Third-Party System Credentials Security

A common question raised by various AggreGate partners is "why are the passwords stored in plain text and can be viewed/exported by AggreGate operators?"

As a monitoring and control system, AggreGate connects to and authenticates with various external devices, systems, and databases. To do this, AggreGate Server must store authentication credentials for third-party systems.

This simple fact effectively means that any intruder who has administrator-level access to the operating system of the machine AggreGate Server is installed on will be able to obtain all passwords AggreGate Server uses to connect to third-party devices and systems.

There is no way to avoid that: even if all passwords were encrypted with some cipher, AggreGate Server source code will always contain sufficient information to decrypt them.

The same applies to AggreGate Server users: any AggreGate Server user who has unrestricted access to all system objects (such as the default administrator) will be able to obtain the passwords AggreGate Server uses to access external devices/systems.

Password Protection Policies

Given the above, AggreGate Server administrators should follow a number of rules to avoid password compromise.

The rules below assume that a trusted user is a person who is legally allowed to access any device/system AggreGate Server connects to.

Password protection rules:

  • OS-level access to the machine AggreGate Server is installed on should be limited to trusted users only.

  • If any non-trusted person must for some reason have access to the AggreGate Server machine, this person must not have read-level access to the AggreGate Server installation folder and any data folders (e.g. database folder). Such a person must also be blocked from accessing AggreGate Server process memory.

  • Any non-trusted AggreGate Server user must not have read-level permissions for variables and execution permissions for functions whose values contain passwords.
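
An added example (not part of the AggreGate documentation or product) of checking the second rule on a Linux host: it lists entries under a folder that are readable by "other" or by any group except a trusted one. The folder path and group name passed to it are placeholders you supply; the page does not specify them.

```shell
#!/bin/sh
# Added example: audit read access on the AggreGate Server installation and
# data folders. Paths and the trusted group name are assumptions (placeholders).
#
# Usage (placeholders, not real AggreGate paths):
#   audit_readable /path/to/aggregate-install trusted-admins
#   audit_readable /path/to/aggregate-database trusted-admins

# audit_readable DIR [TRUSTED_GROUP]
# Prints every file or directory under DIR that is
#   - readable by "other" (any local account), or
#   - group-readable while owned by a group other than TRUSTED_GROUP
#     (with no TRUSTED_GROUP given, every group-readable entry is reported).
# Returns 0 if nothing is exposed, 1 if findings were printed, 2 on bad input.
audit_readable() {
    dir=$1
    trusted_group=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Entries with the other-read bit set (octal 0004). Symlinks are skipped
    # because their own mode bits are not what controls access.
    world=$(find "$dir" ! -type l -perm -0004 -print)

    # Entries with the group-read bit set (octal 0040) outside the trusted group.
    if [ -n "$trusted_group" ]; then
        group=$(find "$dir" ! -type l -perm -0040 ! -group "$trusted_group" -print)
    else
        group=$(find "$dir" ! -type l -perm -0040 -print)
    fi

    # Merge both lists, drop empty lines and duplicates.
    findings=$(printf '%s\n%s\n' "$world" "$group" | sed '/^$/d' | sort -u)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

This covers file-system read access only; access to the server's process memory and the AggreGate-level permissions in the third rule have to be reviewed separately.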
