CheckMK Domain Controllers


Regarding the implementation of domain controllers, I have some security questions:

1. Can we create a separate group for these servers without any write/change permissions on the DCs?
For example, using the agent with a read-only user.
2. How is the retrieved monitored data secured or encrypted?
3. Does any whitepaper or information for the installed checkMK agent exist regarding security/risks?

Thanks a lot.

Hi Pedro,

  1. The agent is read-only by design, which means you cannot send any commands to it. So even if it is running as local-system, this is not a flaw, but by design. It needs that right to read certain system information.
    Letting it run under a domain account is a bad idea, as you extend its rights to the domain level. Local-system is local only, while a domain user is not.

  2. Search in setup for “encryption”. You will find the agent encryption ruleset. (With the upcoming 2.1 release there will be an even more sophisticated possibility to use TLS)
    Besides this, set an IP-access list. If you are using the enterprise edition and the agent bakery this can be deployed automatically if you use the Agent update feature.
    Besides this: of course you should run your server with HTTPS.

  3. Security - Additional safeguarding for Checkmk



Thank you so much for the explanation.

This helps me a lot.