
SAC General Configurations

As of version 10.3.0, Server Access Control (SAC) related settings have been relocated. Previously found under Administrator > General > Security, these settings are now available in the General > Configurations menu for each respective service.

Overview

The Configurations page is where you can manage server access and security policies in QueryPie. You can configure key elements of server connection security, such as login failure thresholds, session timeouts, and control over insecure protocols. This allows administrators to configure the server environment according to their organization's security requirements and protect the system from potential threats.

Server Connection Security Settings

Manage security settings applied to server access control.

General Settings

Manage basic security settings.

  • Maximum OS Account Login Failures before Lockout: Policy for locking accounts upon login failure.

    • Specify the maximum number of allowed server login failures.

    • If Enable is selected, you can specify the number of failures and the time frame (e.g., lock the account after 2 failures within 11 minutes).

  • Maximum Command Attempts before Session Termination: Maximum number of attempts to execute prohibited commands.

    • If Enable is selected, you can specify the number of attempts and the time frame (e.g., terminate the session after 10 attempts within 10 minutes).

  • Retain Session After Policy Change: Configure whether to maintain active sessions when server access policies are changed.

    • If Enable is selected:

      • Active sessions will be maintained even in the following cases:

        • Direct permission grants or revocations

        • Policy updates

        • User role changes

      • However, if a user's role or permissions are completely removed, sessions for related resources will be terminated.

      • To apply the changed policy, users must reconnect their sessions.

    • If Disable is selected:

      • All connected sessions will be automatically terminated when the policy changes.

      • The changed policy will apply to new sessions.

  • Server Session Timeout: Server session timeout period (in minutes).

    • Sessions will time out if no commands are executed after server connection for the specified duration.

    • This setting applies if no timeout is specified in an individual Policy.

    • If a timeout policy is specified in an individual Policy or Server Default Settings, the shorter duration will be applied.

  • Using insecure protocols: Configure the use of non-recommended server connection protocols.

    • Set whether to allow the use of TELNET or FTP.

  • Access Server with MFA: Configure whether MFA authentication is required for server access (Default: Disabled).

    • Currently, Google OTP is supported. If this option is selected, specify servers to apply MFA authentication to, based on tags.

      • Tag input method: Type the key and press Enter, then type the value and press Enter.

    • Entered tags are displayed as key = value. Servers possessing at least one matching tag will require MFA authentication for access.

  • Resource IP Access Control Configuration: Configure IP-based access control for allowed server connections.

    • Specify servers to apply IP access control to, based on tags.

    • This takes precedence over Roles or Direct Permissions assigned to Users/Groups.

    • Click the Add Configuration button to open a modal. Enter the following information and click the Add button to add the configuration (changes are not applied until the Save Changes button in the upper right corner is clicked).

      • Server Tag Key: Enter the server tag key. Only one key can be applied at a time (Required).

      • Server Tag Value: Enter the server tag value. Only one value can be applied at a time (Required).

      • Allowed Zones: Select from the list of Allowed Zones (defined under General > Company Management > Allowed Zones). At least one zone must be selected if this option is used (Required).

  • Password Provisioning: Configure whether to use password provisioning.

    • Periodically change the server account passwords for registered servers.

    • If set to On, the following changes occur:

      • An option to select the account for password provisioning is added in Server Group settings.

      • The Password Provisioning menu is enabled, and Password change jobs can be registered.

      • The Account Management menu is enabled, providing the ability to view the list of server accounts managed by QueryPie.

  • Allow RDP Connection without Server Agent: Configure whether to allow RDP connections to Windows Servers where the RDP Server Agent is not installed.

    • Connect to Windows Servers via RDP protocol through QueryPie.

If connecting to a Windows Server without the RDP Server Agent installed, the following limitations apply:

  • You cannot control the account used for server access.

  • Only Server Access History is recorded; the server account used for Windows login is not recorded.

  • Command Audit and Session Recording are not performed.

  • It is recommended to use this option solely for the purpose of installing the RDP Server Agent. Auditing and recording will function correctly once the RDP Server Agent is installed and the remote connection is restarted.
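
The Server Session Timeout and Access Server with MFA rules above can be checked against a server inventory before saving the configuration. The following is an added example, not QueryPie code: the Server class, MFA_TAGS and the inventory are constructed for illustration, and exact (case-sensitive) tag matching is an assumption, so tags that differ only by case or whitespace are reported for manual review.

```python
"""Added example: models the tag and timeout rules described above.
Not QueryPie code; Server, MFA_TAGS and INVENTORY are constructed."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Server:
    name: str
    tags: dict                             # server tags as key -> value
    policy_timeout: Optional[int] = None   # minutes, from an individual Policy

def requires_mfa(server, mfa_tags):
    """MFA applies when the server has at least one configured key = value tag."""
    return any(server.tags.get(k) == v for k, v in mfa_tags)

def near_miss(server, mfa_tags):
    """Tags that differ from a configured pair only by case or whitespace.
    Exact matching is an assumption here, so these deserve a manual check."""
    norm = lambda s: s.strip().lower()
    wanted = {(norm(k), norm(v)) for k, v in mfa_tags}
    return [(k, v) for k, v in server.tags.items()
            if (norm(k), norm(v)) in wanted and (k, v) not in mfa_tags]

def effective_timeout(server, global_timeout):
    """Global value applies when the Policy sets none; otherwise the shorter wins."""
    if server.policy_timeout is None:
        return global_timeout
    return min(global_timeout, server.policy_timeout)

def audit(servers, mfa_tags, global_timeout):
    """One row per server: (name, mfa_required, timeout_minutes, near_miss_tags)."""
    return [(s.name, requires_mfa(s, mfa_tags),
             effective_timeout(s, global_timeout), near_miss(s, mfa_tags))
            for s in servers]

# Constructed sample configuration and inventory.
MFA_TAGS = [("env", "prod"), ("tier", "db")]
INVENTORY = [
    Server("web-01", {"env": "prod", "team": "shop"}, policy_timeout=15),
    Server("db-01", {"env": "stage", "tier": "db"}),
    Server("db-02", {"Env": "Prod"}, policy_timeout=120),
    Server("dev-01", {"env": "dev"}),
]

if __name__ == "__main__":
    for row in audit(INVENTORY, MFA_TAGS, global_timeout=30):
        print(row)
```

A server such as db-02 in the sample, which is not selected for MFA but carries a near-miss tag, is the case to resolve before relying on the tag list.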

Default Policy Settings for Server Permission Requests

Manage server access policies applied when assigning Direct Permissions through Workflow requests.

Warning

Policy content is applied based on the time the Workflow request is created. Changes to the access policy made after a request is approved will not retroactively apply to previously approved requests.

Users can obtain Direct Permissions for servers through a Server Access Request. For more details, please refer to Server Access Request.

  • Protocols: Allowed protocols (Supported protocols: SSH, SFTP, TELNET, FTP, RDP, VNC).

  • Command Template: Command blocking template to apply upon connection.

    • The content of the selected Command Template can be viewed by expanding the Command Policy Detail accordion.

    • For information on creating and managing command blocking templates, refer to Command Templates.

  • Access Start Time: Permitted access start time.

  • Access End Time: Permitted access end time.

  • Access Weekday: Permitted days for access.

  • Command Audit: Enable command auditing upon connection.

  • Command Detection: Enable detection of prohibited commands within scripts/aliases after connection.

  • Proxy Usage: Allow proxy connections via Agent.

  • Allow Local Port Forwarding: Allow port forwarding from the client.

    • Use this option if using applications that require port forwarding, such as VSCode.

  • Max Sessions: Maximum number of concurrent sessions per server.

  • Session Timeout: Session timeout period (in minutes).

  • Show Server Groups in Workflow if Assigned as Member: If checked, only server groups to which the user is assigned as a member will be displayed when the user submits a Server Access Request.

  • Require Minute-Based Requests: Allows server-related permission requests in Workflow to be made in minute increments. If disabled, permissions are requested in day increments.

    • Server Access Request: If checked, allows server access permission requests to be made in minute increments.

    • Server Privilege Request: If checked, allows server privilege requests to be made in minute increments.
