packages are installed.
The firewall is enabled by default and all unnecessary ports are closed in the firewall configuration.
Change Guardian is automatically configured to monitor the local operating systems syslog messages for audit purposes.
The TLS 1.0 communication protocol has known vulnerabilities. You must use TLS 1.1 or later for communication.
TLS 1.0 is disabled by default in new installations of the Change Guardian server, agents, and Policy Editor components to improve security posture and to prevent known vulnerabilities.