Hello,
I have a quick question: why separate the admin workstation and the server workstation? Is it solely for security reasons?
Thank you.
[SOLVED] Separate server and administrator workstations
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
-
sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
- Contact :
On a Windows server, the server often also acts as an "admin workstation," but this is indeed discouraged for security reasons.
The server has an open port (443), sometimes even for RDP or other services, which exposes it to an attacker. (A security vulnerability can occur at any time, as we recently saw with SSH and RDP.) Therefore,
it's not recommended for the Windows WAPT server to store the key (c:\private). In case of an attack, the hacker won't be able to deploy ransomware with WAPT (since WAPT verifies packet signatures and actions, this limits the risks).
Conversely, if your admin workstation has the key, it doesn't have any open ports, it's often in a dedicated IT VLAN, and it's often encrypted (BitLocker). When your workstation is turned off, the key is inaccessible.
A cleaner security solution!
Simon
The server has an open port (443), sometimes even for RDP or other services, which exposes it to an attacker. (A security vulnerability can occur at any time, as we recently saw with SSH and RDP.) Therefore,
it's not recommended for the Windows WAPT server to store the key (c:\private). In case of an attack, the hacker won't be able to deploy ransomware with WAPT (since WAPT verifies packet signatures and actions, this limits the risks).
Conversely, if your admin workstation has the key, it doesn't have any open ports, it's often in a dedicated IT VLAN, and it's often encrypted (BitLocker). When your workstation is turned off, the key is inaccessible.
A cleaner security solution!
Simon
