How to Configure the Canary Admin to Require Authentication for Local Admins (version 22)
By default, the Canary Admin allows anonymous access for local users via the 'Net.Pipe' endpoint.
Starting in v21.3, the following steps can be taken to restrict certain local users from opening the Canary Admin:
- Open the Canary Admin > Admin tile > Access tab and ensure the desired users and/or user groups are on the 'ALLOW' list. Only the users and groups listed there will be able to open the Admin after the Net.Pipe endpoint is disabled.
- Open the C:\Program Files\Canary\Canary Admin\CanaryAdministrator.exe.config file.
- Remove the highlighted <endpoint> parameter from the file and Save.
- Close the Canary Admin and restart the Canary Administrator service.
- Open the Canary Admin. The admin service will first attempt to authenticate the logged-on user using their Windows credentials. If the local user is on the Access list, they will be granted access and not be prompted for a username/password. If the user is not on the list, a screen will appear prompting them for a username/password. Either one of these endpoints can be disabled from the 'Endpoints' tab shown in the first screenshot.
***After a version upgrade, the modifications in the CanaryAdministrator.exe.config file DO NOT persist and the <endpoint> parameter must be removed again.***
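Because the change is lost on upgrade, a read-only check can confirm whether the Net.Pipe endpoint is back in the file. The script below is an added example, not Canary's own tooling. The function name `Get-NamedPipeEndpoint` is hypothetical, and the script assumes the endpoint is declared with standard WCF attributes (an `address` beginning with `net.pipe:` or a `binding` of `netNamedPipeBinding`); the article does not show the element, so adjust the match if your file differs.

```powershell
# Added example: read-only check, it never modifies the config file.
# The path is the one given in the article.
$configPath = 'C:\Program Files\Canary\Canary Admin\CanaryAdministrator.exe.config'

function Get-NamedPipeEndpoint {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Config file not found: $Path"
    }

    # Parse as XML rather than text so commented-out endpoints are ignored.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)

    # Assumption: standard WCF attributes identify the Net.Pipe endpoint.
    foreach ($ep in $xml.SelectNodes('//endpoint')) {
        $address = $ep.GetAttribute('address')   # empty string if absent
        $binding = $ep.GetAttribute('binding')
        if ($address -like 'net.pipe:*' -or $binding -eq 'netNamedPipeBinding') {
            [pscustomobject]@{
                Address = $address
                Binding = $binding
                Parent  = $ep.ParentNode.Name
            }
        }
    }
}

$found = @(Get-NamedPipeEndpoint -Path $configPath)
if ($found.Count -gt 0) {
    Write-Warning 'Net.Pipe endpoint is present in the config file; remove it to require authentication.'
    $found | Format-Table -AutoSize
    exit 1
}
Write-Output 'No Net.Pipe endpoint found in the config file.'
exit 0
```

Run it as a script, for example from a post-upgrade task; exit code 1 means the `<endpoint>` entry must be removed again.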