How to Configure the Canary Admin to Require Authentication for Local Admins (version 22)
By default, the Canary Admin allows anonymous access for local users via the 'Net.Pipe' endpoint.
If wishing to restrict local admin access, simply uncheck this box. Before doing so, ensure the desired users/groups are on the 'ALLOW' list on the 'Access' screen as once the change is applied, the user will be prompted to authenticate if they are not on the list.
When a local user opens the admin client it will first attempt to authenticate the logged on user using their Windows credentials. If the local user is on the Access list, they will be granted access and not be prompted for a username/password. If the user is not on the list, a screen will appear prompting them for a username/password. Either one of these endpoints can be disabled from the 'Endpoints' tab shown in the first screen shot.
2 replies
-
Can this pair up with SSO (Azure AD) credentials to ensure identification of which users are performing specific actions in the Admin console? Does it also work for "remote administration" through the Canary Admin "thick client" when connecting to a Canary-hosted cloud setup?