What We're Working On for SAM (Updated: February 8, 2021)

Following the Sunburst security incident, SolarWinds remains committed to the safety and security of our products and technology. Throughout 2021, we will prioritize security enhancements ahead of feature development to maximize customer safety and ensure confidence in SolarWinds and our products.  

Items currently being considered include, but are not limited to:

  • Vulnerability fixes identified by third-party scanning tools or recent product penetration tests (pentesting)
  • Documentation of least privileges for Orion Platform operation and monitoring including Orion agents
  • Validation of CIS IIS and SQL Server best practices
  • Secure settings by default with user control
  • Removal of any code unsupported by Microsoft
Anonymous
  • I hope modern authentication would be supported in Exchange

  • Can anyone expound on the "Validation of CIS IIS and SQL Server best practices" item? Does this mean that the configuration wizard now follows best practices, or that AppInsight templates for IIS and SQL Server can monitor for compliance?

  • A reverse proxy can sometimes include web application firewall functionality (such as Citrix Netscaler / ADC). They can also add MFA at the point of reverse proxy, which puts the security closer to the edge, and can potentially stop malicious traffic before it even gets to your Orion login page.

  • Can you elaborate on this recommendation a bit more? I'm not terribly familiar with reverse proxies, but I know our infrastructure team is implementing MFA in front of things like our Office 365 and our VPN. I'd love to increase the security of our Orion instance to allow it to be internet facing.

  • While a tiny part of me is disappointed to know that we shouldn't expect new features in SAM this year, I am still very excited to see this work being done. These are very important steps that in the end, will help make sure that both your company and my company stay out of the [breach] news! Will there be a clear publication and announcement of the new LUP documentation that comes out?