Itarian security. Geoblocking and/or only from certain IP addresses

Hello,
I see a lot of hacking activities nowadays.
I want to secure my portal access by something like Geoblock or that I only can login from certain IP addresses.

Can you tell me how that can be setup?

If it isn’t implemented, can that be implemented?
This is a security platform and there MUST be some mechanism to tighten the security and access to the platform.

Like I also asked earlier:
If your account has been compromised, anyone can launch devastating scripts on ALL devices.
Can you implement a setting per device where you can disable scripting from the platform?

But please tell me how to secure access only from my IP address.
I can also dm my IP to support so they can pin it from that address.

Regards.


Hi @ailan

At present we do not have any Geo location blocks built-in to the platform.

We do have password settings and MFA for the platform; a quick snippet of the controls is shown below:
[two screenshots of the password and MFA controls]

In response to some of your messages please see below: -

If it isn’t implemented, can that be implemented?

We are happy to look at items like this, but please request them via https://feedback.itarian.com


This is a security platform and there MUST be some mechanism to tighten the security and access to the platform.

We are an RMM and Business Management platform; security is a plugin to our system in a tight and seamless fashion. That being said, we do take security of our platform extremely seriously and do already have blocking of IPs in place for certain behaviours.


Something we have been looking at internally is a presence sensor using a BLE (Bluetooth) dongle, so we could look at not only authentication for your staff but possibly to look at future services like login authentication.

What are your thoughts on that?

Hi @RT-AMS-ITarian ,

Thank you for your reply.
I’m aware of the 2FA but with all the hacking activities nowadays, 2FA alone is not enough for an ‘Enterprise IT System Management’ platform.

Like I stated: if someone can enter your account, they can launch some really bad scripts on ALL systems at once.

What I would like to see is if you can add an option where you can ‘Disable’ scripting or procedures for a device.
For example on a server:
I would like to monitor the server with the default functions, but I don’t want any other 3rd party scripts enabled or run on that machine.
Otherwise any hacker can run a simple script like “format d:” on all the devices.
And you don’t want that on any server.
So such an option is very crucial in my opinion.

And regarding logging in from reserved IP addresses, that was also already in the making:
See post from Feb 2020: Link.
“First we will be adding IP restriction and then we will add additional 2FA methods. They will be completed until June.”
So it should be already scheduled so no ‘feature request’ should be needed.

But until then, I’m very eager to hear about using a BLE and I would like to use that ASAP. Can you please tell us more and the ETA?

For the time being, isn’t it possible for you to put manually some ‘allowed’ IP addresses for us where we can login from?

The sooner the security is tightened, the better.

For now, I think that I will uninstall the agents from servers.

Regards

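The manual IP allowlist asked for above, worked through as an added example. This is illustration code written for this page, not ITarian's implementation and not a description of how their portal works. It assumes a web front end that knows the TCP peer address of each login request and, when the portal sits behind a reverse proxy it operates itself, the X-Forwarded-For header; the office networks, the trusted proxy range and the request samples are constructed (RFC 5737 / RFC 3849 documentation ranges), and the function names are invented for the example.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed allowlist standing in for an MSP's office egress addresses
# (documentation ranges, not a real customer configuration).
OFFICE_ALLOWLIST = [
    "203.0.113.10/32",       # primary office firewall
    "198.51.100.0/29",       # backup uplink, small block
    "2001:db8:abcd::/48",    # office IPv6 prefix
]

# Hypothetical reverse proxies operated by the portal itself. Only these peers
# are believed when they report an upstream client in X-Forwarded-For.
TRUSTED_PROXIES = ["10.0.0.0/8"]


def parse_networks(entries: Iterable[str]) -> List[Network]:
    """Parse CIDR or bare-address strings; bare addresses become /32 or /128."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def normalize(raw: str) -> Address:
    """Parse an address and fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4,
    so a dual-stack listener cannot be used to slip past an IPv4-only allowlist."""
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def in_any(addr: Address, networks: List[Network]) -> bool:
    # ipaddress returns False for an IPv4 address tested against an IPv6 network.
    return any(addr in n for n in networks)


def effective_client_ip(peer: str, forwarded_for: Optional[str],
                        trusted_proxies: List[Network]) -> Address:
    """Return the address to evaluate against the allowlist.

    X-Forwarded-For is attacker-controlled unless the TCP peer is a proxy we
    operate, so the header is ignored entirely for any other peer. For a trusted
    peer, walk the header from the right, discarding our own proxy hops; the first
    untrusted hop is the real client. A malformed hop raises ValueError (deny).
    """
    peer_addr = normalize(peer)
    if not forwarded_for or not in_any(peer_addr, trusted_proxies):
        return peer_addr
    hops = [h for h in (p.strip() for p in forwarded_for.split(",")) if h]
    for hop in reversed(hops):
        hop_addr = normalize(hop)  # ValueError on garbage propagates to the caller
        if not in_any(hop_addr, trusted_proxies):
            return hop_addr
    return peer_addr  # every hop was one of our proxies; evaluate the peer itself


def login_allowed(peer: str, forwarded_for: Optional[str] = None,
                  allowlist: Optional[List[Network]] = None,
                  trusted_proxies: Optional[List[Network]] = None) -> bool:
    """Deny by default: unparsable input or an address outside the allowlist is False."""
    nets = parse_networks(OFFICE_ALLOWLIST) if allowlist is None else allowlist
    proxies = parse_networks(TRUSTED_PROXIES) if trusted_proxies is None else trusted_proxies
    try:
        client = effective_client_ip(peer, forwarded_for, proxies)
    except ValueError:
        return False
    return in_any(client, nets)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header or None).
    cases = [
        ("203.0.113.10", None),               # office, direct connection
        ("::ffff:203.0.113.10", None),        # same office address via dual-stack listener
        ("192.0.2.50", "203.0.113.10"),       # spoofed header from an untrusted peer
        ("10.0.0.5", "203.0.113.10"),         # our proxy reporting the office address
        ("10.0.0.5", "192.0.2.9, 10.0.0.6"),  # proxy chain, real client is outside
        ("198.51.100.8", None),               # one address past the /29
    ]
    for peer, xff in cases:
        verdict = "allow" if login_allowed(peer, xff) else "deny"
        print(f"peer={peer:<22} xff={str(xff):<24} -> {verdict}")
```

The check sits in front of the authentication handler and is additive to MFA, not a replacement for it. The point that most often goes wrong in practice is the proxy handling: trusting X-Forwarded-For from arbitrary peers turns an allowlist into a self-service bypass, which is why the example only reads the header when the TCP peer is one of the operator's own proxies.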

Hi @ailan

Thank you for coming back to me on this.

Unfortunately the link you sent was for a forum post which is not a feedback request, so this will not be on the radar to be progressed in any way; if you can make a request on https://feedback.itarian.com/ we can progress this for you.

A little bit of background: how things ran back in 2020 was not the cleanest or most efficient at all, and unfortunately lots of promises for features were made and never kept as they could not be tracked; this is why we have the new feedback system I helped put in place.

On the BLE side we are in conversations with a home automation company that are in the process of releasing a BLE scanner to report back to their system giving “presence” information.

Initial ideas on how to use this have been in conjunction with our MDM to say if mobile in office they can login for instance. Taking this further, we have been asked about desktop user authentication and desktop policy control and this could be used as part of this. (I’m not saying we are adding these features, but they certainly are being discussed internally)

The possibilities of the BLE idea are almost endless, and I must stress that this is extremely early days, as the initial discussions finished hours before I saw your forum post.

Other initial thoughts on usage are: -

  • Monitors to be active or not.
  • Change networking to use VPN / Proxy / ZTNA when not in the office.
  • Only run certain procedures when in the office.

I hope this explains and gives you food for thought, and of course for any ideas and possibilities for its use we are all ears.


Hi @RT-AMS-ITarian ,

The earlier posted link wasn’t a feedback request, but it was mentioned that it should be implemented already. Work was in progress.
Can you check the status regarding that point? Maybe it can be implemented on short notice instead of walking the procedure from beginning like requesting as a feature.

The mentioned ideas behind the usage of the scanner look nice. But it looks like it has more usage for the clients.
Regarding an MSP Admin-user it can complement, but one thing that’s crucial is to tighten the security.
If I’m only working from office, I don’t need the ability to login from other parts of the world. 2FA tokens can be hacked and pulled out of your browsers or phones so as an admin, we really need more than what we now have.
Like I stated, in case an external person can log in, they can do a lot of harm on ALL systems and servers. Hope you can follow my point and see that we need to take more security measures. ASAP.
I will make a feature request to login from reserved IP addresses and for a button so no critical scripts can be executed.
But what baffles me is that such a crucial and, nowadays, very common feature has to be requested. It should already be implemented or thought of…
So, can you please check the internal status regarding earlier mentioned ‘feature’?

Thanks


Hi @ailan

As promised on the feedback site (link below), I’m coming here to provide a few more security-based items you can do to stop the issues you’re raising here.

1.) When you sign up to our platform, we make the initial email address the “Account Admin” which basically has god powers to configure and make the system yours. I’m sure this is similar on most platforms, even systems like Microsoft 365 do the same!

So the first thing to do here is make sure this is an email address and user that is not going to be used every day; this then reduces the access to the system and potential leaking of more sensitive access.

2.) Make sure you have a good password policy and configuration used so passwords are not easy to guess and meet a good level of complexity.

3.) With the procedures, we do not have the ability to stop them being run on devices and this is something you would not want as procedures in ITarian are either

  • OS Update Routines
  • 3rd Party Application Update Routines
  • Scripts

That being said, you can modify the RBAC permissions inside Endpoint Manager to not allow users, techs and non-trusted people from “approving” procedures.

No unapproved procedure can be run on a device, so if someone did manage to hack a tech’s account due to password leakage etc., then they will not be able to run any non-approved bad scripts.

I hope this helps!

Hi @RT-AMS-ITarian,

Thank you for your reply.

I only have one user: me. As MSP-Admin.
So no technicians or other users.
And for daily routines and checks, I have to login every day in the system.
I do change my password every week and use strong passwords.

Disabling permissions by using roles is not enough because:

  1. I don’t use any other users.
  2. Even if I do have more users or use another login for daily routines, if the admin account will be compromised, the most valuable devices like servers are exposed to bad scripts. You can start any script and inject bad codes.

So an option to disable scripting on a device would greatly help in this case.

To give you a bit more insight:
On servers I only want to see if they’re online or offline and to use the remote control feature.
Therefore, I have to install the Communication client.
But with the Communication client you get a lot more options which are not needed only to use remote control and see the status.
Even the scripting ability to corrupt or damage the whole server.

So to protect important devices it would be great if you can set an option to disable scripting.

Hope you see my point.

Regards.