[comment]: # ({c16c09cf-cebf8306})
# 1 Access control

[comment]: # ({/c16c09cf-cebf8306})

[comment]: # ({88806b0c-c4f0ac9a})
#### Overview

This section contains best practices for setting up access control in a secure way.

[comment]: # ({/88806b0c-c4f0ac9a})

[comment]: # ({2acc8f22-dc572a02})
#### Principle of least privilege

User accounts, at all times, should run with as few privileges as possible.
This means that user accounts in Zabbix frontend, database users, or the user for Zabbix server/proxy/agent processes should only have the privileges that are essential for performing the intended functions.

::: noteimportant
Giving extra privileges to the 'zabbix' user will allow it to access configuration files and execute operations that can compromise the infrastructure security.
:::

When configuring user account privileges, Zabbix [frontend user types](/manual/config/users_and_usergroups/permissions) should be considered.
Note that although the *Admin* user type has fewer privileges than the *Super Admin* user type, it can still manage configuration and execute custom scripts.

::: noteclassic
Some information is available even for non-privileged users.
For example, while *Alerts* → *Scripts* is available only for *Super Admin* users, scripts can also be retrieved through Zabbix API.
In this case, limiting script permissions and excluding sensitive information from scripts (for example, access credentials) can help avoid exposing sensitive information available in global scripts.
:::

[comment]: # ({/2acc8f22-dc572a02})

[comment]: # ({20fbd0fe-1631be73})
#### Secure user for Zabbix agent

By default, Zabbix server, proxy, and agent (or agent 2) processes share one `zabbix` user.
To prevent Zabbix agent/agent 2 (running on the same machine as server/proxy) from accessing sensitive details in the server/proxy configuration (for example, database credentials), the agent should be run under a different user:

For Zabbix agent:

1. Create a secure [group and user](/manual/installation/install/sources#2-create-user-account) (e.g., `zabbix-agent`).
2. Set this user in the agent configuration file [User](/manual/concepts/agent/agentd_params#user) parameter.
3. [Restart agent](/manual/concepts/agent#if-installed-as-package) to drop privileges to the new user.

For Zabbix agent 2, the configuration must be applied at the [service](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html) level, because the [agent 2 configuration file](/manual/concepts/agent2/agent2_params) does not support the `User` parameter.
For an example, see [ZBX-26442](https://support.zabbix.com/browse/ZBX-26442).

[comment]: # ({/20fbd0fe-1631be73})

[comment]: # ({582edb84-c02c850f})
#### Revoke write access to SSL configuration (Windows)

If you have compiled Zabbix agent on Windows with OpenSSL located in an unprotected directory (e.g., `C:\zabbix`, `c:\openssl-64bit`, `C:\OpenSSL-Win64-111-static`, or `C:\dev\openssl`), make sure to revoke write access from non-administrator users to this directory.
Otherwise, the agent loads SSL settings from a path that can be modified by unprivileged users, resulting in a potential security vulnerability.

[comment]: # ({/582edb84-c02c850f})

[comment]: # ({b96222b8-0f084225})

#### Hardening security of Zabbix components

Some functionality can be switched off to harden the security of Zabbix components:

-    Global script execution on Zabbix server can be disabled by setting `EnableGlobalScripts=0` in [server configuration](/manual/appendix/config/zabbix_server).
-    Global script execution on Zabbix proxy is disabled by default (can be enabled by setting `EnableRemoteCommands=1` in [proxy configuration](/manual/appendix/config/zabbix_proxy)).
-    Global script execution on Zabbix agents is disabled by default (can be enabled by adding an `AllowKey=system.run[<command>,*]` parameter for each allowed command in [agent configuration](/manual/appendix/config/zabbix_agentd)).
-    User HTTP authentication can be disabled by setting `$ALLOW_HTTP_AUTH=false` in the [frontend configuration file](/manual/installation/frontend#install) (`zabbix.conf.php`). Note that reinstalling the frontend (running `setup.php`) will remove this parameter.
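
As an added example (not part of Zabbix itself), the following Python check reads the contents of the four configuration files named in the list above and reports every switch that is left enabled. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Constructed sample file contents (not taken from a real installation).
SAMPLE = {
    "server": "# EnableGlobalScripts=0\nEnableGlobalScripts=1\n",
    "proxy": "Server=192.0.2.10\nEnableRemoteCommands=1\n",
    "agent": "AllowKey=system.run[uptime,*]\nAllowKey=system.run[*]\n",
    "frontend": "<?php\n$DB['TYPE'] = 'MYSQL';\n",
}

def parse_conf(text):
    """Parse Key=Value lines; keep every value because AllowKey can repeat."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params.setdefault(key.strip(), []).append(value.strip())
    return params

def audit(configs):
    """Return findings for each supplied file that leaves a switch enabled."""
    findings = []
    if "server" in configs:
        values = parse_conf(configs["server"]).get("EnableGlobalScripts", [])
        if set(values) != {"0"}:  # unset, or any value other than 0
            findings.append("server: EnableGlobalScripts is not set to 0")
    if "proxy" in configs:
        if "1" in parse_conf(configs["proxy"]).get("EnableRemoteCommands", []):
            findings.append("proxy: EnableRemoteCommands=1 is set")
    if "agent" in configs:
        for value in parse_conf(configs["agent"]).get("AllowKey", []):
            if value.startswith("system.run["):
                scope = "any command" if value == "system.run[*]" else "a listed command"
                findings.append(f"agent: AllowKey={value} allows {scope}")
    if "frontend" in configs:
        # setup.php removes this line, so re-check after a frontend reinstall
        pattern = r"^\s*\$ALLOW_HTTP_AUTH\s*=\s*false\s*;"
        if not re.search(pattern, configs["frontend"], re.M | re.I):
            findings.append("frontend: $ALLOW_HTTP_AUTH=false is missing")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Pass `audit()` a dictionary holding the text of the real files to run the same check against an installation.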

[comment]: # ({/b96222b8-0f084225})

[comment]: # ({330e0135-95fd0cfc})

#### UNC path access on Windows by Zabbix agent

Zabbix agents on Windows follow UNC paths (SMB shares like `\\server\share\file.txt`) in items like `vfs.file.*`, `vfs.dir.*`, `modbus.get`, and `perf_counter*`. This can be a security risk in some contexts.

When Windows is asked to access a UNC path, it tries to authenticate on that server. This means that a malicious request to Zabbix agent can expose the NTLM hash to the requester's server. If needed, users can mitigate this with the [AllowKey](/manual/concepts/agent/agentd_params_win#allowkey) and [DenyKey](/manual/concepts/agent/agentd_params_win#denykey) configuration parameters.

[comment]: # ({/330e0135-95fd0cfc})
