SecureState Blog


Defensive Readiness Program

Web management consoles have been an administrator’s friend for quite some time. They have also been an attacker’s best friend since their conception. The console hardware is often integrated directly into servers and devices to make administering and troubleshooting that equipment much easier. Once these consoles are deployed into our environment, they are frequently forgotten: out of sight, out of mind. We leave them off our patch management programs, even though they are very often installed with default credentials. Attackers have built word lists from these default usernames and passwords, which are publicly available in the manufacturers' configuration guides. Because administrators need this information when they configure the equipment, the onus to change the credentials falls on the organization.

The love-hate battle begins between our administrators, the attackers, and the inventory of web management consoles deployed throughout our environments. The question has been raised: what can we do to protect ourselves? We need to treat these web management consoles as independent systems. A server that runs Windows 2012 and also has a management console needs to be treated as two independent systems. Before we deploy the complete system, we should have a process in place to check that the console's default credentials have been changed and that its version is up to date. Once deployed, we need to include both systems in our patch management program and hardening standards. This is the bare minimum, but we can protect these consoles even further.

Consider placing these consoles in a management network that is built independently of the organization's core infrastructure. Given the purpose and use of these consoles, the hardware does not need to be incredibly powerful. We can set up a basic infrastructure and, where it must span multiple physical locations, use virtual routing inside an encrypted point-to-point tunnel. This still lets us traverse the conventional infrastructure while giving us the flexibility to protect the management console infrastructure. This is sometimes referred to as a pipe within a pipe.
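As an added illustration (not code from the SecureState post), here is a pre-deployment gate that applies the checks the two paragraphs above call for to an inventory: default credentials changed, console version at or above a minimum, console tracked separately in patch management, and console address inside the isolated management network. The product names, minimum versions, address range and inventory records are all constructed assumptions.

```python
"""Pre-deployment gate for web management consoles (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Constructed policy: assumed minimum firmware per console family and the
# assumed address range reserved for the isolated management network.
MIN_FIRMWARE = {"ilo": (2, 70), "idrac": (4, 40, 0)}
MGMT_NET = ipaddress.ip_network("10.200.0.0/16")


@dataclass
class Console:
    host: str                    # server the console is integrated into
    product: str                 # console family, e.g. "ilo" or "idrac"
    address: str                 # IP address the console answers on
    firmware: str                # version string reported by the console
    default_creds_changed: bool  # verified during provisioning
    in_patch_program: bool       # console has its own patch-management record


def parse_version(v: str) -> tuple:
    """'4.00.00.00' -> (4, 0, 0, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def audit(console: Console) -> list:
    """Return policy violations for one console; empty means it may be deployed."""
    findings = []
    if not console.default_creds_changed:
        findings.append("default credentials still in place")
    minimum = MIN_FIRMWARE.get(console.product)
    if minimum is None:
        findings.append(f"no minimum firmware defined for {console.product}")
    elif parse_version(console.firmware) < minimum:
        findings.append(f"firmware {console.firmware} below minimum")
    if ipaddress.ip_address(console.address) not in MGMT_NET:
        findings.append("console reachable outside the management network")
    if not console.in_patch_program:
        findings.append("console not tracked by patch management")
    return findings


def deployable(consoles) -> dict:
    """Map each host to its findings; only hosts with an empty list pass the gate."""
    return {c.host: audit(c) for c in consoles}


# Constructed inventory: the host OS and its console are separate records.
INVENTORY = [
    Console("srv01", "ilo", "10.200.1.10", "2.72", True, True),
    Console("srv02", "idrac", "192.168.5.20", "4.00.00.00", False, False),
]

if __name__ == "__main__":
    for host, findings in deployable(INVENTORY).items():
        print(host, "OK" if not findings else "; ".join(findings))
```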

Lastly, protect access to these systems with a “jump-box” and two-factor authentication. This provides a single point of access into the management network, controlled through strong authentication.

This access control methodology and network topology, combined with those two key elements and with the consoles treated as individual items within our patch management program, produces not only a fundamentally sound solution but also surrounds an extremely vulnerable, yet highly desirable, management interface with multiple layers of protection. This ultimately gives us additional opportunities to detect and stop attackers.