I was recently asked if there were any best practices for using the challenge-response tool with EPM, where there’s the software and the key. While we do have some documentation around how to use it, I feel this warranted some quick notes on practices I recommend, based on seeing this live in some environments.
Tip 1: Put the shared key in a vault
The shared key should be protected, as anyone with the response code generator tool can generate the code. That’s by design, so please protect the shared keys in a vault, or in another encrypted store that’s not in the company’s documentation portal.
Tip 2: Restrict who can run the response code generator
Even though the response code generator needs access to get the installer, it’s good to restrict who can run the response code generator as a layer of friction in the policy. Ideally, limit it to the service desk only.
Other documents
These are quick tips on the response code generator, aimed at restricting its abuse outside of the desired use case.
For all other response code documentation, I highly recommend our KB articles:
- How to install and use the Response Code Generator for Endpoint Privilege Management
- Is the shared key for Privilege Management Response Code Generator recoverable
- How to delete "forever" response code sessions from a Windows endpoint





