Concerns about local execution mode for PowerShell script components

admin_nsn

Hi Thwack

What are your thoughts about the setting "Local execution" mode on the PowerShell script components? Effectively allowing a user to execute any PowerShell code they wish directly on the polling engine. Of course, you require the SAM admin role to be able to do this in the first place, but even then I think it is a huge security problem. 

We have several admins that configure SAM monitoring every day and thus require the SAM admin role. But they do not and should not have access to the infrastructure behind (polling engines etc.). But, any nefarious admin could just create a new local admin user by using the local execution mode and jump right into the server with this newly created user. This is just one example and of course, you could have implemented other security measures disallowing this. 

But I still think not being able to disable this function or at least have a couple more permission levels for admins/users, is a bit silly.

What are your thoughts on this? And have you done anything to combat this potential vulnerability?

mesverrum

As you said, if someone is a SAM admin I assume they have admin access to the SW server.  If they are not a person I could trust with the responsibility then they are not someone I can make a SAM admin. Over the years at big enterprises I have had to build many abstraction layers to isolate users from the loose RBAC built into the platform.  Would have saved me a ton of work if I just had granular RBAC natively, but i can think of a dozen places where SW doesn't give me that so  I just work around it when I need to.