N‑central Hardening Part 2 (including some best practices)

In my final blog as the Head Nerd for N‑central and now your newest Product Manager for N‑central, I thought it would be time to update my previous blog from July 2021 and provide a few more details as to why hardening the N‑central server, and for that matter any on-premises server that has an operating system, is critically important.
First, N‑central is a hardened appliance when installed on bare-metal hardware (a physical server), or as a virtual machine in Hyper-V, VMware, Oracle VirtualBox, Microsoft Azure, or Amazon Web Services. We call it a hardened appliance because only N‑able has access to the backend of the N‑central server; the only thing exposed to you is the WebUI, through which you remotely monitor, manage, and automate your devices.
As a team, we are always working to maintain and update the architecture of N‑central so it continues to be among the best and most secure RMM platforms in the industry. Some of the questions I will be trying to answer over the next year as a Product Manager are these:
- How do we keep all of the software components, operating system, and the overall security of the N‑central server up-to-date and free of vulnerability exposures?
- How do we stay fast and agile in a high-paced industry that requires features, integrations, and in-depth and flexible reporting quickly to stay ahead of our competitors?
- How do we ensure that N‑able N‑central is the market leader for RMM in the world and what are we going to do to continue to enable our partners to be the best MSPs in the marketplace?
- How do we allow our major account partners, who require full-blown IT service-management solutions, to stay away from restrictive PSA solutions so they can adopt and integrate technologies that are going to enable them to be the best IT departments on the planet?
- How am I going to prioritize all these important things and communicate that importance to our senior leadership and executive team members so we can make informed decisions?
Those five questions are ones I will undoubtedly need your help with, specifically as they relate to N‑central hardening. In the meantime, there are a few things I recommend you do on your on-premises N‑central server to help ensure it remains secure. These include:
Implement a Web Application Firewall (WAF)
Many of our partners are using vendors like Cloudflare and FortiGate for WAF, and those two seem to be the most popular based on the feedback I have gotten from our partners. Please note that, as of writing this document, there is a known issue with Cloudflare and our integrated products such as SentinelOne, Intune, and DNS Filter, due to the communication protocol (gRPC) that the ecosystem agent uses for those integrations.
Change the port on which you access N‑central
Did you know that you can move the front end of the N‑central server to a different port? This lets you, the MSP, restrict access to the N‑central server to LAN or VPN. Please note that, as of writing this document, this feature is still in a preview phase; you can request access to it by emailing [email protected]
Block SSH (port 22) over WAN
This one is pretty much a no-brainer, but it must be said: do not expose SSH to the internet unless specifically asked to, and then only temporarily; block it again as soon as troubleshooting is done. Our N‑central support team sometimes needs to run commands over SSH to fix a problem, which is the one legitimate reason to open it.
Block port 10000 over WAN
Currently, the N-Central Admin Console (NAC) runs on this port. It should only be accessible via LAN and not WAN.
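The three port recommendations above (expose only the WebUI, keep SSH and the NAC off the WAN) are easiest to get right as one explicit policy on the firewall in front of the appliance. The following is an added example, not N‑able's code and not something you run on the appliance itself, since only N‑able has access to its backend: an nftables ruleset for a Linux perimeter firewall that forwards traffic to an on-premises N‑central server. The WAN interface name, LAN/VPN range and appliance address are placeholder assumptions, and 443 is assumed to be the only port the WebUI needs from the internet; check N‑able's port documentation for any additional ports your agents and integrations require before applying it.

```shell
#!/bin/sh
# Added example, not N-able code: nftables policy on a Linux perimeter firewall
# that forwards traffic to an on-premises N-central appliance.
# The three values below are placeholder assumptions; set them for your network.
WAN_IF="${WAN_IF:-eth0}"              # internet-facing interface of the firewall
LAN_CIDR="${LAN_CIDR:-10.0.0.0/24}"   # MSP LAN / VPN range allowed to reach SSH and the NAC
NC_IP="${NC_IP:-10.0.0.10}"           # address of the N-central server behind the firewall

# Emit the ruleset. 443 (WebUI) is reachable from anywhere, 22 (SSH) and
# 10000 (N-central Admin Console) only from LAN_CIDR; every other new
# connection arriving from the WAN for the appliance is logged and dropped.
ncentral_ruleset() {
  cat <<EOF
table inet ncentral {
  chain forward {
    type filter hook forward priority 0; policy accept;
    # replies to flows the appliance already has open
    ip daddr ${NC_IP} ct state established,related accept
    # WebUI over HTTPS from anywhere (add other WAN ports your integrations need here)
    ip daddr ${NC_IP} tcp dport 443 accept
    # SSH and the N-central Admin Console: LAN/VPN only
    ip saddr ${LAN_CIDR} ip daddr ${NC_IP} tcp dport { 22, 10000 } accept
    # anything else from the WAN aimed at the appliance
    iifname "${WAN_IF}" ip daddr ${NC_IP} ct state new log prefix "ncentral-drop " drop
  }
}
EOF
}

# Self-check: succeed only if no rule opens 22 or 10000 without a source restriction.
admin_ports_lan_only() {
  ! ncentral_ruleset | grep -E 'dport .*(22|10000)' | grep -v 'saddr' | grep -q .
}

case "${1:-}" in
  --apply) admin_ports_lan_only && ncentral_ruleset | nft -f - ;;   # load on the firewall (root)
  *)       ncentral_ruleset ;;                                      # dry run: print only
esac
```

Run it without arguments to print the ruleset, or with `--apply` to load it with `nft -f` on the firewall (root required). The `admin_ports_lan_only` self-check refuses to apply a ruleset in which any rule opens 22 or 10000 without a source restriction, which is the mistake that quietly re-exposes the NAC after a "temporary" change for a support session. Because the chain only matches traffic destined for the appliance, it can sit alongside the firewall's existing tables.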
And one for the future, set up SSO
I had the first demo with Matt Miller, one of our newest product managers for N‑central responsible for the SSO and OpenID connect project. While this is not in beta or in a preview stage, we are all very excited about being able to use Azure SSO as our Identity provider this year. It looked amazing.
Here are my top recommendations for N‑central hardening:

| Recommendation | Additional info |
|---|---|
| Disable port 10000 over WAN | Behind your firewall, ensure that port 10000 can only be accessed via LAN. Note we will be moving the NAC into the UI later this year. |
| Disable port 22 over WAN | Only open this up if requested to do so by N‑able support; otherwise it should be blocked on WAN. |
| Implement a Web Application Firewall | If you are using integrated EDR, DNS Filter, or Intune, unfortunately this is not configurable in some WAFs due to our requirement of gRPC. |
| Audit your N‑central users monthly | Have a team member who can verify active versus non-active accounts. |
| N‑central browser timeouts | Ensure a default setting no higher than 60 minutes. |
| 2FA enabled across all accounts | There should not be a single user in your N‑central that does not have 2FA. |
| Disable the N‑able support account when not in use | Turn on the N‑able support feature only when requested to do so. |
| Review the server setting for password complexity | Does this match the standard you set for your customers? |
| Ensure you have the N‑central server backed up nightly | If you're hosted we do this for you, but if you are running on-premises, ensure you have backups configured. |
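Three of the recommendations in the table, the monthly user audit, 2FA on every account and disabling the N‑able support account when not in use, can be checked mechanically rather than by eye. The following added example (not N‑able's code) runs that check over a CSV export of user accounts; the column layout and the five accounts in it are constructed for the example, and the 90-day idle threshold and the `nable-support` account name are assumptions to adjust to your own export. It flags enabled accounts without 2FA, enabled accounts idle longer than the threshold, and a vendor support account that was left enabled:

```shell
#!/bin/sh
# Added example, not N-able code: monthly user-hygiene check over a CSV export
# of N-central user accounts. The export layout (username,last_login,two_factor,
# enabled) and the rows below are constructed for the example.
USERS_CSV="$(cat <<'EOF'
username,last_login,two_factor,enabled
alice,2023-02-27,yes,yes
bob,2022-10-15,yes,yes
carol,2023-02-20,no,yes
nable-support,2023-01-05,yes,yes
dave,2021-06-30,no,no
EOF
)"

# Usage: audit_users AS_OF_DATE [MAX_IDLE_DAYS] [CSV_TEXT]
# Prints one "<user> <finding>" line per finding and returns 1 if anything was
# flagged, so a scheduled job fails loudly. Day differences are computed from a
# Julian Day Number inside awk, so only POSIX tools are needed (no GNU date).
audit_users() {
  asof="$1"; max_idle="${2:-90}"; csv="${3:-$USERS_CSV}"
  printf '%s\n' "$csv" | awk -F, -v asof="$asof" -v max_idle="$max_idle" '
    # YYYY-MM-DD -> Julian Day Number (standard Gregorian formula)
    function jdn(d,  p, y, m, dd, a, yy, mm) {
      split(d, p, "-"); y = p[1] + 0; m = p[2] + 0; dd = p[3] + 0
      a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
      return dd + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    NR == 1 { next }                                  # skip header row
    {
      user = $1; last = $2; tfa = $3; enabled = $4
      if (enabled != "yes") next                      # disabled accounts are already handled
      idle = jdn(asof) - jdn(last)
      if (tfa != "yes")            { print user " no-2fa"; found++ }
      if (idle > max_idle)         { print user " idle-" idle "d"; found++ }
      if (user == "nable-support") { print user " vendor-support-account-enabled"; found++ }
    }
    END { exit (found > 0) }'
}

# Number of findings for the given as-of date (and optional threshold / CSV).
audit_findings_count() { audit_users "$@" | wc -l | tr -d ' '; }

if [ $# -gt 0 ]; then
  audit_users "$1" || echo "findings above need action" >&2
fi
```

Run it as `sh audit.sh 2023-03-01` (or with today's date from your scheduler) against the real export by passing its contents as the third argument to `audit_users`. Against the constructed rows it reports `bob` idle for 137 days, `carol` without 2FA and the enabled `nable-support` account; `alice` is clean and `dave` is skipped because the account is already disabled, which is the state an inactive account should end up in after the review.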
Jason Murphy is the N‑central Automation Nerd at N‑able. You can follow him on reddit on r/nable or Twitter at @ncentral_nerd.
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and its contents should not be considered legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability for the accuracy, completeness, or usefulness of the information contained herein.
N-ABLE, N-CENTRAL and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered trademarks, or marks pending registration with the United States Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.