Bigfix Server hardening has stopped access on to the servers

AnushaHN 2023-03-18 16:07:27 UTC #1

Hi there,

Our operator of the BigFix tool sent a policy for hardening error and blocked and hardened the client’s servers, blocking their access and we cannot go down this policy on the server (we have several servers in this condition). For this reason, we need to know if there is any way or protocol that allows us to bypass to the formal access of the server in order to disable bigfix and recover control of the server.

JasonWalker 2023-03-18 17:38:25 UTC #2

We’d need a lot more details on what you’re talking about.

Can you still access the BigFix Console or WebUI, and are the target computers still checking in?

By “blocked access”, do you mean the hardening policy has broken your Remote Desktop and/or SSH, or access to BigFix itself?

There are no “back doors” in BigFix itself, but if you’re talking about blocked RDP or SSH and you can still use BigFix, there should be ways to restore your other accesses. If you’ve broken BigFix communication but can still access RDP or SSH or some other protocol, you can fix the BigFix communication. If you’ve lost both types of access, you’ll either need physical access to the machines or another out-of-band management tool.

I can give tips and pointers on these, but will need a lot more detail about what’s working and what isn’t.

If you’ve lost all your “normal” accesses to the machines, some other methods to consider

Do you have BigFix MDM deployed? Perhaps you can use MDM to reconfigure endpoints and restore access.
Do you have any other MDM deployed?
Do you have out-of-band management access like iLO, iDRAC, IPMI, AMT?
Do you have an EDR (CrowdStrike, Carbon Black, etc.)? Maybe those can send commands?
Do you have a centralized Antivirus (Symantec, McAfee, etc.)? Those can send commands
Do you have VPN or NAC clients that allow sending actions from the server?
Can you remotely access the machines with PSExec, Task Scheduler, PowerShell Remoting?

AnushaHN 2023-03-18 17:55:37 UTC #3

JasonWalker:

We’d need a lot more details on what you’re talking about.

Can you still access the BigFix Console or WebUI, and are the target computers still checking in?

By “blocked access”, do you mean the hardening policy has broken your Remote Desktop and/or SSH, or access to BigFix itself?

There are no “back doors” in BigFix itself, but if you’re talking about blocked RDP or SSH and you can still use BigFix, there should be ways to restore your other accesses. If you’ve broken BigFix communication but can still access RDP or SSH or some other protocol, you can fix the BigFix communication. If you’ve lost both types of access, you’ll either need physical access to the machines or another out-of-band management tool.

I can give tips and pointers on these, but will need a lot more detail about what’s working and what isn’t.

If you’ve lost all your “normal” accesses to the machines, some other methods to consider

Do you have BigFix MDM deployed? Perhaps you can use MDM to reconfigure endpoints and restore access.
Do you have any other MDM deployed?
Do you have out-of-band management access like iLO, iDRAC, IPMI, AMT?
Do you have an EDR (CrowdStrike, Carbon Black, etc.)? Maybe those can send commands?
Do you have a centralized Antivirus (Symantec, McAfee, etc.)? Those can send commands
Do you have VPN or NAC clients that allow sending actions from the server?
Can you remotely access the machines with PSExec, Task Scheduler, PowerShell Remoting?

Hi Jason,

I am grateful for your swift response.

Yes we can login only RDP to console and Bigfix root server. None of the target computers are kicking in because we have blocked the port 52311 on GCP for now.

By “blocked access”, do you mean the hardening policy has broken your Remote Desktop and/or SSH, or access to BigFix itself?
hardening policy has broken SSH. Only RDP is working for now.

MDM not deployed. We have GCP command line which can send commands

Regards,
Anusha

AnushaHN 2023-03-18 17:58:18 UTC #4

We also have Crowd Strike

JasonWalker 2023-03-18 18:39:07 UTC #5

So you blocked the 52311 through GCP? Why not just unblock it?

AnushaHN 2023-03-19 06:25:23 UTC #6

Unblocking it would stop our ssh again.

AnushaHN 2023-03-19 06:26:13 UTC #7

We had raised bigfix l2 support case CS0382169 for which it was told that the policy of server hardening cannot be removed now !

JasonWalker 2023-03-19 12:03:12 UTC #8

That’s correct. You can apply a new policy, but there’s no “undo” button.

mesee2 2023-03-19 18:23:23 UTC #9

Policy that was applied, can not un-applied is correct via the same policy, however if it continues to be re-applied then you likely have an Active Action which is doing it - just stop the action, re-enable the Bigfix client ports and pick up the pieces.

If you know how to re-enable via cli or other, you can simply make a new fixltet, task and re-enable the disable services

As you have seen hardening policies are best tested on a small set of systems first before promoting to the entire environment. Please consider using groups to target new policies before targeting an entire os platform, etc.