Secure your Endpoint Central server

Introduction

A cyberthreat actor has claimed that a few Endpoint Central server instances hosted as edge devices with weak password policies might have been compromised. This document explains the claim, the conditions under which an instance might be compromised, and the steps end users can take to harden their security.

What is the claim?

A cyberthreat actor has claimed that Endpoint Central servers hosted as edge devices (publicly accessible), without two-factor authentication enabled, and still using the default credentials to authenticate users might be affected. The claim applies only if an organization's Endpoint Central server satisfies all three conditions mentioned below.

How did we analyze the threat?

We were in touch with third-party intelligence firms to investigate this claim.

Who does it target?

Only the Endpoint Central servers that meet all the below criteria are targeted:

  • The server is publicly accessible.
  • Two-factor authentication is not enabled.
  • The default admin username and password are used for logging in.

What should I do if I meet all three criteria?

Remediation:

  • Change the password for the admin account.
  • Enable two-factor authentication for all users.

Impact assessment:

  • Verify if any new unauthorized users have been created.
  • Check whether any unauthorized custom scripts or configurations have been deployed in your network.
  • Examine whether any suspicious executables have been deployed in your network. It is highly recommended that you review your firewall traffic for the past few weeks for any irregular behavior.
  • Similarly, analyze Endpoint Central's Action Log Viewer and your network event logs for any anomalous behavior.

I don't meet all three conditions. However, can I tighten the security of my Endpoint Central server further?

Go to the Admin tab, and click Security Settings.

  • Enable Secure Login.
  • Enable Two-Factor Authentication.
  • Set a complex password policy.
  • Ensure the default admin passwords are always changed.
  • Enable secured communication for both LAN and WAN agents (HTTPS).
  • Disable older TLS versions.

Note:

  • It is highly recommended that you enable Two-Factor Authentication in your Endpoint Central server.
  • Please refer to our Security tips and recommendations document for enhanced security.

Frequently asked questions

How do I find if my setup was accessed using the default credentials?

  • Go to the Admin tab.
  • Under Global Settings, click User Administration.
  • Here, you can check whether any unauthorized users were created. Also, please check if existing users were modified.
  • You should also go to the Action Log Viewer to check for any suspicious behavior.

I have other administrator accounts along with the default account. Is my setup affected?

Yes, your setup might be affected because the default username and password are still in use. It is highly recommended that you remove the default admin account or change its username and password. To do that, go to the Admin tab and select User Administration under Global Settings. Here, either change the password of the default admin account or remove the account. To enhance the security of your server even more, go to the Admin tab, click Security Settings, and enable more of the options listed there.

I have the Secure Gateway Server configured; will this affect my central server?

Your server might be affected if the Secure Gateway Server's UI is enabled and the default admin username and password remain active on the central server. If your server is configured that way, reset the default credentials and enable two-factor authentication.

If you need assistance, our support team is always ready to help. Please reach out to us at uems-security@manageengine.com.