Derdack

Targeted Alert Notifications – Anywhere Actions

Derdack
  • Use Cases
    • Overview
    • Enterprise IT Alerting
    • IT Managed Services
    • Mobile Alerting in Manufacuring
    • Critical Operations Alerting in Banking & Financial
    • Field Service Dispatching in Energy & Utilities
    • Use Cases in other Industries
  • Products
    • Overview
    • Enterprise Alert®
      • Overview
      • Alert Notifications
      • On-call Duty Scheduling
      • Collaboration
      • Anywhere Remediation
      • Incident Mgmt. App
      • Integrations
      • Technical Support
      • Online Knowledge Base
      • Derdack FAQ
    • SIGNL4® Cloud
    • References & More
  • How to Buy
    • Overview
    • Pricing and Quotes
    • Azure Marketplace
  • About Derdack
    • About
    • Careers
    • Strategic Partners
    • Derdack Podcast
    • Contact Derdack
  • News & Blog
  • Request Demo
    • de de
  • News & Blog

    • Home
    • News & Blog
    • Technical
    • Common Security related Questions and Answers

    Common Security related Questions and Answers

    • December 23, 2021
    • Technical
    Common Security related Questions and Answers

    In light of the recent news about yet another reported Zero-Day Exploit and the accompanying discussions about security, let’s touch on the topic of security audits and how Enterprise Alert can be configured to avoid or at least minimize potential security impact.

    First, let’s establish what we mean by security audit. A security audit is a systematic evaluation of the entire Enterprise Alert environment including the hosting Server OS, the application, and the peripheral components it connects to. The goal of such an audit can never be to make a server invulnerable to any and all attacks, the only realistic goal can be to make attacks as hard as possible and reduce the impact as much as possible.

    We here at Derdack, as the application provider, can only really deliver details on the application. The server OS and the network part are always better to be handled by the dedicated engineers of our customers, only they know the specifics of their companies’ requirements and concerns. We may touch shortly on those 2 sections where it concerns Enterprise Alert directly.

     

    Server OS

    In this section, I would like to quickly address a few touching points for Enterprise Alert as they are essential for a smooth operation of Enterprise Alert. The usual issues we get reported are small problems, technically within the system owner’s responsibility, but I’d like to address them here quickly. I will not touch on system variables for the above-stated reasons.

    Can the IIS splash screen be disabled?
    By default, the IIS is configured to display the IIS splash screen which often gets raised as an issue since it allows attackers to conclude what kind of operating system he is dealing with. This can be easily disabled in the IIS settings for the default website.

    Can Enterprise Alert be configured to not use a local system account?
    By default, the set run as accounts are NT AUTHORITY\SYSTEM (for all services) and NT AUTHORITY\NETWORK SERVICE (for the IIS ApplicationPool). We recommend using an AD Account instead of the default accounts directly as part of the advanced setup. If the application is already up and running you can still change the accounts without much of an impact on the system uptime.

    Must the RunAsAccount be a local administrator with LogOn permissions?
    Enterprise Alert requires the local administrator User role or equivalent permissions to provide all functionalities without issues. This might be an issue that is raised in a security audit as a concern since it allows additional users to log onto this server. Usually, this issue can be mitigated by denying the user logon permissions.

     

    Network

    In this section, I would like to cover items that might be raised by the security audit for network-related issues. Basically, this includes everything related to how Enterprise Alert is communicating with external systems. Technically this would include our Database connections as well, but I thought it more appropriate under the Application section.

    Which TLS versions does Enterprise Alert support?
    Enterprise Alerts fully supports TLS versions 1.0 to 1.2. the actual versions allowed can be controlled and restricted via the Operating system settings. The application is also prepared to utilize and support TLS1.3 depending on the availability within the operating system

    Can Mail communication be encrypted?
    With the Mail channel having multiple setup modes you will always be able to either enable SSL for receiving protocols (POP2, IMAP) and sending protocols (SMTP Server relay) or have it set as a default (o365, Exchange). Only SMTP Direct Delivery does not support a secure mode of communication and therefore should be avoided.

    Can VoIP communication be encrypted?
    VoIP-based communication with Enterprise Alert is in many cases still handled via insecure UDP packages but can be easily reconfigured to use TLS. This also provides for secure communication with an external VoIP provider unless communication to an external network is considered a security risk.

