Friday, November 11, 2011

Managing your RemoteManagement: Security Best Practices



Updated by David Ianetta

The default setup of MSP RMM is perfect for a one-man shop, where all installations, actions and policy decisions are performed by the same person. However, once you move into a multi-user system, the following must be considered:


  • Privilege: who can shape your processes, and who must work within the boundaries of those processes?
  • Access: who is allowed access to your system, and how do you rescind that access at a later time in the event of employee turnover?
  • Accountability: how can you determine who has done what in the event something has gone wrong?
You can have such a system implemented in MSP RMM in less than 5 minutes! Follow these steps:

Figure: Dashboard users added with varying clearance; PAK access can then be disabled.
  1. If this is not already the case, the Primary Access Key (PAK) account needs to be mapped to a valid, generic email address such as agent@yourdomain.com or support@yourdomain.com. This frees up the manager's email address, which is often still associated with the PAK from when the trial was started. You will need to submit a support request to swap out your PAK.
  2. The manager's email address can now be added to the dashboard as a superuser (settings > users), giving the manager his/her own top-level access to the system.
  3. Any employees who are to be granted dashboard access can now be added to the user list as well, and granted varying levels of permission:
    1. SuperUser (highest level): this clearance can craft system-wide policy, approve new add-on technologies such as Managed AV or Patch Management for deployment, manage users, and add Scripts to the dashboard, in addition to everything available to the lower levels of clearance.
    2. Administrator (mid-level): make changes to settings, manage checks, add Automated Tasks, clear checks, initiate Take Control sessions, and configure Patch Management and Managed AV policies once those have been enabled by a superuser.
    3. Standard (low-level): "view-only" access, plus downloading Agents for installation.
  4. With all users now given their own levels of access, the PAK login/password should no longer be allowed dashboard access (also under settings > users). Once this is done, the PAK account is used for installing agents only.

As a result of these changes:
  1. Nobody can use the PAK to enact any changes or view any information in the dashboard. The PAK account information can now be distributed to employees for the purpose of agent installation without any security risk concerning unauthorized dashboard access.
  2. In the event an employee leaves the company, their ability to access your dashboard, and by extension your customers, can be removed by deleting their username from the dashboard.
  3. With every user possessing their own credentials, full accountability and review can be achieved by accessing the User Audit Report in the dashboard.
    Figure: User Audit Report showing all actions taken by dashboard users.
By setting this system in place, you can rest assured that you have implemented the privilege, access and accountability controls described above in your MSP RMM dashboard.
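To make the access model behind these four steps concrete, here is an added illustration that is not MSP RMM's own code: a small Python model of the three clearance levels, the PAK account whose dashboard access is switched off in step 4, and the audit trail that the User Audit Report is built from. The role names and their capabilities follow step 3 of the post; the Dashboard class, its method names, the action names and the sample user names (manager, alice, bob) are assumptions made for this example.

```python
"""Added illustration, not MSP RMM's own code: a small model of the
three-tier dashboard permission scheme, the PAK account and the User Audit
Report described in the post. Role names and capabilities follow step 3;
the Dashboard class, method names, action names and sample user names are
assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Capabilities per clearance level, cumulative as in the post (each level
# includes everything available to the levels below it).
STANDARD = {"view", "download_agent"}
ADMINISTRATOR = STANDARD | {"change_settings", "manage_checks", "add_task",
                            "clear_check", "take_control"}
SUPERUSER = ADMINISTRATOR | {"set_policy", "approve_addon", "manage_users",
                             "add_script"}
ROLES = {"standard": STANDARD, "administrator": ADMINISTRATOR,
         "superuser": SUPERUSER}

# The Primary Access Key is not a dashboard user: it may always install
# agents, and may use the dashboard only while that access is enabled.
PAK = "PAK"


@dataclass
class Dashboard:
    users: dict = field(default_factory=dict)   # username -> role name
    pak_dashboard_access: bool = True           # the "one-man shop" default
    audit: list = field(default_factory=list)   # (utc time, actor, action, outcome)

    def _log(self, actor, action, outcome):
        self.audit.append((datetime.now(timezone.utc).isoformat(),
                           actor, action, outcome))

    def authorize(self, actor, action):
        """Decide whether actor may perform action; record every decision."""
        if actor == PAK:
            allowed = action == "install_agent" or (
                self.pak_dashboard_access and action in SUPERUSER)
        else:
            role = self.users.get(actor)          # None once the user is deleted
            allowed = role is not None and action in ROLES[role]
        self._log(actor, action, "allowed" if allowed else "denied")
        return allowed

    def add_user(self, actor, username, role):
        """Steps 2 and 3: only a superuser (or the PAK while still enabled) adds users."""
        if role not in ROLES or not self.authorize(actor, "manage_users"):
            return False
        self.users[username] = role
        self._log(actor, f"add_user {username} as {role}", "done")
        return True

    def remove_user(self, actor, username):
        """Result 2: deleting the username removes all of that person's access."""
        if username not in self.users or not self.authorize(actor, "manage_users"):
            return False
        del self.users[username]
        self._log(actor, f"remove_user {username}", "done")
        return True

    def disable_pak_dashboard_access(self, actor):
        """Step 4: after this the PAK is good for agent installation only."""
        if not self.authorize(actor, "manage_users"):
            return False
        self.pak_dashboard_access = False
        self._log(actor, "disable_pak_dashboard_access", "done")
        return True

    def audit_report(self, actor=None):
        """Result 3: the audit trail, optionally filtered to one actor."""
        return [e for e in self.audit if actor is None or e[1] == actor]


def walk_through():
    """Replay the post's four steps and return the dashboard for inspection."""
    d = Dashboard()
    d.add_user(PAK, "manager", "superuser")          # step 2
    d.add_user("manager", "alice", "administrator")  # step 3
    d.add_user("manager", "bob", "standard")
    d.disable_pak_dashboard_access("manager")        # step 4
    return d


if __name__ == "__main__":
    d = walk_through()
    print("PAK set_policy:", d.authorize(PAK, "set_policy"))             # False
    print("PAK install_agent:", d.authorize(PAK, "install_agent"))       # True
    print("alice take_control:", d.authorize("alice", "take_control"))   # True
    print("bob take_control:", d.authorize("bob", "take_control"))       # False
    d.remove_user("manager", "alice")
    print("alice view after removal:", d.authorize("alice", "view"))     # False
    for entry in d.audit_report("alice"):
        print(entry)
```

The one design point worth noting is that `authorize` logs denials as well as approvals: the audit report is only useful for the "who did what" question if attempts that were refused (an administrator trying to add a user, the PAK trying to read the dashboard after step 4) show up alongside the actions that succeeded.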

2 comments:

  1. Cool, and what prevents the employee that left from installing agents everywhere just to annoy his previous employer?

    Replies
    1. Good point - that could be a consideration, yes. But what's better is that we've already taken care of it. This article is a bit old; the new release of the dashboard last week implements a new password policy where any & all passwords can be changed by the account holder(s). Please see MAX Status (http://status.maxfocus.com/2015/01/14/max-rm-dashboard-v5-53-release-new-features/) for more information.
