MeshCentral2 - Security, DB Record Encryption, Vault support

Because MeshCentral is a web site that has control over a lot of devices, security is super important. MeshCentral already implements two-factor authentication, FIDO2 hardware keys support and much more. In the last few months, we added even more security features to insure that compute assets are as protected as possible. Here are some of the security features that were added recently:
  • Database Partial Record Encryption. When saving data in the database, some of the fields will need to be indexed for fast retrieval, but some of the data is sensitive such as account two-factor keys and Intel® AMT credentials. For these values, MeshCentral now offers an optional additional encryption layer using AES256-GCM. Fields that are marked as sensitive are encrypted and encoded in a special _CRYPT value in the database. When reading the record back, MeshCentral decodes and places the sensitive fields back transparently to the rest of the server code. This feature can be used on top of encryption features offered in the database itself.
  • HashiCorp Vault support. Vault is an open source secret management software that is used to store configuration settings, keys and certificates. You can get more information about this software at vaultproject.io. MeshCentral now supports storing and retrieving configuration and certificate information from Vault. This has many benefits: It allows the MeshCentral server to keep no secrets at rest, improving security. It allows MeshCentral to be completely stateless when running in a Docker container. It also allows for centralized management of secrets. All you need to specify is how to connect to Vault and all configuration is retrieved including MongoDB settings, etc. This is done before connecting to the database, so the database connection string and credentials can also be stored in Vault.
  • Cookie & Token IP address binding. MeshCentral session state that is sent to the browser is now bound to the external IP address of that browser. If malware obtains a user’s browser session data, it can’t use that data from a different IP address. The server will detect and reject use of session data from a different external IP address increasing the security of session information.
  • MeshCentral Security Features Guide. In order to better inform MeshCentral administrators of the default and optional security features of the server, we have a new one page PDF guide highlighting the top 12 security features of MeshCentral. This makes it easy to see what features are available. For more details on any given features, take a look at the MeshCentral User’s Guide.
Of course, no software is fully secure. In case of any concerns or security issues, one should contact the developers. A new PGP key is now available for anyone that wants to send confidential files or messages. Security is an ongoing process and so, we look forward to more feedback from the community on how to improve MeshCentral even further.

Enjoy,
Ylian
Twitter: https://twitter.com/meshcentral
Reddit: https://www.reddit.com/r/MeshCentral/
GitHub: https://github.com/Ylianst/MeshCentral/issues
MeshCentral2: http://www.meshcommander.com/meshcentral2






 
Check out the MeshCentral Security Features Guide (PDF)

http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2SecurityFeaturesGuide.pdf

Popular posts from this blog

Starting work at Microsoft

Image
Hi everyone. It’s been a while since the last blog post and I wanted up update everyone on what is going on. As many of you know already from a discussion on GitHub , Bryan and I have been laid-off from Intel in early November 2022. This was quite a surprise as MeshCentral, MeshCommander, MeshCMD and other tools where widely used. This said, Intel has been having poor financials and Bryan and I where part of a very large first wave of downsizing by the company that involved many people that I know and worked with for a long time. I had been working for Intel for over 25 years having started in September 1998. Over the years I worked on IPsec key negotiation, Universal Plug & Play, DLNA and Intel® AMT. I loved working on all these projects and especially loved working with the open-source community on Mesh projects. Obviously, this was not my decision and Bryan and I had look for what comes next. One option was to continue working on MeshCentral as part of another company or with
Read more

MeshCentral - Windows ARM64, NodeJS v11, NPM Packages

Image
Hi all. It's been a while since I last posted and now that I am settling a bit more in my work at Microsoft, I have a bit of time to occasionally look after MeshCentral again. It's about time, there where a bunch of things that needed to get fixed. Before that, I want to say that I am doing great. I am working on Microsoft Forms which is one of the offerings of Microsoft 365. For kicks, I started a YouTube channel on Microsoft Forms here during a Microsoft hacking week. I tried to up my game since the videos I last published for MeshCentral. Also, I wanted to share pictures below. I was at a Tesla Supercharger last weekend and, by luck, got to see a Tesla Cybertruck in person. It's very big. Obviously, this is a release candidate driven by a Tesla employee. I saw it after attempting to see the solar eclipse over Oregon, but sadly, too many clouds and saw nothing. In any case, back to MeshCentral. In the last few months a few things have happened with the new releases. Wind
Read more

MeshCentral - New Windows Agents - Installation Dialog, Customization and Server Lock

Image
Lots is going on with MeshCentral, just yesterday Bryan Roe released a new MeshAgent for Windows with many improvements. An improved installation dialog box, logo customization and, to continue MeshCentral’s leadership in security, a new agent code signing locking feature that will surely be used by many to improve trust and security of their MeshCentral installation. In addition to this, we have many more server improvements to cover. In detail: MeshAgent with improved installation dialog box . The new MeshAgent for Windows is much improved with months of changes and bug fixes. The most noticeable feature is by far the new installation dialog with the new logo and connection details button. The new installer is a lot friendlier and easier on end-users. MeshAgent with improved customizations . In addition to all the existing agent customizations available in prior versions, the MeshAgent has new server settings for the installation text and logo. You can now set your own 200x200 PNG c
Read more