Securing the ActivID Appliance System
Securing LDAP Directories
General Considerations
ActivID Appliance can leverage your corporate directory. For example, user information such as email addresses and user names is read from the directory and inserted into the certificates that are placed on smart cards. The security of your corporate directory depends on that information being stored securely, based on your organizational requirements.
Related Security Considerations
ActivID Appliance only reads information from the corporate LDAP directory. To do so, ActivID Appliance requires read access to the LDAP directory and to the Certificate Authority (CA). This access must be carefully restricted so that the account used for it cannot be leveraged to compromise the ActivID Appliance environment.
The following recommendations apply to the LDAP configuration for ActivID Appliance:
- Use LDAPS with a client certificate to authenticate the ActivID Appliance LDAP account to LDAP. If a client certificate to authenticate ActivID Appliance to LDAP is not a feasible option, then implement a password change procedure for this LDAP account. The procedure should be executed regularly in accordance with your internal policies.
- Create the dedicated account with only the access it requires. This account typically requires only write access to the smart card serial number attribute, and read access to the branches from which it queries the user attributes.
- Use the ActivID Management Console to configure ActivID Appliance to use LDAPS for any communication with the LDAP server.
The password change procedure is recommended because the user ID and password of the account that connects to the LDAP directory are configured in the Console; the password is encrypted and stored in the ActivID Appliance database.
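The following script, added here as an example and not part of the ActivID Appliance product or its documentation, checks an LDAP connector configuration against the three recommendations above: LDAPS, client-certificate authentication or a regularly rotated password, and write access limited to the smart card serial number attribute. The configuration structure, the attribute name `smartCardSerialNumber` and the 90-day rotation period are assumptions; substitute the values from your own environment and policy.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set, List
from urllib.parse import urlparse

# Hypothetical representation of the LDAP connector settings entered in the
# Console. ActivID Appliance does not document this structure; it is an
# assumption made for this example.
@dataclass
class LdapConnectorConfig:
    url: str                                  # for example "ldaps://host:636"
    bind_dn: str                              # dedicated service account
    client_cert_auth: bool                    # True: bind uses a client certificate
    password_last_changed: Optional[date]     # None when unknown / never rotated
    write_attributes: Set[str] = field(default_factory=set)
    read_base_dns: Set[str] = field(default_factory=set)

# Placeholder attribute name (assumption): the only attribute the account
# should be able to write, per the recommendation above.
SMARTCARD_SERIAL_ATTR = "smartCardSerialNumber"


def audit_ldap_config(cfg: LdapConnectorConfig, today: date,
                      max_password_age_days: int = 90) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings = []

    # 1. All communication with the LDAP server must use LDAPS.
    scheme = urlparse(cfg.url).scheme.lower()
    if scheme != "ldaps":
        findings.append(f"URL {cfg.url!r} uses scheme {scheme!r}; expected 'ldaps'")

    # 2. Prefer a client certificate; otherwise the password must be rotated
    #    within the policy period (90 days is an assumed policy value).
    if not cfg.client_cert_auth:
        if cfg.password_last_changed is None:
            findings.append("password bind with no recorded rotation date")
        else:
            age = today - cfg.password_last_changed
            if age > timedelta(days=max_password_age_days):
                findings.append(
                    f"password last changed {age.days} days ago; "
                    f"policy allows {max_password_age_days}")

    # 3. Write access limited to the smart card serial number attribute.
    extra_writes = cfg.write_attributes - {SMARTCARD_SERIAL_ATTR}
    if extra_writes:
        findings.append(
            "write access beyond the serial number attribute: "
            + ", ".join(sorted(extra_writes)))

    return findings


# Constructed sample configurations (not real deployments).
GOOD_CONFIG = LdapConnectorConfig(
    url="ldaps://ldap.example.internal:636",
    bind_dn="cn=activid-svc,ou=service,dc=example,dc=internal",
    client_cert_auth=True,
    password_last_changed=None,
    write_attributes={SMARTCARD_SERIAL_ATTR},
    read_base_dns={"ou=people,dc=example,dc=internal"},
)

BAD_CONFIG = LdapConnectorConfig(
    url="ldap://ldap.example.internal:389",          # plaintext LDAP
    bind_dn="cn=activid-svc,ou=service,dc=example,dc=internal",
    client_cert_auth=False,
    password_last_changed=date(2023, 1, 10),         # stale password
    write_attributes={SMARTCARD_SERIAL_ATTR, "mail", "userPassword"},
    read_base_dns={"dc=example,dc=internal"},
)

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{name}: {audit_ldap_config(cfg, date(2024, 6, 1)) or 'OK'}")
```

Run the script directly to see the findings for both constructed configurations; in practice, feed it the values you entered in the Console for the LDAP connection.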
Securing IPMI
It is strongly recommended that you regularly update the Supermicro firmware to fix security and functional issues. Monitor the Supermicro support page for updates.
Furthermore, it is strongly recommended that you segregate the network used for IPMI.
Securing Remote Servers
It is strongly recommended that you use the SFTP protocol instead of FTP for the connection between the ActivID Appliance and remote servers (for example, the remote server used to store backups and export report data).
In addition, it is recommended that you enable password protection for the exported report data.
Securing Privileged Access
It is strongly recommended that you limit (through firewall rules, and/or network configuration) the inbound access to System Administration interfaces (that is, the ActivID Console and SSH entry points, on TCP ports 1005 and 40 respectively) to internal administration networks.
In addition, it is strongly recommended that you change the password for the root account after completing the ActivID Appliance initial setup, even though it cannot be used to log on from outside the appliance. This account should only be used for emergency access (also known as “break glass” processes).
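To verify that the inbound restriction on the System Administration interfaces above is actually enforced, the following script (an added example, not part of the ActivID Appliance product or its documentation) scans connection records and flags accepted connections to TCP ports 1005 and 40 that originate outside the internal administration networks. The log format and the administration network ranges are constructed assumptions; adapt the parser to your firewall's export format.

```python
import ipaddress
from typing import List, Tuple

# Ports of the System Administration interfaces, as stated above.
ADMIN_PORTS = {1005: "ActivID Console", 40: "SSH"}

# Constructed assumption: the internal administration networks that are
# allowed to reach those ports. Replace with your own ranges.
ADMIN_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.20.1.0/24"),
]

# Constructed sample records in a generic "key=value" form; this is not a
# real ActivID Appliance or firewall log format.
SAMPLE_LOG = """\
2024-06-01T08:00:01Z src=10.20.0.15 dst=10.50.3.7 dport=1005 action=accept
2024-06-01T08:00:05Z src=192.168.77.4 dst=10.50.3.7 dport=1005 action=accept
2024-06-01T08:01:12Z src=10.20.1.8 dst=10.50.3.7 dport=40 action=accept
2024-06-01T08:02:30Z src=203.0.113.9 dst=10.50.3.7 dport=40 action=accept
2024-06-01T08:03:00Z src=203.0.113.9 dst=10.50.3.7 dport=443 action=accept
2024-06-01T08:04:00Z src=172.16.9.2 dst=10.50.3.7 dport=40 action=drop
"""


def parse_record(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": ts,
        "src": ipaddress.ip_address(kv["src"]),
        "dport": int(kv["dport"]),
        "action": kv["action"],
    }


def is_admin_source(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in net for net in ADMIN_NETWORKS)


def find_admin_exposure(log_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (timestamp, source, port, interface) for every accepted
    connection to an admin port from outside the admin networks."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = parse_record(line)
        except (KeyError, ValueError):
            # Malformed record: skip rather than silently treat as safe.
            continue
        if (rec["dport"] in ADMIN_PORTS
                and rec["action"] == "accept"
                and not is_admin_source(rec["src"])):
            alerts.append((rec["ts"], str(rec["src"]), rec["dport"],
                           ADMIN_PORTS[rec["dport"]]))
    return alerts


if __name__ == "__main__":
    for ts, src, port, name in find_admin_exposure(SAMPLE_LOG):
        print(f"{ts} {name} (tcp/{port}) reached from non-admin source {src}")
```

Dropped attempts are deliberately not reported: the check is looking for gaps in the firewall rules, so only accepted connections from outside the administration networks are of interest.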