
Power Advisor System Health – Secure Deployment Best Practices

Introduction

The Power Advisor System Health application assists in managing the health of large systems,
multiple sites or complex networks in a unified dashboard application. This document outlines how
to deploy and configure the application in a secure manner.

Client Deployment

The client deployment process is handled via a typical install wizard. During the information
gathering process, you are required to provide credentials to the client SQL database (PME). These
credentials need to be administrator level as database modifications need to occur as part of the
setup. These credentials are only used during installation and are not saved or reused elsewhere.

 
Server Deployment
 
The server deployment process is also handled via a typical install wizard. There are no specific steps
that are required to be noted from a security perspective during this process. We will cover all
security related aspects during the configuration phase.

Client Configuration

There are two ways to share the output from client processing: via a standard file share or via email.

File Share Configuration

  
To use the file share option, you need to provide a file name and the share folder details. This is a
good option if the entire application is running on a local network so potentially sensitive
information does not have to leave that network.

Even if the network is in a protected environment, it is best practice to use a file share with the
minimum privileges required, as follows:

To allow client access: Grant read/write access to the user level being used to run the configuration
tool. If this is the local Administrator or a Power-User, then this user level needs to have the above
access to the share. This allows testing via the configuration tool; when the configuration is saved
and scheduled, it is scheduled under that user account.

To allow server access: The Power Advisor System Health Server service (Local System Account)
requires read/write permission.
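
An added example, not part of the original document or the product's tooling: a PowerShell check of the NTFS permissions on the share folder that reports any account outside the two described above that holds write-type rights. The folder path and account names are placeholders (assumptions).

```powershell
# Added example: report accounts with write-type NTFS rights on the share/drop folder.
# The path and account names below are placeholders (assumptions), not product values.
$FolderPath = '\\fileserver01\PASH-Diagnostics'   # hypothetical share folder
$Allowed    = @(
    'NT AUTHORITY\SYSTEM',   # server service (Local System Account) on a local folder
    'SITE01\PASHSRV01$',     # hypothetical: on a remote share, Local System appears as the computer account
    'SITE01\pash-config'     # hypothetical user that runs the configuration tool
)

function Get-UnexpectedWriter {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedIdentity
    )
    # Specific rights that let an account add, change or remove files, or alter the ACL.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Generic bits (GENERIC_ALL, GENERIC_WRITE) show up on some inherit-only entries.
    $mask = [int]$rights -bor 0x10000000 -bor 0x40000000

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }                 # deny entries grant nothing
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }     # read-only entry
        $id = $ace.IdentityReference.Value
        if ($AllowedIdentity -contains $id) { continue }                     # -contains ignores case
        [pscustomobject]@{
            Identity  = $id
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings = @(Get-UnexpectedWriter -Path $FolderPath -AllowedIdentity $Allowed)
if ($findings.Count -eq 0) {
    "OK: only the expected accounts can write to $FolderPath"
} else {
    # Each row is an account to review and, if not required, remove from the ACL.
    $findings | Format-Table -AutoSize
}
```

This covers NTFS permissions only; share-level permissions on the file server are a separate list and need the same review.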

The Encrypt Contents option should be set to ‘Yes’ so that the contents of the json files are
encrypted for an additional layer of protection. The only situation where this should be set to ‘No’ is
for legacy systems where the Server version does not support receiving encrypted content.

Email Configuration

To use the email option, access to an SMTP server to relay the message is required. The setup of an
SMTP relay server is out of the scope of this document – consult your IT group regarding the setup.

Configure this page with the SMTP and email details as provided with the following recommended
settings:

Use SSL: Yes – We only recommend using an SMTP server with SSL enabled.
SMTP Password: The password of the SMTP user should be sufficiently complex.

The Encrypt Contents option should be set to ‘Yes’ so that the contents of the emails are encrypted
for an additional layer of protection. The only situation where this should be set to ‘No’ is for legacy
systems where the Server version does not support receiving encrypted content.

Note that the SMTP server is for relaying purposes and a secure destination email account is also
required to be provided. Consult your IT provider regarding best practices for setting up a secure
email server.

Server Configuration

Incoming Email Configuration

Setting: Detail

Process Emails: Enable or disable incoming email processing. Set this when diagnostics data to
Mission Control is not routed through emails.

Process Only Secure Files: Set to Yes, this tells Mission Control to only accept secure Diagnostics
emails that contain an embedded security key. The only use case for setting this to No is for legacy
installations, as any emails received are processed.

Process Only Encrypted Files: Process Only Encrypted Files should be set to ‘Yes’ so that only
encrypted emails are processed for an additional layer of protection. The only situation where this
should be set to ‘No’ is for legacy systems receiving information from legacy clients that do not
support encryption.

Mail Server: The incoming mail server receiving the system diagnostics e-mails. Note that the mail
server should be accessible from the system running Mission Control and must be an IMAP Server.
Consult your IT provider regarding best practices for setting up a secure email server.

Share Folder Configuration

Setting: Detail

Process Drop Location: Enable or disable the processing of a local or share folder for diagnostics.

Process Only Secure Files: Set to Yes, this tells Mission Control to only accept files from secure
Diagnostics clients that contain an embedded security key. The only use case for setting this to No
is for legacy installations, as any files received are processed.

Drop Folder: Location of diagnostics files. This could be a local directory or a network location. The
Power Advisor System Health Server service (Local System Account) requires read/write permission.

Server Database Authentication

Ensure authentication is enabled: set the Authentication toggle to Yes, enter a complex
password and save the settings. The underlying user account is intentionally hidden for additional
security.

Power Advisor System Health Web Portal User Authentication

For a Server install, a Windows user group ‘MissionControlUsers’ is created at install time and only
local Administrators are assigned access. Any local Windows Administrator user will now be able to
log in to Mission Control using their Windows credentials. Only add trusted users as required to this
group to allow them access to the web portal.

Power Advisor System Health Web Portal Encryption

By default, when the web portal is installed, a website is created with a default virtual directory.
Both http (port 80) as well as https (port 443) are enabled. To maximise security, it is recommended
that http is disabled and a Server Certificate is obtained and installed to ensure the identity of the
web portal.
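
An added example, not part of the original document or the product's tooling: a PowerShell check, run from a client machine, that the portal no longer answers on port 80 and that port 443 presents a certificate the client trusts for the portal's name. The host name is a placeholder (assumption).

```powershell
# Added example: confirm the web portal is reachable over HTTPS only with a trusted certificate.
$PortalHost = 'pash-server.example.internal'   # hypothetical portal host name (assumption)

function Test-PortalTransport {
    param([Parameter(Mandatory)][string]$HostName)

    $report = [ordered]@{
        Host       = $HostName
        HttpOpen   = $null
        TlsTrusted = $false
        Subject    = $null
        NotAfter   = $null
        Error      = $null
    }
    # Port 80 should refuse connections once http has been disabled.
    $report.HttpOpen = (Test-NetConnection -ComputerName $HostName -Port 80 `
                        -WarningAction SilentlyContinue).TcpTestSucceeded

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, 443)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Default validation: throws if the chain is untrusted, expired, or the name does not match.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.TlsTrusted = $true
        $report.Subject    = $cert.Subject
        $report.NotAfter   = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        # Connection refused, handshake failure, or certificate validation failure.
        $report.Error = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$report
}

$result = Test-PortalTransport -HostName $PortalHost
$result | Format-List
if ($result.HttpOpen -or -not $result.TlsTrusted) {
    Write-Warning 'Portal transport does not match the recommendation: http open or certificate not trusted.'
}
```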
