It's a valid point but there are some other situations to consider:
1 - John doesn't log off the bladelogic console and walks away
2 - what else does john's network login have access to other than bladelogic?
3 - what other applications are left running when he walks away?
I would enforce a GPO that would lock the screen after x-min of inactivity. Of course someone could be lurking around the corner, hoping that John walks away and forgets to lock his workstation, so there's not much you can do about that on the technical level unless John has something embedded in or attached to his person that will lock the workstation.
You can configure the session credential lifetime but I don't know if there's something that will kill the creds on logoff of the gui. You could wrap the launcher.exe in a bat that runs a blcred -destroy after the launcher runs (I think it would keep the bat file open until you close the launcher.exe process, then kill the creds).
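The wrapper Bill describes, written out as an added example (not Bill's own script): it assumes launcher.exe lives under a BL_HOME directory and that blcred is on the PATH, and the `cred -destroy` subcommand form is an assumption to check against your client version.

```batch
@echo off
rem Wrapper for the BladeLogic console launcher (added example, not from the thread).
rem Assumptions: BL_HOME points at the client install directory and blcred is on the PATH.
setlocal
if "%BL_HOME%"=="" set "BL_HOME=C:\Program Files\BMC Software\BladeLogic"
set "LOG=%TEMP%\bl-console-wrapper.log"

rem start /wait blocks this script until the launcher process exits, so the
rem credential cleanup below only runs once the console has been closed.
start "BladeLogic Console" /wait "%BL_HOME%\launcher.exe" %*

rem Destroy the cached session credential as soon as the console is gone.
rem The post writes this as "blcred -destroy"; the subcommand form here is an
rem assumption - confirm the syntax for your blcred version.
blcred cred -destroy
if errorlevel 1 (
    echo [%date% %time%] credential destroy FAILED, cached credential may remain >> "%LOG%"
    exit /b 1
)
echo [%date% %time%] console closed, session credential destroyed >> "%LOG%"
endlocal
```

One thing to verify on a test workstation before rolling this out: if launcher.exe hands off to a child process and exits immediately, `/wait` returns early and the credential is destroyed while the console is still open.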
Thanks for your advice Bill.
The .bat file idea should work, I might try it.
I like the idea of the cached credential being destroyed as soon as a user logs off the console.
The company I'm working at is a little nervous about BL security already without the possibility of being able to log into a console using someone else's cached credentials.
In your experience do most BL implementations use NSH proxy?
Does anyone know how to automatically set the "Save credential for this session" box in the console logon screen?
We encourage customers to set up the NSH Proxy. It makes things a lot easier to manage.
Like I mentioned - you'd have to break into their workstation login account to get to the Bladelogic credentials or have physical access to the workstation, so I don't think Bladelogic poses any other special risk than any other app that you might leave running or that uses SSO w/ your domain login credentials.
I think there is a registry key for this under HKCU now. This used to stay checked across console sessions. In 8.0 it doesn't seem to stay checked, not sure if it's my workstation or what.
It doesn't stay checked for me. Users forget to check it and then get errors when running NSH commands.