When security is done well it’s not always convenient. Advanced security can sometimes even mean minor inconveniences to MSPs and their employees. But the rise in ransomware attacks requires improved security measures and harder environments, making small inconveniences worth it in the long run. In this blog I’ll look at some options for how you can harden your N-able™ RMM dashboard.
As easy as multifactor authentication (MFA) is to enable, the need to have your smartphone near so you can retrieve a passcode is enough of an inconvenience that some users are resistant to using it, even within an MSP. The power that MFA provides to prevent unauthorized access, however, is worth it.
Why use MFA? Everyone is aware that phishing emails, trojans, RATs, and keystroke loggers can facilitate the exfiltration of a user’s credentials. System administrators, help desk support technicians, and other IT roles are not immune to these types of attacks. If you’re not using MFA in your own organization, once an attacker has those credentials, the barriers preventing them from exploiting those credentials are significantly reduced. MFA improves protection against the threat of an attacker gaining access to your RMM dashboard simply because they have a user’s email address and password. The five minutes a day spent retrieving MFA passcodes is well worth the additional protection they provide.
Read more on setting up MFA in RMM here.
Restrict access based on IP
By default, N-able RMM will ask you to confirm your identity via an email when you log in from a new IP address for the first time. Anyone who uses RMM has seen these emails and some consider them to be inconvenient. This is another situation where the occasional email may be inconvenient, but it does serve an important function: ensuring logins from new IP addresses have to pass an additional “proof of identity” check. There is a way to overcome the downside of auto-detecting new IPs by using a list of approved IP addresses instead.
Why restrict access to RMM with an IP list? As with MFA, the purpose of IP restriction is to prevent an attacker who obtains credentials for your RMM from logging in with only those credentials. If an attacker has obtained a user’s RMM login credentials, they may also have access to that user’s email account. This would allow them to successfully defeat the auto-detect new IP email verification. By disabling the auto-detect feature and using a pre-approved list of IP addresses instead, you can restrict access to your RMM to only those pre-approved IP addresses.
There are convenient and less convenient ways of dealing with your pre-approved IP address list. One is to ensure all RMM dashboard users access the RMM from a centralized location. This could be physically from your main office or from VM jumpboxes if users are working from home. Another option is to have all RMM dashboard users obtain static IPs from their ISP. This does carry additional cost, but it can be worth the improved security posture.
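To make the difference between the two login modes concrete, here is an added example (not N-able code, and not how RMM is implemented internally) that models the decision logic described above: auto-detect mode challenges any unseen IP with an email check, while allow-list mode denies anything outside the pre-approved ranges. The class, the user name and the IP ranges are all constructed for illustration.

```python
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    VERIFY_EMAIL = "verify_email"  # auto-detect mode: unseen IP must pass the email check
    DENY = "deny"                  # allow-list mode: IP outside approved ranges


class LoginPolicy:
    """Hypothetical model of the two login modes discussed in the post.

    auto_detect=True  -> any IP not previously verified for this user triggers
                         an email "proof of identity" challenge (the default).
    auto_detect=False -> only IPs inside the pre-approved list are accepted;
                         everything else is denied outright, email or no email.
    """

    def __init__(self, approved_cidrs, auto_detect=True):
        self.approved = [ip_network(c, strict=False) for c in approved_cidrs]
        self.auto_detect = auto_detect
        self.verified = {}  # user -> set of IPs that already passed the email check

    def evaluate(self, user, src_ip):
        ip = ip_address(src_ip)
        if not self.auto_detect:
            return Decision.ALLOW if any(ip in net for net in self.approved) else Decision.DENY
        if ip in self.verified.get(user, set()):
            return Decision.ALLOW
        return Decision.VERIFY_EMAIL

    def confirm_email(self, user, src_ip):
        """Called when the emailed verification link is clicked."""
        self.verified.setdefault(user, set()).add(ip_address(src_ip))


def simulate_credential_theft(auto_detect):
    """Constructed scenario: an attacker holds a technician's RMM password AND
    can read that technician's mailbox. Returns (first decision, final decision)."""
    office_range = "203.0.113.0/24"  # constructed office NAT range (TEST-NET-3)
    attacker_ip = "198.51.100.7"     # constructed attacker address (TEST-NET-2)
    policy = LoginPolicy([office_range], auto_detect=auto_detect)
    first = policy.evaluate("tech1", attacker_ip)
    if first is Decision.VERIFY_EMAIL:
        policy.confirm_email("tech1", attacker_ip)  # attacker reads the verification mail
    return first, policy.evaluate("tech1", attacker_ip)
```

With auto-detect, the compromised mailbox turns the challenge into an ALLOW on the second attempt; with the allow-list, the attacker's address is denied regardless of what the mailbox contains, while a technician on the approved office range still logs in normally.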
Read more about setting up an approved IP address list here.
Technicians and system engineers are always in high demand and can be pulled in different directions at a moment’s notice. Even though best practice is to lock your workstation when you are away, humans are fallible creatures and we sometimes forget. N-able RMM can time out a user’s session after some time to improve security.
Why use session timeouts? For those who are impatient they can be another inconvenience. The frustration of having to log in and retrieve an MFA passcode multiple times a day can quickly lead some to disable the session timeouts. This, of course, weakens the security due to users potentially being left logged in long after they are no longer present. This could be an unlocked public workstation that a field technician logged in to while on-site or it could be a system account left open, either of which could be compromised by an attacker allowing them access to your dashboard.
Session timeouts don’t happen unannounced, so as long as a user is actively using the RMM dashboard their session will stay open, and they will receive a warning prior to the session being closed.
Learn more about session timeout settings here.
Follow least privilege for permissions
A core tenet of IT security is giving users the least amount of privilege needed for them to perform their work. N-able RMM has an expansive set of permissions to help control what a user can see or do within the RMM.
Why restrict a user’s capabilities in RMM? Just as all IT staff don’t receive enterprise admin permissions on a domain, not every user should have all permissions enabled in RMM. While it’s convenient to have any user have the capability to do anything at any time in RMM, that also creates a larger attack surface than is warranted. A prime example of a permission you shouldn’t give to all users is the ability to upload new automated tasks or scripts. Junior technicians or malicious actors with the ability to upload new scripts to RMM can cause serious harm. Restricting this permission to only a single account can improve security and it can also improve quality control in the environment, by forcing any new tasks or checks added to be vetted.
There is a large selection of permissions in N-able RMM. It will take more than just a few minutes to review them all, but it is worth the time.
Learn more about permission in RMM here.
Practice good cyberhygiene and security in-house
A chain is only as strong as its weakest link. An MSP should always endeavor to make sure internal operations and security don’t allow intrusions into managed environments. Following a robust security framework can help you dial in your processes and technical controls to improve your own security as well as expose opportunities for expanding your portfolio of services.
While security is a never-ending endeavor that requires constant vigilance and resources, there are things you can do today to improve the security of N-able RMM:
- Enable MFA for all RMM users and for email access. More here.
- Restrict access to RMM to a list of pre-approved IP addresses. Consider having users log in from hardened VM images that are reset weekly or daily. More here.
- Enable session timeouts for RMM dashboard users. More here.
- Follow the principle of least privilege for user permissions. More here.
- Practice what you preach. Make sure your internal systems are properly patched, monitored, and protected by a next-gen endpoint protection tool with detection and remediation capabilities like N-able Endpoint Detection and Response (EDR). Ensure all users use a password manager to discourage reuse of passwords and enable auditing.
Lewis Pope is the head security nerd at N-able. You can follow him on