Kaseya Community

Patch file source and credentials

This question is answered

I have defined UNC folder to get patches from server and set access for "everyone" for this folder. When I run test patch status from workstation I get error "Missing credential. Add a valid network credential." Added regular domain user to credentials, next getting error "Credential might not have admin rights. Patch file failed to install."

Do I have to define credentials to access that UNC path? And does that credential need to have admin rights on all workstations to get updates installed? How do you usually do this, just use administrator account or create another account with administrator priviledges?

 

 

Verified Answer
  • We create a local administrator account on all machines.  We use this for credentials.

    We use this for patching, for logging on locally, etc...

    The idea is we can use a script to reset passwords across our fleet whenever circumstances change.

  • Rather than set access for "everyone".....use "Domain Users"

    As for accounts...I use random alpha-numeric passwords and store them in the Manage Variables section of Agent Procedures. I create a different one for each customer.

    Then I can use a script that creates the XYZ account, puts it into local admin and uses <variable> for the password. This way I have a single script that can run against all customers yet supply a unique and complex password for each of them.

All Replies
  • We create a local administrator account on all machines.  We use this for credentials.

    We use this for patching, for logging on locally, etc...

    The idea is we can use a script to reset passwords across our fleet whenever circumstances change.

  • Surely setting the UNC share for Everyone is a large security risk, does the share need to be read only or does kaseya need to be able to write back to the folder too?

  • I have made my patch shares read only before worked okay as long as the other agent can get read access as the patches are downloaded by the machines agent that hosts the patch share.  



    [edited by: HardKnoX at 4:41 PM (GMT -7) on 7-10-2011] typo
  • One could probably set sharing permissions only for those local admin accounts which do the update...

    How do you guys manage passwords for these local kaseya admin accounts? Same pwd for everyone and frequently changing it or one pwd per customer? Can you make password script automatically set stored credentials for agent?

  • Rather than set access for "everyone".....use "Domain Users"

    As for accounts...I use random alpha-numeric passwords and store them in the Manage Variables section of Agent Procedures. I create a different one for each customer.

    Then I can use a script that creates the XYZ account, puts it into local admin and uses <variable> for the password. This way I have a single script that can run against all customers yet supply a unique and complex password for each of them.

  • Wow thats handy. Is this place considered to be secure to store passwords?

  • Is it secure?....Hmmmmm

    There are two possibilities here....secure from Staff ....and secure from public / unauthorised access.

    With regards to staff.....You can make the variables public or private. Public will be visible to all Kaseya user accounts (i.e staff) that have access to the Agent Procedure tab....private will be limited to the account that creates that variable. Personally I use public variables as my staff have access to create user accounts on remote systems anyway.

    As for public / unauthorised access.....I figure if someone manages to hack / compromise  our VSA server then all bets are off as they have complete access to all our customers machines anyway.

  • So do you use an account local to the workstation or a domain account?

    If its a local account how does it get access to the update share?

  • Some of our customers IT staff have access to Kaseya for their own machine scope, but I then I though that they can just see their own machine scope and password assigned to them, which is no problem (as long as we use different passwords for each customer).

    Other though was that would malicious end-user somehow see that password from his computer where Kaseya agent is but that doesn't seem to be possible either..

    Third though was that somebody could hack our Kaseya server (because https is open to world) but then we would have bigger problem since they can do anything they want.