Assign as few rights as possible and as many rights as necessary.
Using passwords in Empirum
Matrix42 offers customers the possibility to define their own variables of type "password" in software packages so that they can be used during package execution. Although these variables are stored in unreadable form, they can be output in plain text again for use in installation scripts; the system cannot prevent this. In principle, normal users do not have access to the control files containing the encrypted data, but local administrators can gain access to them. It is therefore recommended to use these script passwords only where no alternative (Single Sign-On, Matrix42 MyWorkspace) is available.
In addition to the passwords that can be used in scripts, Empirum uses an AES256-based encryption variant for the internal components (depot server synchronization with EmpSync, agents). No component is provided for this encryption variant that can convert them back to plain text. Since this variant is based on a shared secret procedure, it cannot be excluded that decryption may also be possible with local access.
Matrix42 recommends using this encryption variant for all Empirum Agent configurations and for depot synchronization wherever the use of certificates or computer accounts is not possible.
When configuring the "Subdepot" and "Subdepot Webservices Configuration" packages, the use of variables is necessary because various PowerShell scripts are used during installation. The relevant INI files in which this information is stored are not copied or kept on managed computers but are only available to these servers.
Storage of the configuration files
The configuration files in which passwords are stored are protected by NTFS permissions against unprivileged access on the managed computers.
Computer- and user-specific file containing configuration information for installation packages: only the custom file is saved locally.
General configuration files of the Empirum Software Management Agent and the OS installation: all configuration files are stored locally. This file contains no passwords when certificate-based or computer account authentication is used.
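The NTFS protection described above is a control worth verifying on a managed computer. The following audit script is an added example, not Matrix42's own code: it lists ACL entries on the locally stored configuration files that grant read access to broad, unprivileged principals. The file paths are placeholders, since the page does not name the files' locations.

```powershell
# Added example (not Matrix42 code): audit NTFS ACLs on locally stored Empirum
# configuration files for read access granted to broad, unprivileged principals.
# The paths below are placeholders; replace them with the actual INI / Setup.inf
# locations of your Empirum Agent installation.
param(
    [string[]]$ConfigPaths = @(
        'C:\PLACEHOLDER\Empirum\Setup.inf',
        'C:\PLACEHOLDER\Empirum\*.ini'
    )
)

# Principals whose read access would expose the encrypted values to any local user.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# ReadData is contained in Read, ReadAndExecute, Modify and FullControl, so a
# bitwise test against it catches every right that allows reading file contents.
$ReadMask = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-EmpirumConfigAcl {
    param([string]$Path)
    $findings = @()
    foreach ($file in Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -Path $file.FullName
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $identity = $rule.IdentityReference.Value
            if ($BroadPrincipals -notcontains $identity) { continue }
            if (($rule.FileSystemRights -band $ReadMask) -eq $ReadMask) {
                $findings += [pscustomobject]@{
                    File      = $file.FullName
                    Principal = $identity
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited   # inherited entries point at the parent folder's ACL
                }
            }
        }
    }
    return $findings
}

$results = $ConfigPaths | ForEach-Object { Test-EmpirumConfigAcl -Path $_ }
if ($results) { $results | Format-Table -AutoSize }
else { Write-Output 'No broad read access found on the listed configuration files.' }
```

An inherited finding means the permissive entry comes from a parent directory, so the fix belongs on that directory rather than on the individual file.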
The Interpreter Setup.exe
The interpreter "Setup.exe" is used by the Empirum Agent to process Empirum scripts. The [Encryption] section of the standard Setup.inf makes it possible to decrypt Empirum's own encrypted values (Setup, Sync) so that they can be passed to commands during script processing.
This means that such a password (Setup, Sync) can be output in plain text by a simple ECHO command.
Encryption methods affected: Setup, Sync