Fortify your Patch Manager Plus server

On-Premises

Patch Manager Plus is an all-round patch management tool that automates your Microsoft and third-party patch management from a centralized console. In this document, we will provide you with some tips and tricks to harden Patch Manager Plus security.

Best security practices

ManageEngine Patch Manager Plus immediately releases the security fixes for identified security issues. Follow the Security Updates Group and the Security Updates on Vulnerabilities section in our Knowledge Base to stay updated with the latest security patches. Furthermore, please subscribe to our Data Breach Notification to receive notifications on any security incident without delay.

Note: It is highly recommended to
1) Update your Patch Manager Plus server to the latest build.
2) Grant access to the Patch Manager Plus folder only to authorized users.
3) Use proper firewall and anti-virus software, and keep them up to date so that they raise accurate alerts.
4) Delete unused accounts:
i. From Patch Manager Plus: Delete unused user accounts from the Patch Manager Plus server's product console and from the machine where the Patch Manager Plus server is installed.
ii. From MSSQL server: If you have configured MSSQL, it is recommended to remove any unused accounts from the machines on which the MSSQL server is installed as well.
5) Install the Distribution Server on a dedicated machine with no other third-party software on it. Only authorized users should have access to this machine.

Secure the access to Patch Manager Plus server

Securing the login access to Patch Manager Plus can prevent security issues involving roles and permissions.

Security Settings

To fortify the login access, go to the Admin tab, and click Security Settings.

Under Secure Login,

  • Remove default admin account

    The default admin account should be removed after the first login, because technicians could otherwise use the default administrative credentials to access the Patch Manager Plus server. Once the default admin account is disabled, technicians can access only the entities that their defined role permits, which in turn reduces the security risk.

  • Enable Secure Login (HTTPS).

    All communication between the Patch Manager Plus server and the agents takes place over HTTPS once this option is enabled.
    Note: In addition, block port 8020 in your network firewall.

  • Use Third Party SSL Certificate

    A default certificate is shipped with the server so that HTTPS communication works out of the box. It is nevertheless recommended to configure Patch Manager Plus with a trusted third-party certificate to ensure secured connections between desktops, mobile agents and servers.

  • Enforce Two Factor Authentication

    Having a second level of verification for technicians ensures that unauthorized access is prevented.

  • Set Complex Password

    Setting a complex password policy makes users configure unique passwords that are tough to crack: the more complex the policy, the more combinations an attacker has to try.

  • Secure your Software Repository (Local network share)

    The local network share contains all the software installation files. Access credentials are used to grant access to the share to authorized users only.

  • Restrict users from Uninstalling the Agent from Control Panel

    The agent monitors and executes the configurations and tasks deployed to a particular endpoint. That's why it is necessary to forbid users from uninstalling the agent.

  • Restrict users from stopping the Patch Manager Plus Agent service

    Preventing the users from stopping the Agent service ensures that the endpoint stays in contact with the server every 90 minutes.

Under Secure agent server communication,

  • Enable secure communication (HTTPS) for LAN and WAN agents

    HTTPS protocol for both LAN and WAN agents ensures that the communication between the agents and the server is always encrypted.

  • Secure Remote Control and File Transfer operations

    Enable this option to secure the communication during Remote Control sessions and File Transfer operations.

  • Disable the older versions of TLS

    For improved security, use the newer versions of TLS instead of the older ones.
    Note: By default, the SSLv2 and SSLv3 protocols are disabled in Patch Manager Plus. After the older TLS versions are disabled, devices running legacy OS platforms (Windows XP, Vista, Server 2003 and Server 2008) can no longer be managed. So, if you are not managing such legacy operating systems, disable TLSv1 and TLSv1.1 from the security page.

  • Use Secure Gateway Server

    It is highly recommended to host the Patch Manager Plus server in a corporate network protected by firewall restrictions and other security measures. If you have several roaming users and remote offices, you can use an additional component called the Secure Gateway Server. The Secure Gateway Server is a reverse proxy that acts as a bridge between the WAN agents and the Patch Manager Plus server, so the Patch Manager Plus server itself does not have to be hosted as an edge device to manage roaming users. Refer to this document for more details.

  • Enable Agent Server Trusted communication

    Trusted Communication can be enabled only after importing a third party certificate. Know more.

  • Enable certificate-based authentication for agent-server communication

    If enabled, the computers with the older agent versions will no longer be able to communicate. Ensure the agent versions are up to date. Know more.

  • Disable weak 64-bit older ciphers

    If you are managing Windows XP and Windows Server 2003 operating systems, apply the Patch for Windows XP and the Patch for Windows 2003.
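As a check on the Secure Login and agent-server communication settings above, here is an added example (not part of the Patch Manager Plus documentation or product) that probes the server's HTTPS port from another host and grades whether HTTPS is on, the certificate chain is trusted, old TLS versions are refused and 3DES (a 64-bit block cipher) is refused; the host name and port in the final lines are placeholders you replace with your own server's.

```python
# Added example (not from the Patch Manager Plus docs): probe a PMP server's
# HTTPS port and grade the TLS settings recommended above. Host/port assumed.
import socket, ssl

def handshake(host, port, min_ver, max_ver, verify=True, ciphers=None):
    """True = server accepted, False = refused/unreachable, None = client can't offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if not verify:  # reachability probes must not fail on an untrusted default cert
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        ctx.minimum_version, ctx.maximum_version = min_ver, max_ver
        ctx.set_ciphers(ciphers or "DEFAULT")
    except (ssl.SSLError, ValueError):
        return None  # this client's OpenSSL cannot offer that version/cipher
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def probe(host, port):
    v = ssl.TLSVersion  # verify=True only for the certificate-trust check
    return {
        "https": handshake(host, port, v.TLSv1_2, v.MAXIMUM_SUPPORTED, verify=False),
        "trusted": handshake(host, port, v.TLSv1_2, v.MAXIMUM_SUPPORTED),
        "tls1_0": handshake(host, port, v.TLSv1, v.TLSv1, verify=False),
        "tls1_1": handshake(host, port, v.TLSv1_1, v.TLSv1_1, verify=False),
        "3des": handshake(host, port, v.TLSv1_2, v.TLSv1_2, False, "3DES"),
    }

RULES = [  # (check, probe key, should the server accept this handshake?)
    ("HTTPS reachable (Secure Login enabled)", "https", True),
    ("certificate chain trusted (third-party certificate)", "trusted", True),
    ("TLSv1.0 refused (older TLS disabled)", "tls1_0", False),
    ("TLSv1.1 refused (older TLS disabled)", "tls1_1", False),
    ("3DES refused (weak 64-bit ciphers disabled)", "3des", False),
]

def evaluate(results):
    """Grade probe() output: list of (check, 'pass' | 'FAIL' | 'untested')."""
    return [(name, "untested" if results[key] is None
             else "pass" if results[key] == want else "FAIL")
            for name, key, want in RULES]

if __name__ == "__main__":
    # Placeholder host/port: replace with your Patch Manager Plus server's HTTPS endpoint.
    for check, status in evaluate(probe("pmp.example.internal", 443)):
        print(f"{status:8} {check}")
```

If the probing host's own OpenSSL configuration already forbids TLSv1/TLSv1.1 or 3DES at handshake time, those checks fail on the client side and show as refused, so run the probe from a host whose OpenSSL still allows them.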

Module-wise methodical steps to enhance security

  • Grant root access on the Red Hat nominated machines only to trusted technicians, so that malicious content cannot be substituted for the meta files.
  • Grant root access on Linux agents only to trusted technicians, so that malicious URLs cannot be substituted for the package URLs.
  • Scan the uploaded files in the Upload Patch option for any malicious files.
  • Go to the Admin tab, under Database Settings, click Database Backup. Here, schedule a time at which the database is backed up every day. You can also set the number of backups to retain, beyond which older backups are deleted automatically. It is highly recommended to enable notifications about database backup failures. Furthermore, secure the database backup with a password.
  • Go to the Admin tab, under SoM Settings, click Agent Settings. Here, enable the Restrict users from Uninstalling the Agent from Control Panel and the Restrict users from stopping Agent service options.
  • Go to the Admin tab, under Security Settings, click Export Settings. While exporting any reports, you can:
    • Mask the personal Information
    • Remove personal Information
    • Retain Personal Information
    • Let the Technician Decide
    Here, next to Configure Export Settings, choose Remove Personal Information.
  • Go to the Admin tab and under User Administration, define and configure roles for users so that access is only granted to handle selected modules.
  • Set the session timeout to the shortest practical value: in the web console, click the user profile picture at the top right, click Personalize, and set the minimum possible period for Session Expiration.
  • Monitor the active sessions on the Patch Manager Plus web console and close the stale sessions.
  • It is highly recommended to
    • change the passwords of all the technicians every 90 days.
    • not host the Distribution Server as an edge device.
    • not share the Patch Manager Plus agent registry and logs with anyone except Patch Manager Plus Support.
  • If you are using the Patch Manager Plus mobile app, please follow these guidelines:
    • Use HTTPS mode for the communication between the mobile app and the server.
    • Go to the Settings page in the Patch Manager Plus mobile app and enable the AppLock feature to ensure complete security while using the app.

It is highly recommended for Patch Manager Plus users to follow the guidelines in this document, in particular the Security Settings; this is a quick and effective move against cyber threats. Moreover, the steps provided for every module help strengthen security even further.

Cloud

Patch Manager Plus Cloud is an all-round patch management tool that automates your Microsoft and third-party patch management from a centralized console. In this document, we will provide you with some tips and tricks to harden Patch Manager Plus Cloud security.

Best security practices

ManageEngine Patch Manager Plus Cloud immediately releases the security fixes for identified security issues. Follow the Security Updates Group and the Security Updates on Vulnerabilities section in our Knowledge Base to stay updated with the latest security patches. Furthermore, please subscribe to our Data Breach Notification: navigate to the Admin tab, click Privacy Settings, and submit your e-mail address in the data breach notification form to receive notifications on any security incident without delay.

Note: It is highly recommended to
1) Use a proper firewall and anti-virus software, and keep them up to date to get accurate notifications in case of a security breach.
2) Delete unused accounts by navigating to Admin > User Administration and dissociating the unused user account.
3) Install the Distribution Server on a dedicated machine with no other third-party software on it. Only authorized users should have access to this machine.
4) Enable multi-factor authentication by going to the Admin tab > User Administration > Secure Authentication > Enable TFA.
5) Configure a complex password policy by going to the Admin tab > User Administration > Secure Authentication > Configure password policy.

Security Settings

Go to the Admin tab, and click Security Settings.

  • Restrict users from Uninstalling the Patch Manager Plus Cloud Agent from Control Panel

    The agent monitors and executes the configurations and tasks deployed to a particular endpoint. That's why it is necessary to forbid users from uninstalling the agent.

  • Restrict users from stopping the Patch Manager Plus Cloud Agent service

    Preventing the users from stopping the Agent service ensures that the endpoint stays in contact with the server every 90 minutes.

Module-wise methodical steps to enhance security

  • To prevent account takeover, configure the account settings by clicking the user icon in the top right corner and then My Account:
    • Under Security,
      • Change your account password regularly.
      • Add a security question. You can use your secret answer to regain access to your account in case you forget your password.
      • Restrict access to your account by adding a range of trusted IP addresses.
      • Allow third-party applications, like email clients, to access your account with unique application-specific passwords instead of your account password.
      • Check the list of devices that have signed in to your Zoho account.
    • Under Multi-Factor Authentication (MFA),
      • Choose any MFA mode to add an extra layer of security to your account.
  • Go to the Admin tab, under SoM Settings, click Agent Settings. Here, enable the Restrict users from Uninstalling the Agent from Control Panel and the Restrict users from stopping Agent service options.
  • Go to the Admin tab, under Alerts, configure alerts that notify you about critical incidents, so that immediate action can be taken.
  • Go to the Admin tab, under Security Settings, click Export Settings. While exporting any reports, you can:
    • Mask the personal Information
    • Remove personal Information
    • Retain Personal Information
    • Let the Technician Decide
    Here, next to Configure Export Settings, choose Remove Personal Information.
  • Go to the Admin tab and under User Administration, configure the roles to prevent access to restricted modules.
  • Monitor the active sessions on the accounts portal and close the stale sessions.
  • It is highly recommended to
    • change the passwords of all the technicians every 90 days.
    • not host the Distribution Server as an edge device.
    • not share the Patch Manager Plus Cloud agent registry and logs with anyone except Patch Manager Plus Support.
    • immediately report any unintended or unexpected behavior observed on the console to our Patch Management Support.
  • Enable the AppLock feature present in the mobile app under the mobile app settings page to ensure complete security while using the Patch Manager Plus app.

It is highly recommended for Patch Manager Plus Cloud users to follow the guidelines in this document; this is a quick and effective move against cyber threats. Moreover, the steps provided for every module help strengthen security even further.