Fortify your Device Control server

Device Control Plus is enterprise software that leverages device control and file action management features to fortify endpoint security.

Best security practices

Device Control Plus releases security patches for identified security issues immediately. Follow the Security Updates group and the Security Updates on Vulnerabilities section in our Knowledge Base to stay updated with the latest security patches. Furthermore, please subscribe to our Data Breach Notification to receive notifications on any security incident without delay.

Note: It is highly recommended to:
1) Update your Device Control Plus server to the latest build.
2) Grant access to the Device Control Plus folder only to authorized users.
3) Use a proper firewall and anti-virus software, and keep them up to date to get accurate alerts.
4) Delete unused accounts:
i. From Device Control Plus: Delete unused user accounts from the Endpoint Central server's product console and from the machine where the Device Control Plus server is installed.
ii. From MSSQL server: If you have configured MSSQL, then it is recommended to remove any unused accounts from the machines where the MSSQL server is installed as well.

Secure the access to Device Control Plus

Securing the login access to Device Control Plus can prevent security issues involving roles and permissions.

Security Settings

To fortify the login access, go to the Admin tab, and click Security Settings.

Under Secure Login,

  • Remove default admin account

    The default admin account should be removed after the first login.

  • Enable Secure Login (HTTPS).

    All communications between the Device Control Plus server and the agents will take place using the HTTPS protocol after enabling this option.
    Note: In addition, disable port 8020 in your network firewall.

  • Use Third Party SSL Certificate

    It is recommended to configure Device Control Plus with a trusted third party certificate to ensure secured connections between desktops and servers. However, for secured communication using HTTPS, a default certificate will be provided along with the server.

  • Enforce Two Factor Authentication

    Having a second level of verification for technicians ensures that unauthorized access is prevented.

  • Set Complex Password

    Setting a complex password policy allows users to configure unique passwords that are tough to crack. The more complex a password policy is, the more combinations there will be.

  • Restrict users from Uninstalling the Agent from Control Panel

    The agent monitors and executes the configurations and tasks deployed to a particular endpoint. That's why it is necessary to forbid users from uninstalling the agent.

  • Restrict users from stopping Agent service

    Preventing the users from stopping the Agent service ensures that the endpoint stays in contact with the server every 90 minutes.

Under Secure agent server communication,

  • Enable Secured Communication (HTTPS) for LAN and WAN agents

    HTTPS protocol for both LAN and WAN agents ensures that the communication between the agents and the server is always encrypted.

  • Use Secure Gateway Server

    It is highly recommended to host the Device Control Plus server in a corporate network protected by firewall restrictions and other security measures. If there are several roaming users and remote offices, then you can use an additional component, called the Secure Gateway Server. Secure Gateway Server is a reverse proxy solution that acts as a bridge between the WAN agents and the Device Control server. It removes the need for the Device Control server to be hosted as an edge device to manage roaming users.

  • Disable the older versions of TLS

    For improved security, it is advisable to use the newer version of TLS, instead of using the older ones.
    Note: Users cannot manage devices running on legacy OS platforms (Windows XP, Vista, Server 2003 and Server 2008) after disabling the older version of TLS.
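
To confirm from another machine that the two network-facing settings above took effect (port 8020 blocked, older TLS versions refused), a check along these lines can be used. This is an added example, not ManageEngine code. It assumes "older versions" means TLS 1.0 and TLS 1.1, and the HTTPS port is passed on the command line because this page does not state it.

```python
import socket
import ssl
import sys

# Assumption: "older versions" means TLS 1.0 and 1.1; the page does not list them.
LEGACY = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}

def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_accepted(host, port, version, timeout=3.0):
    """True/False: a handshake pinned to `version` succeeded/failed.
    None: this client's TLS library refused to be configured for that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # probing protocol support only,
    ctx.verify_mode = ssl.CERT_NONE   # not validating the certificate
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # allow the client to offer legacy TLS
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:   # ssl.SSLError and timeouts are OSError subclasses
        return False

def findings(http_open, legacy_results):
    """Turn raw probe results into a list of hardening gaps."""
    gaps = []
    if http_open:
        gaps.append("port 8020 is reachable; block it in the firewall")
    for name, result in legacy_results.items():
        if result is True:
            gaps.append(f"{name} is still accepted; disable older TLS versions")
        elif result is None:
            gaps.append(f"{name} could not be tested from this client")
    return gaps

if __name__ == "__main__":
    host, https_port = sys.argv[1], int(sys.argv[2])  # HTTPS port: supply your own
    legacy = {n: tls_accepted(host, https_port, v) for n, v in LEGACY.items()}
    for gap in findings(port_open(host, 8020), legacy) or ["no gaps found"]:
        print(gap)
```

Run it from a host outside the server's own network segment, so the firewall rule is actually on the path. A client whose TLS library silently declines legacy versions during the handshake reports the same result as a server that refuses them, so cross-check a clean result with a second tool.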

Module-wise methodical steps to enhance security:

    Go to the Admin tab,

  • under Database Settings, click Database Backup. Here, schedule a time at which the database should back up every day. You can also set the number of backups to be stored, beyond which the backups will be deleted automatically. It is highly recommended to receive notifications about the database backup failure. Furthermore, secure the database backup using a password.
  • under SoM Settings, click Agent Settings. Here, enable the Restrict users from Uninstalling the Agent from Control Panel and the Restrict users from stopping Agent service options.
  • under Security Settings, click Export Settings. While exporting any reports, you can:
    • Mask the Personal Information
    • Remove Personal Information
    • Retain Personal Information
    • Let the Technician Decide
    Here, opposite to both Configure Export Settings and Configure Scheduled Report Settings, choose Remove Personal Information.
  • Set the session timeout to the minimum possible value.
  • In the web console, click the user profile picture at the top right and click Personalize. Here, set a minimum possible period for Session Expiration.
  • Monitor the active sessions on the Device Control Plus web console and close the stale sessions.
  • It is highly recommended to
    • change the passwords of all the technicians every 90 days.
    • not share the Device Control Plus agent registry and logs with anyone except Device Control Plus Support.

It is highly recommended for Device Control Plus users to follow the guidelines in this document, in particular safeguarding the server by configuring the Security Settings, which is a quick and effective move against cyber threats. Moreover, the steps provided for every module will help strengthen security even further.