!!! Collector Debug Console Security !!!

Question

In doing some of the troubleshooting with LM, I realized that the debug console opens !POSH sessions as admin without asking or verifying.&nbsp; Anyone that can log into the console and gain access to the collector to run a debug has default admin access into our environment.&nbsp; The&nbsp;debug console can run Powershell commands on the collector server as if you had opened a powershell console as administrator locally.&nbsp; From there, I can easily push an elevated command anywhere using CredSSP delegation as a second hop credential option leveraging the credentials given to the collector.

mnagel · Answer

Oh it gets better :).&nbsp; We had an issue awhile back (still do) that could only be resolved via an internal debug command (update system.ips property) normally run in the collector debug context.&nbsp; This is entirely doable via the API.&nbsp; No MFA required, no IP restriction possible.&nbsp; Chew on that one for a bit...

matthew_dunham · Answer

Hi @Cole McDonald -

&nbsp;

The LogicMonitor Collector runs jobs using the permissions it has inherited from the Collector. Where the Collector is run as a privileged user so will the jobs that it's launched.

Regardless of which Collector permissions model you adopt, as a best practice we recommend using our role-based access controls to limit "Manage" access to your Collectors. You can do so by assigning individuals that don't need Collector Debug functionality the "manager" role rather than the "administrator" role. This allows you to effectively limit the scope of your end-users based on the principle of least privilege.

cole_mcdonald · Answer

Which we do... but from the collector itself, I'm required to explicitly run an elevated powershell session, even as a local admin with permissions to do so.&nbsp; Asking for an elevated shell should be reserved for specific cases of administration and should be easily auditable / alertable when they are done so.&nbsp; I live life wearing a tin-foil hat due to my jobs I've held in the past and the one I'm doing now.&nbsp; I don't control your servers, so I implicitly don't trust them (nothing against LM, just a security posture).&nbsp; As you're reaching into your customers' enterprise environments with the software, adding an escalation mechanism that would leverage the domain credentials and associated permissions to escalate sessions would be a welcome addition.&nbsp; That would then trigger events on the DC that are auditable and alertable for better security alerting.

cole_mcdonald · Answer

yikes!&nbsp; Sounds like there's a few holes that need to be plugged.&nbsp; Big product, there's bound to be some.&nbsp; Hopefully, these types of issues get pushed ahead of functionality since it's an attack vector into a customer's enviornment.

Forum Discussion

!!! Collector Debug Console Security !!!

4 Replies

Related Content

LogicMonitor Portal Security

Important Security Announcement

Collectors: Open Telemetry vs. LM Collector

Security Hardening of LM

LogicMonitor Security Best Practices

Recent Discussions

Dashboard Sharing – An Inline Framing Method

2021-12-15 US Office Hours

Live Training - Tuning Datapoints and Alerts - 15th JUNE 2022 - APAC

Live Training - Introduction to Dashboards - 18th MAY 2022 - APAC

2022-05-11- APAC Product Overview -Collectors, Resources/Groups, Dashboards