Fortify your Endpoint Central server

On-Premises

Cloud

Endpoint Central is an endpoint management tool that manages your devices running on different Operating Systems from a central location. In this document, we will provide you with some tips and tricks to harden your Endpoint Central security.

Security Best Practices

Endpoint Central immediately releases security patches for identified security issues. Follow the Security Updates Group and the Security Updates on Vulnerabilities section in our Knowledge Base to stay updated with the latest security patches. Furthermore, please subscribe to our Data Breach Notification to receive notifications on any security incident without delay. You can also configure Personalized Security Settings to receive security recommendations from Endpoint Central.

Note: It is highly recommended to
1) Update your Endpoint Central server to the latest build.
2) Not grant access to the ManageEngine folder to users outside the administrators group.
3) Use proper firewall and anti-virus software and keep them up to date so that you receive accurate alerts.
4) Delete unused accounts:
i. From Endpoint Central: Delete unused user accounts from the Endpoint Central server's product console and from the machine where the Endpoint Central server is installed.
ii. From MSSQL server: If you have configured MSSQL, remove any unused accounts from the machines where the MSSQL server is installed as well.
5) Install the distribution server on a dedicated machine with no other third-party software on it. Only authorized users should have access to this machine.
6) Configure an email address to receive security notifications from Endpoint Central.

Security Hardening Guidelines

Below are the security settings you can configure on Endpoint Central console to stay secure.

Security Settings

Basic

  • Subscribe to security advisory in-product

    Configure email address to receive security advisories from Endpoint Central.

  • Enable notification for security recommendations

    Get personalized Central server hardening recommendations via email.

  • Remove default admin account

    The default admin account should be removed after the first login.

  • Enable secure communication (HTTPS) for Central Server.

    This setting forces your Endpoint Central server to accept HTTPS connections only.
    Note: In addition, block port 8020 in your network firewall.

  • Enforce two-factor authentication

    Require a second verification factor for technician logins so that unauthorized access is prevented.

  • Restrict users from uninstalling the agent from control panel

    The agent monitors and executes the configurations and tasks deployed to a particular endpoint. That's why it is necessary to forbid users from uninstalling the agent.

  • Restrict users from stopping agent service

    Preventing users from stopping the agent service ensures that the endpoint stays in contact with the server every 90 minutes.

  • Enable secured communication (HTTPS) for LAN and WAN agents

    HTTPS protocol for both LAN and WAN agents ensures that the communication between the agents and the server is always encrypted.

Advanced

  • Use third-party SSL certificate

    Configure Endpoint Central with a trusted third-party certificate to ensure secured connections between endpoints and the server. A default certificate is provided along with the server so that HTTPS communication works out of the box, but it is not issued by a trusted authority.

  • Disable the older versions of TLS

    For improved security, use the newer versions of TLS instead of the older ones.
    Note: Users cannot manage devices running on legacy OS platforms (Windows XP, Vista, Server 2003 and Server 2008) after disabling the older versions of TLS.

  • Use Secure Gateway Server

    It is highly recommended to host the Endpoint Central server in a corporate network protected by firewall restrictions and other security measures. If there are several roaming users and remote offices, you can use an additional component called the Secure Gateway Server. The Secure Gateway Server is a reverse proxy that acts as a bridge between the WAN agents and the Endpoint Central server, so the Endpoint Central server itself does not need to be exposed as an edge device to manage roaming users.

  • Enable agent-server trusted communication

    Secure the communication between the Central server and agents by enforcing identity verification during HTTPS communication. This can be enabled only after importing a third-party certificate.

  • Enable certificate-based authentication for agent-server communication

    Enable client certificate authentication to validate the authenticity of agents that try to establish a connection with the server. Before enabling it, ensure the agent versions are up to date, as older agents will not be able to connect to the server.

  • Secure your database backup

    Configure this to encrypt the scheduled database backup with a password.

  • Secure software repository (Local network share)

    The local network share contains all the software installation files. Access credentials are used to grant access to the share to authorized users only.
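The HTTPS and TLS items above (accept HTTPS only, block port 8020, disable the older TLS versions) can be verified from a client machine rather than taken on trust. The script below is an added example for this guide, not ManageEngine code; it assumes port 8020 is the plain port the guide says to block, uses 8383 as an assumed HTTPS port (pass the port your installation actually uses), and reports each check as pass, fail, or "could not probe" when the client's own OpenSSL can no longer offer a legacy version.

```python
"""Audit the transport hardening of an Endpoint Central server from a client machine.

Added example for this guide; not ManageEngine code. Assumptions: the plain port is
8020 (the port the guide says to block) and the HTTPS port defaults to 8383 here;
pass the port your installation actually uses.
"""
import socket
import ssl

# Legacy protocol versions that the guide says to disable.
LEGACY_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
}


def port_is_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes, i.e. the port is not blocked."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def client_can_offer(version) -> bool:
    """True if this client's OpenSSL build can still negotiate the given version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        return True
    except ValueError:
        return False


def negotiated_version(host, port, minimum, maximum, timeout=5.0):
    """Attempt a TLS handshake restricted to the range [minimum, maximum].

    Returns the protocol name the server agreed to, or None if no handshake
    completed (server refused the version, connection failed, or timed out).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This probe tests protocol versions only; certificate validation is a separate check.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = minimum
        ctx.maximum_version = maximum
    except ValueError:
        return None  # client cannot offer this version; audit() reports it as unprobed
    try:
        # Modern OpenSSL refuses to *offer* TLS 1.0/1.1 above security level 0;
        # lower it so that a refusal really comes from the server, not from us.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # cipher string not accepted by this build; proceed with defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def audit(host, http_port=8020, https_port=8383, timeout=5.0):
    """Run all checks. True = matches the guide, False = does not, None = could not probe."""
    findings = {"http_port_blocked": not port_is_reachable(host, http_port, timeout)}
    for name, version in LEGACY_VERSIONS.items():
        if not client_can_offer(version):
            findings[f"{name}_refused"] = None
        else:
            findings[f"{name}_refused"] = (
                negotiated_version(host, https_port, version, version, timeout) is None
            )
    findings["tls12_or_newer_accepted"] = (
        negotiated_version(
            host, https_port, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.MAXIMUM_SUPPORTED, timeout
        )
        is not None
    )
    return findings


def failed_checks(findings) -> list:
    """Names of checks that did not clearly meet the guideline (False or unprobed)."""
    return sorted(name for name, ok in findings.items() if ok is not True)


if __name__ == "__main__":
    import sys

    # Placeholder host name; replace with your Endpoint Central server.
    target = sys.argv[1] if len(sys.argv) > 1 else "endpoint-central.example.internal"
    results = audit(target)
    for check, ok in results.items():
        state = "PASS" if ok else ("UNPROBED" if ok is None else "FAIL")
        print(f"{state:8} {check}")
    sys.exit(1 if failed_checks(results) else 0)
```

Run it from a workstation outside the server's own host so that the firewall rule for port 8020 is actually exercised; a check run on the server itself would pass the loopback interface. An "UNPROBED" result for a legacy version means the client's OpenSSL has that version compiled out, so the finding says nothing about the server; repeat that probe from a host whose OpenSSL still supports it.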

Module-wise methodical steps to enhance security:

  • Grant root access on the Red Hat nominated machines only to trusted technicians, so that no one can substitute malicious content for the patch meta files.
  • Grant root access on Linux agents only to trusted technicians, so that no one can replace the package URLs with malicious URLs.
  • Scan the uploaded files in the Upload Patch option for any malicious files.
  • Do not share the following to anyone:
    • Image Creator Component binaries
    • The Bootable Media file
    • The Deployment Passcode (when configuring the Deployment Task)
    • The Image File
    • The User Profile Backup (USMT)
  • Place the Image and Driver repositories in a password-protected Network Share
  • Use either the MAC Address of the target computer(s) or the unique four digit passcode to initiate deployment. This avoids sharing admin credentials.
  • Scan the installation files for malicious content when the post deployment activity involves installing applications.
  • When adding a new user during the Deployment Template creation, enable Complex Password and associate the local users to their respective target computers.
  • Under Settings, configure the passcode policy with a passcode length of 6 characters and an alphanumeric passcode pattern. This passcode will be used in deployment task, instant task, and standalone task.
  • Enable passcode lockout policy that will lock users out of deployment after the specified number of invalid passcode attempts.
  • Enrollment settings

    • For enrolling corporate-owned devices, use the following enrollment methods based on the supported platforms to ensure devices always remain under management even after being factory reset:
    • On corporate devices, the options to perform a factory reset and device wipe can also be restricted to prevent users from removing devices from management.
    • For Android devices, the Allow User to remove ME MDM App option should be disabled to restrict corporate devices that have not been enrolled using the above mentioned enrollment methods from being removed from management.
    • Enable the option to detect and remove jailbroken and rooted devices to ensure only compliant devices remain under management and access corporate data.
  • Inventory settings

    • Schedule regular device scans to ensure the device details remain up to date.
  • Device settings

    • Configure Device Privacy Settings to ensure only the details required by Endpoint Central for management and only the data permitted by the local and global compliance laws are stored on the server.
    • Configure the Terms of Use policies to be displayed to the device users and obtain their consent before collecting and storing device information on the Endpoint Central server to ensure user privacy.
  • Go to the Admin tab and, under Tools Settings, click Port Settings. Switch the Communication to HTTPS and click Save.
  • Under Tools Settings, click System Manager Settings.
  • Under Permission Settings, enable the permission to access the end user's File Manager and Command Prompt to only admins.
  • Under User Confirmation Settings, next to the Enable user confirmation for field, check the boxes for File Manager and Command Prompt.
  • Now, go to the Tools tab, click Remote Control, and switch to the Settings tab. Here, enable the Idle Session Settings. This allows the remote connection to either just disconnect or disconnect and lock the target computer automatically, when the connection is idle for a set period.
  • In the Remote Control tab, switch to the User Confirmation tab. Here, enable User Confirmation, set a time out period and provide a confirmation message. You can also Make User Confirmation Permanent. Click Save.
  • Note: After enabling the Make User Confirmation Permanent option, the confirmation dialog box will always be displayed and this cannot be reverted even by administrators.
  • Go to the Admin tab, under Database Settings, click Database Backup. Here, schedule a time at which the database should back up every day. You can also set the number of backups to be stored, beyond which the backups will be deleted automatically. It is highly recommended to receive notifications about the database backup failure. Furthermore, secure the database backup using a password.
  • Under SoM Settings, click Agent Settings. Here, enable the Restrict users from Uninstalling the Agent from Control Panel and the Restrict users from stopping Agent service options.
  • Under Security Settings, click Export Settings. While exporting any reports, you can:
    • Mask the personal Information
    • Remove personal Information
    • Retain Personal Information
    • Let the Technician Decide
    Here, opposite to both Configure Export Settings and Configure Scheduled Report Settings, choose Remove Personal Information.
  • If SAML authentication is enabled in the product, enable multi-factor authentication in the IdP that provides single sign-on.
  • If you're using the Endpoint Central mobile app, it is recommended to:
    • Use HTTPS mode for communicating between mobile app and server for safe and secure communication.
    • Use the App Lock feature in mobile app under the mobile app settings page to ensure security.
    • Enforce Two Factor Authentication for additional security in web clients to safely log in to the mobile app.
  • Set the session timeout as short as possible: in the web console, click the user profile picture at the top right and click Personalize. Here, set the shortest practical period for Session Expiration.
  • Monitor the active sessions on the Endpoint Central web console and close the stale sessions.
  • It is highly recommended to
    • change the passwords of all the technicians every 90 days.
    • not host the Distribution Server as an edge device.
    • not share the Endpoint Central agent registry and logs to anyone except Endpoint Central Support.
  • Store the HTTP Repository in a local computer or a secure Network Path.
  • Scan the files before uploading when creating a new software package.
  • While uploading a script in the Script Repository, ensure that the file is scanned for malicious content before uploading.
  • While resolving misconfigurations, read the post deployment issues, if any, to be aware of potential issues that may arise after altering existing configurations.
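Several of the steps above ask you to scan patch files, installation files, software packages and scripts for malicious content before uploading them to the repositories. A complementary check that can be scripted is to verify every file against the publisher's SHA-256 manifest before it goes into the software or script repository, so that a tampered or unexpected file never reaches the endpoints. The code below is an added example for this guide, not ManageEngine code; the manifest format (sha256sum style, one "<hex digest>  <relative path>" per line) and the sample files in demo() are constructed for illustration.

```python
"""Verify a package directory against a SHA-256 manifest before uploading it to the
Endpoint Central software or script repository.

Added example; not ManageEngine code. The manifest format and the sample files used in
demo() are constructed for illustration.
"""
from __future__ import annotations

import hashlib
from pathlib import Path

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large installers do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ("<digest>  <path>", '*' marks binary mode)."""
    expected: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root with the manifest.

    ok: hash matches; mismatch: file present but hash differs; unexpected: file not
    listed in the manifest; missing: listed in the manifest but absent from the tree.
    """
    result: dict[str, list[str]] = {"ok": [], "mismatch": [], "unexpected": [], "missing": []}
    seen: set[str] = set()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            result["unexpected"].append(rel)
        elif sha256_of(path) == manifest[rel]:
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)
    result["missing"] = sorted(set(manifest) - seen)
    return result


def safe_to_upload(result: dict[str, list[str]]) -> bool:
    """Upload only when every file is present, listed and matches its published hash."""
    return not (result["mismatch"] or result["unexpected"] or result["missing"])


def demo() -> dict[str, list[str]]:
    """Constructed sample: one intact file, one tampered file, one unlisted file and one
    file the manifest lists but the package lacks."""
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        installer = b"MZ constructed installer bytes"
        published_ini = b"[setup]\nsilent=1\n"
        (root / "bin" / "setup.exe").write_bytes(installer)
        (root / "setup.ini").write_bytes(b"[setup]\nsilent=0\n")  # differs from manifest
        (root / "README.txt").write_bytes(b"not listed in the manifest")
        manifest_text = "\n".join(
            [
                "# constructed manifest",
                f"{hashlib.sha256(installer).hexdigest()}  bin/setup.exe",
                f"{hashlib.sha256(published_ini).hexdigest()}  setup.ini",
                f"{hashlib.sha256(b'license').hexdigest()}  LICENSE.txt",
            ]
        )
        return verify_tree(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    report = demo()
    for category, files in report.items():
        print(f"{category:10} {files}")
    print("safe to upload:", safe_to_upload(report))
```

A hash manifest proves that the files are the ones the publisher released; it does not prove that the release itself is clean, so keep the anti-virus scan the guide calls for and treat the manifest check as the gate that runs first. Obtain the manifest over a channel separate from the download (the vendor's signed release page, for instance), otherwise an attacker who can swap the package can swap the hashes with it.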

It is highly recommended for Endpoint Central users to follow the guidelines in this document. In particular, safeguarding the server by configuring the Security Settings is a quick and effective measure against cyber threats. Moreover, the steps provided for every module will help strengthen security even further.

Endpoint Central Cloud is an endpoint management tool that manages your devices running on different Operating Systems from a central location. In this document, we will provide you with some tips and tricks to harden your Endpoint Central Cloud security.

Best security practices

Endpoint Central Cloud immediately releases the security patches for identified security issues. Follow the Security Updates Group and the Security Updates on Vulnerabilities section in our Knowledge Base to stay updated with the latest security patches. Furthermore, please subscribe to our Data Breach Notification by following the steps: Navigate to Admin tab > Click on Privacy Settings > Submit e-mail address in the data breach notification form to receive notifications on any security incident without delay.

Note: It is highly recommended to
1) Use proper firewall and anti-virus software and keep them up to date so that you receive accurate alerts.
2) Delete unused accounts: Admin > User Administration > Dissociate the unused user account.
3) Install the distribution server on a dedicated machine with no other third-party software on it. Only authorized users should have access to this machine.
4) Enable multi-factor authentication: Go to the Admin tab > User Administration > Secure Authentication > Enable TFA.
5) Configure a complex password policy: Go to the Admin tab > User Administration > Secure Authentication > Configure password policy.

Security Settings

To fortify the login access, go to the Admin tab, and click Security Settings.

Under Secure Login,

  • Restrict users from Uninstalling the Agent from Control Panel

    The agent monitors and executes the configurations and tasks deployed to a particular endpoint. That's why it is necessary to forbid users from uninstalling the agent.

  • Restrict users from stopping Agent service

    Preventing users from stopping the agent service ensures that the endpoint stays in contact with the server every 90 minutes.

Module-wise methodical steps to enhance security:

  • Grant root access on the Red Hat nominated machines only to trusted technicians, so that no one can substitute malicious content for the patch meta files.
  • Grant root access on Linux agents only to trusted technicians, so that no one can replace the package URLs with malicious URLs.
  • Scan the uploaded files in the Upload Patch option for any malicious files.
  • Click the user icon at the top right and click My Account.
  • To prevent account takeover, configure the account settings under My Account.
  • Under Security,
    • Change your account password regularly
    • Add a security question. You can use your secret answer to gain access to your account in case you forget your password.
    • Restrict access to your account by adding a range of trusted IP addresses.
    • Allow third-party applications, such as email clients, to access your account with unique application-specific passwords instead of your account password.
    • Check the list of devices that have signed in to your Zoho account.
  • Under Multi-Factor Authentication (MFA),
    • Choose any MFA mode to add an extra layer of protection.
  • Enrollment settings

    • For enrolling corporate-owned devices, use the following enrollment methods based on the supported platforms to ensure devices always remain under management even after being factory reset:
    • On corporate devices, the options to perform a factory reset and device wipe can also be restricted to prevent users from removing devices from management.
    • For Android devices, the Allow User to remove ME MDM App option should be disabled to restrict corporate devices that have not been enrolled using the above mentioned enrollment methods from being removed from management.
    • Enable the option to detect and remove jailbroken and rooted devices to ensure only compliant devices remain under management and access corporate data.
  • Device settings

    • Configure Device Privacy Settings to ensure only the details required by Endpoint Central for management and only the data permitted by the local and global compliance laws are stored on the server.
    • Configure the Terms of Use policies to be displayed to the device users and obtain their consent before collecting and storing device information on the Endpoint Central server to ensure user privacy.
  • Click System Manager Settings.
  • Under Permission Settings, enable the permission to access the end user's Command Prompt to only admins.
  • Under User Confirmation Settings, next to the Enable user confirmation for field, check the box for Command Prompt.
  • Now, in the Admin tab, choose Remote Control Settings under the Tools Settings. Here, scroll down and enable the Idle Session Settings. This allows the remote connection to either just disconnect or disconnect and lock the target computer automatically, when the connection is idle for a set period.
  • Choose Remote Control Settings under the Tools Settings in the Admin tab, and switch to the User Confirmation tab. Here, enable User Confirmation, set a time out period and provide a confirmation message. You can also Make User Confirmation Permanent. Click Save.
  • Note: After enabling the Make User Confirmation Permanent option, the confirmation dialog box will always be displayed and this cannot be reverted even by administrators.
  • Under SoM Settings, click Agent Settings. Here, enable the Restrict users from Uninstalling the Agent from Control Panel and the Restrict users from stopping Agent service options.
  • Under Security Settings, click Export Settings. While exporting any reports, you can:
    • Mask the personal Information
    • Remove personal Information
    • Retain Personal Information
    • Let the Technician Decide
    Here, opposite to both Configure Export Settings and Configure Scheduled Report Settings, choose Remove Personal Information.
  • If SAML authentication is enabled in the product, enable multi-factor authentication in the IdP that provides single sign-on.
  • If you're using the Endpoint Central mobile app, it is recommended to:
    • Use the App Lock feature in mobile app under the mobile app settings page to ensure security.
  • In the Admin tab, go to User Administration and configure roles to prevent access to restricted modules.
  • Monitor the active sessions on the Endpoint Central web console and close the stale sessions.
  • It is highly recommended to
    • change the passwords of all the technicians every 90 days.
    • not share the Endpoint Central agent registry and logs to anyone except Endpoint Central Support.
  • Store the HTTP Repository in a local computer or a secure Network Path.
  • Scan the files before uploading when creating a new software package.
  • While uploading a script in the Script Repository, ensure that the file is scanned for malicious content before uploading.
  • Do not share the following to anyone:
    • Image Creator Component binaries
    • The Bootable Media file
    • The Deployment Passcode (when configuring the Deployment Task)
    • The Image File
    • The User Profile Backup (USMT)
  • Place the Image and Driver repositories in a password-protected Network Share
  • Use either the MAC Address of the target computer(s) or the unique four digit passcode to initiate deployment. This avoids sharing admin credentials.
  • Scan the installation files for malicious content when the post deployment activity involves installing applications.
  • When adding a new user during the Deployment Template creation, enable Complex Password and associate the local users to their respective target computers.
  • Under Settings, configure the passcode policy with a passcode length of 6 characters and an alphanumeric passcode pattern. This passcode will be used in deployment task, instant task, and standalone task.
  • Enable passcode lockout policy that will lock users out of deployment after the specified number of invalid passcode attempts.

It is highly recommended for Endpoint Central users to follow the guidelines in this document. In particular, safeguarding the server by configuring the security settings is a quick and effective measure against cyber threats. Moreover, the steps provided for every module will help strengthen security even further.
