My colleague Lewis Pope, our head security nerd, wrote an excellent blog last week about hardening N-able™ RMM. I thought it prudent, in light of recent developments, to do the same for the N-able N-central® product. A lot of it is common knowledge, but I wanted to put together a checklist so you can review the security of your N-central platform and ensure you’re meeting some of these best practices.
Security is not always convenient. It takes some work and sometimes it can really slow us down, especially when we have to authenticate and reestablish connections to continue what we’re working on. But the reality is that the threat landscape is real for the MSP channel and our customers, and you need to mitigate the risks involved.
If you’re hosted in our N-able cloud, it takes care of most of what I describe below. But if you’re like most of our partners running an N-central server, you’re probably doing so on-premises. These are steps I’ve personally completed when I worked for a large MSP, but I’ve highlighted which apply to hosted, on-premises, or both.
Configurations that apply to on-premises servers only
- Port restrictions: On your firewall, block port 10000 (the Central Admin Console port) on the WAN so that it is accessible from the LAN only. Optionally, block port 22 (SSH) on the WAN as well and allow it from the LAN only. You can block many other ports too, but be sure to reference the N-central security whitepaper first. Please note that ports 443 and 5280 must be left open for agent communication and remote control.
- Under System > Administration > Users, confirm the N-able Support Account is disabled. Only toggle this account access on when directed by a support agent and make sure this support account is disabled when troubleshooting has concluded.
- Review the default password complexity rules in N-central to ensure they match the standard you enforce. When I do my N-central auditing, I often see this setting changed to passwords never expiring, or to the lowest possible complexity. This can be set when you log in to the N-able administration console with the productadmin account.
- Web application firewall: While this is not a supported configuration currently, we do have partners using WAF and are doing so successfully. A partner has posted about this on the N-able subreddit with the instructions. You can read it here.
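To make the port restrictions above checkable rather than a mental note, here is an added example (not N-able code or any firewall vendor's syntax) that models a perimeter firewall as an ordered first-match rule list and verifies the checklist's expectations: 443 and 5280 reachable from anywhere, 10000 and 22 reachable from the LAN only. The LAN range, probe addresses and rule format are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed model: ordered rules (source network, port or "any", action),
# first match wins, implicit final drop for unmatched inbound traffic.
LAN = "10.0.0.0/8"            # assumed LAN range; adjust to your own
WAN_PROBE = "203.0.113.7"     # documentation-range address standing in for the internet
LAN_PROBE = "10.1.2.3"        # an address inside the assumed LAN


def first_match(rules, src, port):
    """Return the action of the first rule matching (src, port); default is drop."""
    for net, rule_port, action in rules:
        if ip_address(src) in ip_network(net) and rule_port in (port, "any"):
            return action
    return "drop"


# Expectations from the checklist: agent/remote-control ports open to all,
# Central Admin Console (10000) and SSH (22) reachable from the LAN only.
REQUIREMENTS = {
    443:   {"wan": "accept", "lan": "accept"},
    5280:  {"wan": "accept", "lan": "accept"},
    10000: {"wan": "drop",   "lan": "accept"},
    22:    {"wan": "drop",   "lan": "accept"},
}


def check_policy(rules):
    """Return a list of findings for the given rules; an empty list means compliant."""
    findings = []
    for port, expected in REQUIREMENTS.items():
        for zone, probe in (("wan", WAN_PROBE), ("lan", LAN_PROBE)):
            got = first_match(rules, probe, port)
            if got != expected[zone]:
                findings.append(f"port {port} from {zone}: expected {expected[zone]}, got {got}")
    return findings


# Hardened policy: 443/5280 open to everyone, 22/10000 restricted to the LAN.
HARDENED = [
    ("0.0.0.0/0", 443, "accept"),
    ("0.0.0.0/0", 5280, "accept"),
    (LAN, 22, "accept"),
    (LAN, 10000, "accept"),
]
# Weak policy: a blanket allow placed first shadows the LAN-only rules below it.
WEAK = [("0.0.0.0/0", "any", "accept")] + HARDENED

if __name__ == "__main__":
    print("hardened:", check_policy(HARDENED) or "compliant")
    print("weak:", check_policy(WEAK))
```

Run it against a transcription of your own rule base; a shadowing rule like the one in WEAK is a common reason the admin console ends up exposed even though a LAN-only rule exists.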
Configurations that apply to both hosted and on-premises partners
- Review employee user accounts quarterly and disable accounts as part of your employee off-boarding process. Your customers expect you to do this for them; you should do it for your business as well.
- Every user account should have 2FA enabled. No questions. This may seem like an inconvenience to employees, but they should already be used to this from other systems like Microsoft 365 and Azure.
- Look at your role-based permissions under Administration > Access Group and Roles and define new permissions that follow the principle of least privilege. Confirm these match the access to your customers and to areas of N-central that your employees require.
- Browser session timeouts need to be enforced on every single Admin account in N-central. At both the System level and the Service Org level, go to Administration > Users, click into each Login, and under User Details > User Information ensure the timeout is set within the 20 to 120 minute range and no higher. Review this quarterly, as the user can modify this setting.
Additional tips for on-premises servers
There are a few other important items that I wanted to include that don’t qualify as hardening per se but only apply to on-premises N-central servers. I strongly recommend implementing them in your organization.
- Make sure N-central and your MSP business do not have a site-to-site VPN to any of your customers for any reason. Most MSPs don’t but there are a few that still do this. I recommend revoking that practice.
- If you run N-central virtualized in Hyper-V, consider setting up redundancy/failover for high availability.
- Ensure that you have FTP backups using the native backup functionality in N-central under System > Administration > System Backup and Restore > Configure Backup. Make sure these settings are complete and that backups are successful. Test your restores.