3 Replies Latest reply on Nov 16, 2017 3:37 PM by Bill Robinson

    Bladelogicrscd local account purpose

    Daniel Bousquin

      My role is managing the security aspect of BladeLogic and I'm not familiar with agent installation.

      Our installation is 8.6.

      An auditor is asking why the local account BladelogicRSCD is not under our password management system.

      The account does not have any privilege and the Agent Service is running as Local System.

      The little I know about the BladelogicRSCD account is that it gets created by the agent software.

      My questions are:

      1. Does the account need to exist? If so, why?

      2. Should the password be managed under the password management system?

      3. Is there any security impact with this account, even though it is not a member of any groups?

      Thank you

        • 1. Re: Bladelogicrscd local account purpose
          Bill Robinson

          1. Does the account need to exist? If so, why?

          If you only use automation principals to communicate with the server you can use 'chapw -d' to remove the account; otherwise it must exist for the User Principal Mapping (Impersonation and privilege mapping - BMC Server Automation 8.9) due to how the Windows user impersonation works.

          2. Should the password be managed under the password management system?

          Generally we don't recommend this, because if the password gets changed incorrectly you will lock yourself out of your servers and need to either write some PowerShell or manually go fix them. 'chapw' has a '-r' (random) option to reset the password, or you can actually supply a password. chapw (and 'agentctl passwd' if the rscd is down) is the only way to change the password. If you just change the password on the OS, the agent won't work. Some customers resolve the auditing issue by running 'chapw -r' on a time interval and then running a Compliance (or other) Job that shows when the password was last changed. Depending on the password management system, maybe you can have that fire off a job in BSA that changes the password based on its own rules.

          3. Is there any security impact with this account, even though it is not a member of any groups?

          AFAIK, no. It's only used for the user impersonation through the rscd.

          • 2. Re: Bladelogicrscd local account purpose
            Daniel Bousquin

            Thanks again Bill,

            Just one last question:

            Obviously the BladelogicRSCD account should exist, but we have a few cases where it is in the Administrator group and on others it isn't.

            Does it have to be in the Administrator group?

            • 3. Re: Bladelogicrscd local account purpose
              Bill Robinson

              It should never be in the Administrators group.

              If you have the rscd installed on a domain controller, I believe it will show up in Domain Users because a domain user has to be in a group. The local account on the server (member or standalone) should not be in any groups.
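The two points Bill makes above (the account should be in no local groups, and password rotation via 'chapw -r' is something you evidence with a job rather than by touching the account in the OS) can be turned into a read-only compliance check. The script below is an added example for this thread, not code from BMC or from either poster. It assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroup, Get-LocalGroupMember), an elevated session, and a 90-day password-age threshold that is a constructed example value, not anything the thread states.

```powershell
# Added example (not from the thread or from BMC): read-only compliance check for the
# local BladelogicRSCD account. It reports, it does not change anything; password
# changes stay with 'chapw' / 'agentctl passwd' as described in the thread.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts). Run elevated.
# The account name default and the 90-day threshold are assumptions for illustration.

param(
    [string]$AccountName = 'BladelogicRSCD',
    [int]$MaxPasswordAgeDays = 90
)

function Test-RscdAccount {
    param([string]$Name, [int]$MaxAgeDays)

    $findings = New-Object System.Collections.Generic.List[string]

    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if (-not $user) {
        # Absence is only expected when the agent uses automation principals and 'chapw -d' was run.
        $findings.Add("INFO: local account '$Name' does not exist (expected only after 'chapw -d').")
        return $findings
    }

    # Match group members by SID rather than display name, so the COMPUTER\ prefix and
    # renamed hosts do not cause false negatives.
    $sid = $user.SID.Value
    foreach ($group in Get-LocalGroup) {
        try {
            $members = Get-LocalGroupMember -Group $group.Name -ErrorAction Stop
        } catch {
            # Orphaned SIDs in a group make Get-LocalGroupMember throw; skip that group rather than abort.
            continue
        }
        if ($members | Where-Object { $_.SID.Value -eq $sid }) {
            # Administrators is the case the thread calls out explicitly; any other group is still a deviation.
            $severity = if ($group.Name -eq 'Administrators') { 'FAIL' } else { 'WARN' }
            $findings.Add("${severity}: '$Name' is a member of local group '$($group.Name)'; it should be in none.")
        }
    }

    # Password age is what an auditor can be shown; rotation itself must go through chapw.
    if ($user.PasswordLastSet) {
        $ageDays = [int]((Get-Date) - $user.PasswordLastSet).TotalDays
        if ($ageDays -gt $MaxAgeDays) {
            $findings.Add("WARN: password last set $ageDays days ago (threshold $MaxAgeDays); rotate with 'chapw -r', not via the OS.")
        } else {
            $findings.Add("PASS: password last set $ageDays days ago (threshold $MaxAgeDays).")
        }
    } else {
        $findings.Add("WARN: PasswordLastSet is empty; password age cannot be evidenced for this account.")
    }

    return $findings
}

Test-RscdAccount -Name $AccountName -MaxAgeDays $MaxPasswordAgeDays | ForEach-Object { Write-Output $_ }
```

Running this from a BSA NSH Script Job or a Compliance Job on a schedule gives the auditor the evidence Bill describes (group membership and last password change date) without anyone resetting the password outside of chapw; a FAIL line on the Administrators group is the condition from the last reply that should never occur.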