Security Protected Settings
There are many settings for PA File Sight which are available under:
HKEY_LOCAL_MACHINE\software\PAFileSight
There are a few settings that are important enough that some customers don't even want administrators to be able to make changes to them. For these cases, there are a few settings in:
HKEY_LOCAL_MACHINE\software\PAFileSight\Protected
A separate registry key is used so you can set additional access protections using the operating system to control who can change these settings. Be sure that the PA File Sight service can read these settings.
Settings
All settings below can be set to 1 or 0.
- AllowExpiredHTTPSCertsInClient
- Any time an internal HTTPS request is made (Console to the Central Server, Satellite to the Central Server, Web Page monitor, etc.) a decision has to be made whether to accept a connection to an endpoint that has an expired SSL/TLS certificate. Even if it is expired, the connection is still encrypted. Setting this to 1 allows connections using expired certificates, and 0 blocks those connections. Defaults to 0.
- DisableBlankLocalLogin
- When the Console on the Central Monitoring Service is run, if the user is a local administrator they are able to log in without a username/password. To disable this, set this value to 1. See Remote Users for defining logins. Defaults to 0.
- DisablePasswordExport
- When exporting configuration data, sometimes passwords can be exported as well. Setting this value to 1 will disable exporting passwords. Defaults to 0.
- EnableScriptCredentialAccess_Custom
- If this value is set to 1, the Execute Script monitor or action can request configured Custom credentials for arbitrary devices via the $mon.GetCredentials or $act.GetCredentials function. The functions will fail if this value is set to 0. Defaults to 0.
Because of the concern of scripts exfiltrating credentials, we recommend locking monitors or actions that use the GetCredentials function.
- EnableScriptCredentialAccess_All
- If this value is set to 1, the Execute Script monitor or action can request any configured credentials for arbitrary devices via the $mon.GetCredentials or $act.GetCredentials function. The functions will fail if this value is set to 0. Defaults to 0.
Because of the concern of scripts exfiltrating credentials, we recommend locking monitors or actions that use the GetCredentials function.
- SNAP_AllowTunnel2
- SNAP Tunnels allow tunneling a connection to a remote device across the communication link between the Central Monitoring Service and a Satellite Monitoring Service. This is useful for getting to an RDP session on a remote device. Tunnels can be disabled completely by setting this value to 0 on the Central Monitoring Service, or by setting it to 0 on a Satellite to disable tunnels to that specific Satellite. Defaults to 1.
- SNAP_AccessUnmonDevices
- When a SNAP Tunnel is created, the creating user's access is checked to confirm they have access to the device. If connecting to an unmonitored device (perhaps by creating a tunnel from the External API), set this value to 1 to disable access checks. Defaults to 0.
- SNAP_AllowTunnelFromAnonAPI
- The External API can create SNAP Tunnels and requires a username and password. To enable the legacy mode of not requiring credentials, set this value to 1. Defaults to 0.
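
An added example (not vendor code): a PowerShell audit of the Protected key described above. It lists each setting's effective value beside its documented default and the most restrictive value implied by the descriptions, then shows which accounts hold write-capable rights on the key. It assumes a missing value means the documented default applies.

```powershell
# Added example: audit the Protected key (not vendor code).
$key = 'HKLM:\SOFTWARE\PAFileSight\Protected'

# Name = @(documented default, most restrictive value per the descriptions above)
$settings = [ordered]@{
    AllowExpiredHTTPSCertsInClient      = @(0, 0)
    DisableBlankLocalLogin              = @(0, 1)
    DisablePasswordExport               = @(0, 1)
    EnableScriptCredentialAccess_Custom = @(0, 0)
    EnableScriptCredentialAccess_All    = @(0, 0)
    SNAP_AllowTunnel2                   = @(1, 0)
    SNAP_AccessUnmonDevices             = @(0, 0)
    SNAP_AllowTunnelFromAnonAPI         = @(0, 0)
}

if (-not (Test-Path -LiteralPath $key)) {
    Write-Warning "$key does not exist; nothing to audit."
    return
}

$props = Get-ItemProperty -LiteralPath $key   # $null when the key holds no values
$report = foreach ($name in $settings.Keys) {
    $default, $restrictive = $settings[$name]
    $prop = if ($props) { $props.PSObject.Properties[$name] }
    # Assumption: a missing value means the documented default applies.
    $effective = if ($prop) { [int]$prop.Value } else { $default }
    [pscustomobject]@{
        Setting     = $name
        Present     = [bool]$prop
        Effective   = $effective
        Default     = $default
        Restrictive = $restrictive
        Review      = ($effective -ne $restrictive)
    }
}
$report | Format-Table -AutoSize

# Accounts whose Allow entries let them change values or the key's permissions.
# Inherit-only entries expressed as generic rights are not decoded here.
$R = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                   $R::ChangePermissions -bor $R::TakeOwnership)
(Get-Acl -LiteralPath $key).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.RegistryRights) -band $writeMask) -ne 0 } |
    Select-Object IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize
```

Rows with Review set to True are not necessarily wrong; they mark settings that are more permissive than they could be and deserve a recorded reason. The second table should also be checked against the requirement that the PA File Sight service account can still read the key.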