This section contains best practices for setting up access control in a secure way.
User accounts, at all times, should run with as few privileges as possible. This means that user accounts in Zabbix frontend, database users, or the user for Zabbix server/proxy/agent processes should only have the privileges that are essential for performing the intended functions.
Giving extra privileges to the 'zabbix' user will allow it to access configuration files and execute operations that can compromise the infrastructure security.
When configuring user account privileges, Zabbix frontend user types should be considered. Note that although the Admin user type has fewer privileges than the Super Admin user type, it can still manage configuration and execute custom scripts.
Some information is available even for non-privileged users. For example, while Alerts → Scripts is available only for Super Admin users, scripts can also be retrieved through Zabbix API. In this case, limiting script permissions and excluding sensitive information from scripts (for example, access credentials) can help avoid exposing sensitive information available in global scripts.
By default, Zabbix server and Zabbix agent processes share one 'zabbix' user. To ensure that Zabbix agent cannot access sensitive details in the server configuration (for example, database login information), the agent should be run as a different user, specified with the User parameter in the agent configuration file.
Zabbix Windows agent compiled with OpenSSL will try to reach the SSL configuration file in c:\openssl-64bit. The openssl-64bit directory on disk C: can be created by non-privileged users. To improve security, create this directory manually and revoke write access from non-admin users. Please note that directory names will differ on 32-bit and 64-bit versions of Windows.
Some functionality can be switched off to harden the security of Zabbix components. For example, HTTP authentication can be disabled by setting $ALLOW_HTTP_AUTH=false in the frontend configuration file (zabbix.conf.php). Note that reinstalling the frontend (running setup.php) will remove this parameter, so it has to be set again afterwards.
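As an added example (not taken from the Zabbix documentation), a small POSIX shell audit for two of the settings described above: whether the server and agent configuration files name different accounts in their User parameter, and whether zabbix.conf.php still sets $ALLOW_HTTP_AUTH to false. The file paths and the sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Zabbix documentation: audit the two settings
# discussed above. Paths and file contents below are constructed samples.

# Print the value of the 'User' parameter in a Zabbix daemon config file
# (last assignment wins, commented lines ignored); 'zabbix' is the daemon default.
zabbix_conf_user() {
    awk -F= '$1 ~ /^[[:space:]]*User[[:space:]]*$/ {
                 v = $2; sub(/^[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v) }
             END { print (v == "" ? "zabbix" : v) }' "$1"
}

# "ok" when server and agent run as different accounts, "shared" otherwise.
check_agent_user() {
    if [ "$(zabbix_conf_user "$1")" = "$(zabbix_conf_user "$2")" ]; then
        echo shared
    else
        echo ok
    fi
}

# "ok" when zabbix.conf.php sets $ALLOW_HTTP_AUTH = false, "enabled" otherwise
# (this also catches the line being dropped by a rerun of setup.php).
check_http_auth() {
    if grep -Eq '^[[:space:]]*\$ALLOW_HTTP_AUTH[[:space:]]*=[[:space:]]*false[[:space:]]*;' "$1"; then
        echo ok
    else
        echo enabled
    fi
}

# Constructed sample files: one hardened set and one weak set.
TMP=$(mktemp -d)
printf 'DBUser=zabbix\nDBPassword=constructed-secret\n' > "$TMP/zabbix_server.conf"
printf 'Server=127.0.0.1\nUser=zabbix-agent\n' > "$TMP/zabbix_agentd.conf"
# weak agent: User is only commented out, and UserParameter must not be mistaken for it
printf '# User=zabbix-agent\nUserParameter=x,echo 1\n' > "$TMP/weak_agentd.conf"
printf '<?php\n$ALLOW_HTTP_AUTH = false;\n' > "$TMP/zabbix.conf.php"
printf '<?php\n$ALLOW_HTTP_AUTH = true;\n' > "$TMP/weak.conf.php"

echo "agent user: $(check_agent_user "$TMP/zabbix_server.conf" "$TMP/zabbix_agentd.conf")"
echo "agent user (weak): $(check_agent_user "$TMP/zabbix_server.conf" "$TMP/weak_agentd.conf")"
echo "http auth: $(check_http_auth "$TMP/zabbix.conf.php")"
echo "http auth (weak): $(check_http_auth "$TMP/weak.conf.php")"
```

Point the two checks at the real /etc/zabbix files to run it against an installation; the agent check reports "shared" whenever both daemons would fall back to the default 'zabbix' account.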