Recently there has been a lot of focus on MSPs being targeted by ransomware attacks, in forums, groups and general conversation. I have written this article to help people improve the security of their MSP tools; mine are primarily ConnectWise, but some of these points will fit any solution. According to published reports, at least 13 MSPs have had their PSA/RMM/remote-control software breached and then used to deploy ransomware to their clients. If your RMM software is breached, deploying a payload is almost too easy.
General Practices for All
- Do not publicly post your RMM URL anywhere. None of your URLs should be indexable or searchable by any search engine.
- If you're self-hosted, ensure that all ports that aren't required are closed. Also block any geographical locations/countries that your RMM won't be used from.
- Adopt the Principle of Least Privilege (POLP) to ensure that users don't have any permissions they don't need.
- Review any additional modules or third-party software in use, such as plugins, integrations and software/API keys.
- Enable Multi-Factor Authentication (MFA). Most, if not all, RMM/PSA products support this. Services like Azure MFA and Duo are great products that work with minimal disruption.
- Ensure long, secure passphrases are set. Passphrases are strings of words; generally they are easier for you to remember and harder to guess.
You can also merge phrases, or use the initials of a phrase to create a password. For example, ‘The Quick Brown Fox Jumped Over The Lazy Dog’ could be abbreviated to ‘tqbfjotld’, and the phrase ‘An Arm and A Leg’ could become the passphrase ‘An Arm and tqbfjotld A Leg’.
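The two tricks above (abbreviating a phrase to its initials, then embedding that abbreviation inside a second phrase), generalised to any pair of phrases. This is an added example, not code from the article; the 16-character minimum in the length check is an assumed policy value, not one the article states.

```python
# Added example (not from the original article): implements the
# passphrase-building tricks described above for arbitrary phrases.
# MIN_LENGTH is an assumed policy minimum, not a value from the article.

MIN_LENGTH = 16


def initials(phrase: str) -> str:
    """Abbreviate a phrase to the lowercase initial of each word."""
    return "".join(word[0].lower() for word in phrase.split())


def merge(carrier: str, phrase: str, after_word: int = 3) -> str:
    """Insert the initials of `phrase` into `carrier` after `after_word` words.

    Spaces are kept, as in the article's example, so the result remains a
    multi-word passphrase rather than collapsing into a single token.
    """
    words = carrier.split()
    if not 0 < after_word < len(words):
        raise ValueError("after_word must fall strictly inside the carrier phrase")
    words.insert(after_word, initials(phrase))
    return " ".join(words)


def is_long_enough(passphrase: str, minimum: int = MIN_LENGTH) -> bool:
    """Length gate: the article asks for long passphrases, and an abbreviation
    on its own (e.g. 'tqbfjotld') is too short to pass."""
    return len(passphrase) >= minimum


if __name__ == "__main__":
    # The article's own example, reproduced through the functions above.
    long_phrase = "The Quick Brown Fox Jumped Over The Lazy Dog"
    result = merge("An Arm and A Leg", long_phrase)
    print(result, "->", "ok" if is_long_enough(result) else "too short")
```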
For ConnectWise Automate, you can configure MFA quite easily. Head over to System > Solutions > Solution Center. Within the Security module you can choose from Google Authenticator, Duo, AuthAnvil, etc. Once you've installed one, browse to System > Solutions > Plugin Manager to enable your chosen plugin. Restart the DB Agent and reload the System Cache to see your plugin.
If you browse to System > Users & Contacts > User Class Manager you can quite easily see user roles and their permissions.
As a rule, I have one Super Admin account that I use only when I require the elevated privileges; otherwise I work from my account with ‘Help Desk Users’ permission.
To my knowledge, the only two methods of enabling 2FA with Manage are via Google Authenticator and AuthAnvil. Check out this article on Google Authenticator and this article on AuthAnvil. You can also enable 2FA within the ConnectWise Portal.
ConnectWise Control (AKA ScreenConnect) was recently used to infect devices with Zeppelin ransomware. It's a powerful tool that often runs in the background unknown to many users. Many ConnectWise Automate instances come with Control built in; you can access it by browsing to your Automate URL with :8040 appended.
To enable Google Authenticator in Control, visit this article. It will ask which type of user you have, then generate a QR code and a key for you to insert into your user's account, whether it is an internal user, an LDAP user or an Active Directory user.
For further reading on ransomware affecting MSPs, check out these articles/posts:
- ZDNet – At least 13 managed service providers were used to push ransomware this year
- MSSPAlert – Big MSP Suffers Ransomware Attack
- Reddit – Synoptek MSP hit by ransomware
Please get in touch to let us know if you have any suggestions on how we can improve these articles.