BigFix server hardening has stopped access to the servers

Hi there,

Our BigFix operator sent a hardening policy by mistake; it hardened the client's servers and blocked access to them, and we cannot roll this policy back on the servers (we have several servers in this condition). For this reason, we need to know if there is any way or protocol that lets us bypass the formal access to the server in order to disable BigFix and recover control of the server.

We’d need a lot more details on what you’re talking about.

Can you still access the BigFix Console or WebUI, and are the target computers still checking in?

By “blocked access”, do you mean the hardening policy has broken your Remote Desktop and/or SSH, or access to BigFix itself?

There are no “back doors” in BigFix itself, but if you’re talking about blocked RDP or SSH and you can still use BigFix, there should be ways to restore your other accesses. If you’ve broken BigFix communication but can still access RDP or SSH or some other protocol, you can fix the BigFix communication. If you’ve lost both types of access, you’ll either need physical access to the machines or another out-of-band management tool.

I can give tips and pointers on these, but will need a lot more detail about what’s working and what isn’t.

If you’ve lost all your “normal” accesses to the machines, some other methods to consider:

  • Do you have BigFix MDM deployed? Perhaps you can use MDM to reconfigure endpoints and restore access.
  • Do you have any other MDM deployed?
  • Do you have out-of-band management access like iLO, iDRAC, IPMI, AMT?
  • Do you have an EDR (CrowdStrike, Carbon Black, etc.)? Maybe those can send commands?
  • Do you have a centralized Antivirus (Symantec, McAfee, etc.)? Those can send commands.
  • Do you have VPN or NAC clients that allow sending actions from the server?
  • Can you remotely access the machines with PSExec, Task Scheduler, PowerShell Remoting?

Hi Jason,

I am grateful for your swift response. 

Yes, we can log in only via RDP to the console and the BigFix root server. None of the target computers are checking in because we have blocked port 52311 on GCP for now.

By “blocked access”, do you mean the hardening policy has broken your Remote Desktop and/or SSH, or access to BigFix itself?
The hardening policy has broken SSH. Only RDP is working for now.

MDM is not deployed. We have the GCP command line, which can send commands.

Regards,
Anusha

We also have CrowdStrike.

So you blocked the 52311 through GCP? Why not just unblock it?

Unblocking it would stop our SSH again.

We had raised BigFix L2 support case CS0382169, for which we were told that the server hardening policy cannot be removed now!

That’s correct. You can apply a new policy, but there’s no “undo” button.

It is correct that a policy that was applied cannot be un-applied via the same policy; however, if it continues to be re-applied then you likely have an active Action which is doing it. Just stop the action, re-enable the BigFix client ports and pick up the pieces.

If you know how to re-enable them via the CLI or otherwise, you can simply make a new Fixlet or task and re-enable the disabled services.

As you have seen, hardening policies are best tested on a small set of systems first before promoting them to the entire environment. Please consider using groups to target new policies before targeting an entire OS platform, etc.
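A task body of the kind described in the two replies above, written here as an added example in BigFix ActionScript (it is not code from this thread or from HCL). It assumes the hardening action disabled the OpenSSH systemd unit, named sshd on RHEL-family and ssh on Debian-family systems; the hardening action must be stopped in the Console first, or it will simply re-apply.

```actionscript
// Added example: re-enable the OpenSSH service that a hardening action disabled.
// Assumed task relevance: name of operating system starts with "Linux"
// Assumption: the service was disabled/masked, not removed.

if {exists file "/usr/bin/systemctl"}
    // Pick the unit name present on this endpoint (sshd on RHEL-family, ssh on Debian-family)
    parameter "sshunit" = "{if exists file "/usr/lib/systemd/system/sshd.service" then "sshd" else "ssh"}"

    // Undo a mask first; enable/start fail silently on a masked unit
    wait /usr/bin/systemctl unmask {parameter "sshunit"}
    continue if {exit code of action = 0}

    // Make the service start at boot again and bring it up now
    wait /usr/bin/systemctl enable {parameter "sshunit"}
    continue if {exit code of action = 0}
    wait /usr/bin/systemctl restart {parameter "sshunit"}
else
    // Pre-systemd fallback (SysV init)
    wait /sbin/chkconfig sshd on
    wait /sbin/service sshd start
endif
```

Target the task at a small test group first, and keep the client port (52311) reachable from the relay so the endpoints can receive it; if the action reports Failed, the exit-code checks show which step did not complete.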