    Is Teams IM communication encrypted?
    The Microsoft Teams integration is SSL secured by default and shouldn’t come up during an audit unless communication to a system in a public network is considered a threat. If that is the case Microsoft Teams will not be an option since no on-premises alternative is available.

    Can SMS/text-based communication be encrypted?
    GSM Modems can be connected to Enterprise Alert either via a COM port, which can be considered a secure connection since no external access is possible or via a Telnet-based connection. As of this date, the Telnet connecting cannot be secured on the application level and will therefore appear in a security audit.
    Communication with an SMSC Provider via SMPP or UCP Protocol cannot be secured on an Application Level. But it is possible to do this on a network level and is often offered by SMSC providers.

    Is the communication between the mobile App and Enterprise Alert backend secure?
    The Mobile App requires access to the Enterprise Alert backend either via a public access point or via a VPN tunnel (provided via an MDM solution like BES or Intune) into your network. If you utilize ADFS or Azure AD as the Identyprovider make sure the Enterprise Alert App, as well as the enterprise Alert server, have access.  By default, all communication is SSL encrypted and access to the API is only granted when User credentials and a second factor is provided correctly to the API. For sending Push notifications all communication is, by design, secured via SSL.

    Is the communication for 2-way connectors encrypted?
    All smart connectors support secure communication via SSL encryption so any findings in that direction can easily be rectified by reconfiguring the URLs to utilize SSL encryption for access to the remote systems.

    Which standard APIs can be encrypted?
    The standard APIs Like REST, SOAP, HTTP POST/GET can all be secured via simple SSL encryption, the same goes for OPC U/A when a server certificate is provided.

    Which standard APIs cannot be encrypted?
    Unfortunately, you will also come across a couple of APIs that cannot be secured in Enterprise Alert like the SMTP server as well the SNMP trap receiver. If this poses too much of a security threat as per your security guidelines you can always disable able those interfaces.

    Application

    In this section, I want to touch on anything that is related to the Enterprise Alert application itself, including application-owned security items and concerns. Like application authentication and password encryption for users and configurations.

    How are database connection strings stored in Enterprise Alert?
    The database connection strings are stored in cleartext within the Logman.xml as well in the web.config file for the EAPortal. To avoid SQL credentials being accessed by unauthorized users we recommend using a trusted connection instead of a SQL authentication as the connection mode.

    How are passwords for access to 3rd party systems stored?
    All 3rd party connectors store Passwords as encrypted values. No cleartext passwords will be stored and shared outside the application.

    How are User passwords secured in Enterprise Alert?
    User credentials are stored in the Enterprise Alert DB only and are encrypted similar to other credentials within Enterprise Alert. Overwriting or altering the DB stored key will render the User unable to log in. Enterprise Alert does not store any user passwords if Active Directory (AD) integration is enabled – see below.

    Does Enterprise Alert offer automated User management?
    Yes. Enterprise Alert provides automated User management through AD synchronization. It offers manual sync or fully automated user data updates in freely configurable intervals. Enterprise Alert however will not synchronize Passwords from Active Directory.

    How are users authorized in Enterprise Alert?
    Enterprise Alerts offers authorization via the build-in identity server, SSO, ADFS and Azure AD. All authentication methods can be combined with Active Directory synced users. Only for authorization through the build-in identity server locally (Enterprise Alert DB) stored passwords are required. Details for the different authentication methods can be requested via the Derdack Support team.

    Does Enterprise Alert support the principle of minimum privilege?
    Yes. Enterprise Alert provides 7 different user roles covering the most common use cases by default. Should the standard roles not be sufficient Enterprise Alert offers the option to alter or create new user roles enabling you to precisely control and restrict access to the application and its features.  Custom user roles are an add-on feature and not available in any plan or edition.

    What permissions does the application need on the database?
    For the setup, therefore the creation of the main database, of Enterprise Alert, system admin privileges are required on the SQL server. If that is not possible the Enterprise Alert database can be created manually by a DBA. For the smooth operation of Enterprise Alert the account, either SQL Account (not recommended) or AD Account used by Enterprise Alert Services and ApplicationPools, needs DBowner or equal permissions.

    Is there a complete list of all ports used by Enterprise Alert available?
    The Derdack support team can provide documents addressing the most commonly used ports and standard ports. Please note that used ports may vary based on 3rd party application settings e.g. SQL DB ports or application web services.

