{"id":20782,"date":"2021-07-06T17:46:14","date_gmt":"2021-07-06T16:46:14","guid":{"rendered":"https:\/\/www.n-able.com\/?p=20782"},"modified":"2021-07-06T21:58:00","modified_gmt":"2021-07-06T20:58:00","slug":"hardening-n-able-rmm","status":"publish","type":"post","link":"https:\/\/www.n-able.com\/de\/blog\/hardening-n-able-rmm","title":{"rendered":"Hardening N‑able RMM"},"content":{"rendered":"

When security is done well it\u2019s not always convenient. Advanced security can sometimes even mean minor inconveniences to MSPs and their employees. But the rise in ransomware attacks requires improved security measures and harder environments, making small inconveniences worth it in the long run. In this blog I\u2019ll look at some options for how you can harden your N‑able\u2122<\/sup> RMM dashboard.<\/span><\/p>\n

Multifactor authentication<\/span><\/h2>\n

As easy as multifactor authentication (MFA) is to enable, the need to have your smartphone near so you can retrieve a passcode is enough of an inconvenience that some users are resistant to using it, even within an MSP. The power that MFA provides to prevent unauthorized access, however, is worth it. <\/span><\/p>\n

Why use MFA? Everyone is aware that phishing emails, trojans, RATS, and keystroke loggers can facilitate the exfiltration of a user\u2019s credentials. System administrators, help desk support technicians, and other IT roles are not immune to these types of attacks. If you\u2019re not using MFA in your own organization, once an attacker has those credentials, the barriers preventing them from exploiting those credentials are significantly reduced. MFA improves protection against the threat of an attacker having access to your RMM dashboard because they have a user\u2019s email address and password. The five minutes a day spent retrieving MFA passcodes is well worth the additional protection they provide. <\/span><\/p>\n

Read more on setting up MFA in RMM here<\/span><\/a>.<\/span><\/p>\n

Restrict access based on IP<\/span><\/h2>\n

By default, N‑able RMM<\/span><\/a> will ask you to confirm your identity via an email when you log in from a new IP address for the first time. Anyone who uses RMM has seen these emails and some consider them to be inconvenient. This is another situation where the occasional email may be inconvenient, but they do serve an important function of ensuring logins from new IP addresses have to pass an additional \u201cproof of identity\u201d check. There is a way to overcome the downside to the auto-detect new IP by using a list of approved IP addresses instead. <\/span><\/p>\n

Why restrict access to RMM with an IP list? Like with MFA, the purpose of IP restriction is to prevent an attacker who obtains credentials for your RMM from logging in with only those credentials. If an attacker has obtained a user\u2019s RMM login credentials, they may also have access to that user\u2019s email account. This would allow them to successfully defeat the auto-detect new IP email verification. By disabling the auto-detect feature and using a pre-approved list of IP addresses instead, you can restrict access to your RMM from only those pre-approved IP addresses. <\/span><\/p>\n

There are convenient and less convenient ways of dealing with your pre-approved IP address list. One is to ensure all RMM dashboard users access the RMM from a centralized location. This could be physically from your main office or from VM jumpboxes if users are working from home. Another option is to have all RMM dashboard users obtain static IPs from their ISP. This does carry additional cost, but it can be worth the improved security posture.<\/span><\/p>\n

Read more about setting up an approved IP address list here<\/span><\/a>.<\/span><\/p>\n

Session timeout<\/span><\/h2>\n

Technicians and system engineers are always in high demand and can be pulled in different directions at a moment\u2019s notice. Even though best practice is to lock your workstation when you are away, humans are fallible creatures and we sometimes forget. N‑able RMM can time out a user\u2019s session after some time to improve security. <\/span><\/p>\n

Why use session timeouts? For those who are impatient they can be another inconvenience. The frustration of having to log in and retrieve an MFA passcode multiple times a day can quickly lead some to disable the session timeouts. This, of course, weakens the security due to users potentially being left logged in long after they are no longer present. This could be an unlocked public workstation that a field technician logged in to while on-site or it could be a system account left open, either of which could be compromised by an attacker allowing them access to your dashboard.\u00a0<\/span><\/p>\n

Session timeouts don\u2019t happen unannounced, so as long as a user is actively using the RMM dashboard their session will stay open, and they will receive a warning prior to the session being closed. <\/span><\/p>\n

Learn more about session timeout settings here<\/span><\/a>.<\/span><\/p>\n

Follow least privilege for permissions<\/span><\/h2>\n

A core tenant of IT security is giving users the least amount of privilege needed for them to perform their work. N‑able RMM has an expansive set of permissions to help control what a user can see or do within the RMM.<\/span><\/p>\n

Why restrict a user\u2019s capabilities in RMM? Just as all IT staff don\u2019t receive enterprise admin permissions on a domain, not every user should have all permissions enabled in RMM. While it\u2019s convenient to have any user have the capability to do anything at any time in RMM, that also creates a larger attack surface than is warranted. A prime example of a permission you shouldn\u2019t give to all users is the ability to upload new automated tasks or scripts. Junior technicians or malicious actors with the ability to upload new scripts to RMM can cause serious harm. Restricting this permission to only a single account can improve security and it can also improve quality control in the environment, by forcing any new tasks or checks added to be vetted.\u00a0<\/span><\/p>\n

There are a large selection of permissions in N‑able RMM. It will take more than just a few minutes to review them all but it is worth the time. <\/span><\/p>\n

Learn more about permission in RMM here<\/span><\/a>. <\/span><\/p>\n

Practice good cyberhygiene and security in-house<\/span><\/h2>\n

A chain is only as strong as its weakest link. An MSP should always endeavor to make sure internal operations and security don\u2019t allow intrusions into managed environments. Following a robust security framework can help you dial in your processes and technical controls to improve your own security as well as expose opportunities for expanding your portfolio of services. <\/span><\/p>\n

Summary<\/span><\/h2>\n

While security is a never-ending endeavor that requires constant vigilance and resources, there are things you can do today to improve the security of N‑able RMM:<\/span><\/p>\n