What We're Working on for NPM (Updated: February 8, 2021)

Following the Sunburst security incident, SolarWinds remains committed to the safety and security of our products and technology. Throughout 2021, we will prioritize security enhancements ahead of feature development to maximize customer safety and ensure confidence in SolarWinds and our products.  

Items currently being considered include, but are not limited to:

  • Vulnerability fixes identified by third-party scanning tools or recent product penetration tests (pentesting)
  • Documentation of least privileges for Orion Platform operation and monitoring including Orion agents
  • Validation of CIS IIS and SQL Server best practices
  • Secure settings by default with user control
  • Removal of any code unsupported by Microsoft
Anonymous
  • i need to start NPM from basics

  • While this is great to add a security focus going forward, where are the feature enhancements and stability improvements for the 6 months of dev time between 2020.2 released and the hack release? At this point, it sounds like we're going to go a complete year without a new feature enhancements. A great example is that is has been 9 years since reoccurring maintenance windows within the platform has been requested...

  • I recently had my manager request for password-less access for certain monitoring personnel and I'm using the built in Guest account for the first time.  After examining how it's set up, it appears that you can limit most listed pages in the account profile (granted you have to remove each one individually) but with the Guest account I can still put in a non-listed Solarwinds URL directly and it will load (though I can't change anything, I can view the page.)   So I'd like to see a security revamp on user accounts and the Guest account as well.

  • Heartily agree - the user permissions appear to be an all or nothing in some circumstances and desperately need to be improved as part of the security re-think/approach.

  • With all these security stuff planned, are there also any RBAC improvement for the platform ?
    For the time being an admin role is still needed for some basic/day-to-day operation.