You'll probably need to configure it all up to join the domain. Good luck with that. To be honest it sounds like crying about nothing. If the AD user you are using is set up properly it's a non-issue. And really it's no less secure than using SNMP. Also keep in mind that cacti itself doesn't just automatically join the domain either, you'd need to set that up to use LDAP and then SSL LDAP which is possibly another headache.

argon0 wrote:
Ok, my security guy said he would prefer it if it used Kerberos, can you run through how I set it up for this? Or is this the default? If it is how does it work?
I.e. how is the client authenticating using kerberos without joining the domain (which, as I understand it, is a requirement of kerberos...)
Argon0
To save yourself a heap of headache this is what you want
* Create your AD user
* Deny it pretty much everything via group policy so that it can only be used to remote WMI (e.g. disabling interactive logon etc, and one would hope you already have something in place for service accounts...)
* Allow it read only access to the WMI root
* Allow it remote execute access to DCOM
* Use group policy to add the user or a group the user is in to the local machine's performance monitors group so it can read counters
And that's really it. It will use NTLM by default which is fine for this (and NTLMv2 isn't exactly that bad). If the user is compromised it can't access anything or logon interactively to machines and assuming you haven't used "Domain Users" everywhere to define access you shouldn't have any problems with it accessing file shares it shouldn't.
In all cases your wmi-logins.php will have the credential in plain text. You're more likely going to get someone reading that than someone sniffing it over the wire. And to be honest Cacti doesn't do stuff all input parsing and thus you can easily do all sorts of fun stuff so if security is such an issue you shouldn't be using Cacti at all.
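The account setup in the list above, scripted in PowerShell as an added example (not code from this thread or from Cacti). It assumes the RSAT ActiveDirectory module on the admin box, PowerShell 5.1+ on the target, and placeholder names svc-cacti-wmi, CORP and monitored01; interactive-logon denial stays in GPO as the post says, and membership in "Distributed COM Users" is used as a simpler substitute for editing the DCOM ACLs by hand.

```powershell
# Added example: least-privilege AD account for remote read-only WMI polling.
# Names below are placeholders, not values from the thread.
param(
    [string]$User   = 'svc-cacti-wmi',
    [string]$Domain = 'CORP',
    [string]$Target = 'monitored01'
)
Import-Module ActiveDirectory

# 1. Create the service account. "Deny log on locally" etc. is applied via GPO, not here.
$pw = Read-Host -AsSecureString "Password for $User"
New-ADUser -Name $User -SamAccountName $User -AccountPassword $pw -Enabled $true `
           -PasswordNeverExpires $true -CannotChangePassword $true -Description 'Cacti WMI read-only'
$sid = (Get-ADUser $User).SID.Value

# 2. On the target: read-only WMI ACE (Enable Account + Remote Enable, no Method Execute,
#    no write, inherited by sub-namespaces) plus the two local groups.
Invoke-Command -ComputerName $Target -ArgumentList $sid, "$Domain\$User" -ScriptBlock {
    param($sid, $account)
    $WBEM_ENABLE = 0x1; $WBEM_REMOTE_ACCESS = 0x20; $CONTAINER_INHERIT_ACE = 0x2
    $ns = @{ Namespace = 'root'; Path = '__systemsecurity=@' }
    $sd = (Invoke-WmiMethod @ns -Name GetSecurityDescriptor).Descriptor

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SidString = $sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS   # read-only remote access
    $ace.AceFlags   = $CONTAINER_INHERIT_ACE                  # apply to child namespaces
    $ace.AceType    = 0                                       # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee
    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    Invoke-WmiMethod @ns -Name SetSecurityDescriptor `
        -ArgumentList $sd.PSObject.ImmediateBaseObject | Out-Null

    # Performance Monitor Users: read perf counters. Distributed COM Users: remote
    # DCOM launch/activation (substitute for hand-editing DCOM permissions in dcomcnfg).
    Add-LocalGroupMember -Group 'Performance Monitor Users' -Member $account
    Add-LocalGroupMember -Group 'Distributed COM Users'     -Member $account
}

# 3. Check from the poller side that a plain read works with the new account.
$cred = New-Object System.Management.Automation.PSCredential("$Domain\$User", $pw)
Get-CimInstance -ComputerName $Target -Credential $cred -ClassName Win32_OperatingSystem |
    Select-Object CSName, LastBootUpTime
```

Re-run step 2 per monitored host, or push the group memberships through the same GPO the post mentions; the WMI namespace ACE still has to be set on each machine.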