     

    Summary

    Your security audit will most likely contain a lot more open items and it will go into much more detail than the questions and answers here. We gladly will sit down with you and go over the different Items and provide guidance. Enterprise Alert is designed with security and reliability in mind therefore all findings will be addressable with reasonable effort.

     

     

    Tagged

    derdackEnterprise Alertsecurity

    Share

    Related Posts

    Enterprise Alert 9.4.1 comes with fixes and the revised version of the sentinel connector app

    February 1, 2023

    Critical System Alerts via SIGNL4

    December 29, 2022

    Enterprise Alert 9.4 Update introduces Remote Actions for hybrid scenarios and proxy support for MS Teams

    October 25, 2022

    Upgrade your shopfloor alerting with Derdack

    September 8, 2022

    About

    DERDACK products combine automated alert notification workflows, 24/7 duty scheduling, ad-hoc collaboration and anywhere IT troubleshooting – reducing unexpected IT downtimes at large enterprises and organizations by 60%.

    Most popular

    • Derdack Company Take your ITIL incident management to the next level with Enterprise Alert
    • Mobile alert notifications for HP Service Manager (HPSM)
    • How to forward alerts to Microsoft Teams
    • Oncall Scheduling On-Call Schedule Management with Auto-Rotation
    • Even, Alert, Incident, Notification Definition of Event, Alert, Incident and Notification
    • checking-mobile Enhancing SCOM alert notifications
    • Announcing Enterprise Alert 2019
    • who-is-on-call-sharepoint Add a live “Who is On-Call” Dashboard into Sharepoint and other Tools

    Categories

    • Business (37)
    • Cloud Services (5)
    • Consultancy (1)
    • Customers (18)
    • Energy & Utilities (7)
    • Events (23)
    • Financial & Banking (4)
    • IT Ops (19)
    • Manufacturing (8)
    • News (48)
    • Schools (1)
    • Software (9)
    • Staffing (1)
    • Support (4)
    • Technical (141)
    • Transport & Logistics (5)

    Tags

    alert alert notifications Anywhere Resolution Anywhere Response Azure azure BMC customer reference Database derdack enterprise alert Enterprise Alert Enterprise Alert 2016 Enterprise Alert 2019 Gartner HPE HPE ITSM incident Incident Management Incident resolution incident response Industrie 4.0 Integration IT Alerting IT Operations Maintenance microsoft mobile Mobile App monitoring OMS on-call on-call schedule Operational Alerting rapid response release Remote Action REST API SCOM security SolarWinds NPM System Center update User Group voice

    Follow us

    • Twitter
    • Facebook
    • LinkedIn
    • XING
    • YouTube
    • Vimeo
    • Home
    • News & Blog
    • Technical
    • Common Security related Questions and Answers

    CONTACT US:
    Intl: +49 331 29878-0

    US: +1 (804) 570-2005
    CH: +41 (31) 5391990

    CONTACT VIA EMAIL:
    info@derdack.com

    OFFICES:
    US & Europe

    NEWSLETTER:
    Sign up here

    CAREER:
    Latest job offers

    EVENTS

    • No Upcoming Events
    • Who we help
    • Products
    • How to Buy
    • About Derdack
    • News & Blog
    • Free Trial
    • Twitter
    • LinkedIn
    • YouTube
    • Vimeo

     © 2025 Derdack – Imprint, Privacy policy

    • Use Cases
      • Overview
      • Enterprise IT Alerting
      • IT Managed Services
      • Mobile Alerting in Manufacuring
      • Critical Operations Alerting in Banking & Financial
      • Field Service Dispatching in Energy & Utilities
      • Use Cases in other Industries
    • Products
      • Overview
      • Enterprise Alert®
        • Overview
        • Alert Notifications
        • On-call Duty Scheduling
        • Collaboration
        • Anywhere Remediation
        • Incident Mgmt. App
        • Integrations
        • Technical Support
        • Online Knowledge Base
        • Derdack FAQ
      • SIGNL4® Cloud
      • References & More
    • How to Buy
      • Overview
      • Pricing and Quotes
      • Azure Marketplace
    • About Derdack
      • About
      • Careers
      • Strategic Partners
      • Derdack Podcast
      • Contact Derdack
    • News & Blog
    • Request Demo
    Manage Cookie Consent
    We use cookies to optimize our website and our service.
    Functional Always active
    The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
    Preferences
    The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
    Statistics
    The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
    Marketing
    The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
    Manage options Manage services Manage vendors Read more about these purposes
    View preferences
    {title} {title} {title}