I would like to get your opinions on this. Is it a good or bad idea?
I only have PI System Explorer installed at present.
PI System Management Tools is in simple terms a client tool. You should not have any issues installing SMT on a PI AF or Coresight server machine. In fact, the PowerShell tools for the PI System are installed with PI SMT which you might find useful or beneficial to have access to on more machines.
Keep the software footprint on servers as lean as you can. This concept applies to Windows roles as well as extra tools. Discourage interactive sessions on servers.
The payoff is in higher reliability and security with lower overall maintenance.
SMT runs just fine from a remote client.
The exception might be for very small scale systems, where the idea is to run as much as possible on one box. This approach was less reliable without the coordinated platform releases; it's much easier now to have a server with versions all in sync.
Bryan Owen is spot on. The worst case I have seen is when someone was using SMT locally on a server and also working on a development system, which he decided to delete; well, you can guess that the production system got deleted :¬( . I have seen servers also accidentally shut down or restarted, so just keep away from them as much as you can. The other one that catches folk out is when they install a newer version of software and, lo and behold, you get a message to restart the server.
I would say that you would want SMT installed on the server for an emergency, you just don't need to use it from day to day.
Principally I agree with the statement that one would not need admin tools on a server, need to say that first!
But I doubt if spinning up more servers to spread out all the services onto separate machines would make the software stack safer overall. Yes, in an ideal world you are right, but more servers mean more hassle to secure and thus in my experience you end up with more security holes to cover. So it really depends on the organisation in which the system operates what will lead to a more secure situation overall, and what 'secure enough' means. In this case, combining CoreSight and AF would be as much of a security issue as the installation of SMT on the server. Both place tools that users access on a backend server. If we could add one server, I would separate AF and CoreSight/SMT.
A minimal footprint that I recommend for a production environment is a 4-layer system, to place the 4 functions into separate security layers: 1 interfaces, 2 server(s), 3 visualisation (CoreSight), 4 maintenance (tools like SMT, PSE, etc.), where the interactions between the levels are controlled based on least privileges.
Hi Roger... seems like we are mostly on the same page, as 3 security layers is the industry minimum standard. In your server layer there are definitely all-in-1 approaches, mostly for smaller businesses (akin to Microsoft Small Business Server), but larger scale enterprises will distribute roles for many reasons, for instance managing standard images like MS SQL.
For administration, the vast majority we survey today still rely on remote desktop. Manual approaches will fade away as the industry now expects automated methods to support Containers and DevOps initiatives.
In a way, better admin tools are practically a necessity if we are to continue managing more and more services. Not only is it more secure to avoid RDP, it can be much safer and more reliable to use automation.
RDP is still valid, as long as you use different credentials to RDP to your maintenance layer from your desktop. And if the regular desktop is tightly controlled you might not have the privileges to install SMT. So you are forced to make the hop from your unsecure desktop to a more secure maintenance server that is allowed to interact with your PI server. This setup still left me standing after the last security audit.
Even in the largest PI environments around, the scale of maintenance could not justify anything more advanced than this setup for maintenance.
References to current materials on this topic from a Microsoft infrastructure perspective include:
Privileged Access Workstations
Just Enough Administration: Windows PowerShell security controls help protect enterprise data
Both approaches are recommended. It's fair to assess JEA as too early to gauge success, thus Roger's assessment may prove accurate. On the other hand, bans on using RDP to manage SaaS may well spread to more traditional environments.