Locking Down Your RMM Platform
Despite how much attention is paid to an RMM system’s ability to let technicians manage multiple endpoints, little thought is given to the risks the management systems themselves pose.
Your RMM system needs armor! It needs to be locked down tightly. In this blog post we will take a look at the cost and effectiveness of three exceptional ways to lock down your RMM platform.
Access to an RMM can be effectively limited in three ways. You can limit when technicians can access the system, the ways in which they can access it, or what they can access within the system itself. Restricting when people can log in to an RMM system is one effective way of securing an RMM platform. Limiting your shift-working staff’s unfettered access to the times they would be on-shift is effective because it limits the windows of time in which an undetected attack could be made. Limitations could be placed on remote access, providing it only to those that need it based on the principle of least privilege. Finally, access within the RMM system could be limited based on what a technician needs to get their job done. If one member of staff is a scheduled nine-to-five road technician, then they likely only require remote access to some functionality of the RMM system, and even that would only be at specific times.
Effectiveness: Limiting access is a lot like installing metal shutters on a storefront. During your regular operating hours the shutter is open, allowing your staff unfettered access to the system. After hours the shutter is closed, but everyone who may need access has a key. Opening the shutter is loud and alerts everyone to your activity, and because of that the process is secure. This makes limiting access a highly effective process.
Cost: Free (...and yes, time is money.)
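The three limits described above (time, means of access, and access within the system) can be expressed as one deny-by-default check. This is an added example, not code from any RMM product; the account names, function names and policy fields are hypothetical, and times are assumed to be in the RMM server's local time.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class TechPolicy:
    shift_days: frozenset   # weekdays the shift starts on, Monday = 0
    shift_start: time
    shift_end: time         # earlier than shift_start means an overnight shift
    remote_allowed: bool
    functions: frozenset    # RMM functions this technician needs

# Constructed sample policies (hypothetical account and function names).
POLICIES = {
    "road_tech": TechPolicy(frozenset(range(5)), time(9), time(17),
                            True, frozenset({"remote_control", "view_alerts"})),
    "night_noc": TechPolicy(frozenset(range(7)), time(22), time(6),
                            False, frozenset({"view_alerts", "run_script"})),
}

def in_shift(p: TechPolicy, when: datetime) -> bool:
    t, day = when.time(), when.weekday()
    if p.shift_start <= p.shift_end:
        return day in p.shift_days and p.shift_start <= t < p.shift_end
    if t >= p.shift_start:              # evening part of an overnight shift
        return day in p.shift_days
    if t < p.shift_end:                 # after midnight: shift began yesterday
        return (day - 1) % 7 in p.shift_days
    return False

def check_access(user: str, when: datetime, remote: bool, function: str):
    """Deny by default; return (allowed, reasons) listing every failed limit."""
    p = POLICIES.get(user)
    if p is None:
        return False, ["unknown account"]
    reasons = []
    if not in_shift(p, when):
        reasons.append("outside scheduled shift")
    if remote and not p.remote_allowed:
        reasons.append("remote access not granted")
    if function not in p.functions:
        reasons.append("function not in role")
    return not reasons, reasons

if __name__ == "__main__":
    # Monday 18:30, road technician asks for a function outside the role.
    print(check_access("road_tech", datetime(2024, 3, 4, 18, 30), True, "run_script"))
```

The list of reasons returned with each denial is what you would log and alert on, so that an attempt made outside the allowed window is as noticeable as the shutter being opened.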
“Password1” is not a good password. As a reader of this blog, you already know that, but does everyone else at your business know it? Often, passwords are all that keeps those with negative intentions away from accounts with privileged access to a business’s RMM system. This means that weak or stale passwords pose a significant risk to an RMM system. There are two solutions to this: requiring Multi-factor Authentication (MFA) for those accounts, or strengthening password complexity requirements. We will discuss MFA next; for now, let’s look at strengthening password complexity requirements.
Effectiveness: While limiting access is like installing metal shutters on a storefront, having strong passwords is like having locks on the front door. Shutters are not a substitute for locks, and vice-versa. If password management best practices are being followed, then those practices will greatly aid a business in locking down the accounts that have privileged access to an RMM system.
Cost: Free (Negligible amount of time to implement for most mainstream operating systems)
Multi-factor Authentication (MFA) is a form of security that requires a user to present two or more of the three possible authentication factors in order to authenticate themselves. Normally, to log into an account, a user must enter their username and password (knowledge factor). With Multi-factor Authentication this process is supplemented with the addition of another factor like a fingerprint scanner (inherence factor) or a hardware key fob (possession factor).
Effectiveness: As these additional factors are hard to replicate, requiring them in conjunction with a password makes the entire authentication process extremely secure. Because the second factor of authentication increases the number of successful guesses necessary to log into a system, it helps to mitigate the risk of a brute force attack. Incidentally, given that some additional factors of authentication do not require manual entry, MFA can also increase the difficulty of shoulder surfing or keylogging attacks. There are simply no keys to remember or keylog if none are pushed.
Cost: Solution dependent, but the benefits can often outweigh the costs.