Symantec Security Assessment: The Bomgar Box
Bomgar Security Architecture

2. Server-side Authentication and Authorization

All Bomgar application servers use dedicated application accounts when accessing server functionality and data. During the assessment, Symantec conducted a variety of attack scenarios designed to circumvent the authentication mechanisms implemented in the Bomgar Box™. Symantec found that both the web-based and client-server interfaces to the Bomgar Box's backend components required the user to successfully authenticate with a valid username and password. All attempts to bypass the authentication components were rejected by the application, thereby preventing access to functionality and data on the server.

Symantec also found that the Bomgar Box™ supports per-user privileges that offer more granular control over access to application functionality and data. When accounts are created, the administrator is presented with a list of privileges that can be selectively granted to the user, including the ability to view and/or control a customer's machine remotely or the ability to act as an administrator for the application. During the assessment, Symantec also attempted to bypass access control functions and access functions and/or data that should have been restricted to more highly-privileged users. These attempts were rejected by the access control mechanisms built into the application.

Finally, Symantec also notes that separate administration accounts and interfaces exist to govern administration of the Bomgar Box™ and the administration of the application itself. This provides additional segregation between user functions within the overall application environment.
© 2003-2009 Bomgar Corporation | All Rights Reserved

