Security Concern?

Our institution recently had a “pentest” and they flagged our main BigFix server as having a potential issue. In particular, they said the masthead file was available from the Internet, meaning someone could see our license number, company, etc. Now I have our Information Security group asking about this.

https://<target_IP>:52311/masthead/masthead.axfm

https://<target_IP>:52311/cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands

https://<target_IP>:52311/cgi-bin/bfenterprise/BESMirrorRequest.exe

We need to have our BigFix server facing the Internet if we want to patch systems on the road (laptops, computers at home, etc.) so I don’t think there’s any way to block this?

We’re running the latest release 10.0.7.

The recommended configuration for this would be to implement a “DMZ Relay” configuration, and configure that relay for Relay Authentication.

The root server itself should never be exposed to Internet traffic.

1 Like

https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Installation/c_relays.html#c_relays is a good starting point, but I’d strongly advise you consult with your HCL Tech Advisor to understand best practices for your configuration.

If you don’t have a TA or don’t know who it is, let us know and we can help you find out.

2 Likes

OK thanks!

Yes, we’ll need a TA. Our install is from the Version 8 days (but has since been upgraded software and hardware-wise).

1 Like

Crowsj,

Where are you located so that we can assign the right TA based on Country/Province/State?

I’ll also send you and Jason a PM so you can respond there. Thank you.

Dan - Global TA Lead

We’re in California, USA (Bay Area if that matters).

Can you send me your full name, email address and best number to reach you?

You can also send it to my email… Even though I’m out of office I can forward it on appropriately. daniel.paquette@hcl.com

@crowsj I’ve sent you some links directly. Please let me know if we need to jump on the phone.

1 Like