Limit global admin access to IP addresses

I first raised the issue (in July 2021 I believe) that applying this setting to non-global admin users was actually a fairly serious security hole, or perhaps to put it another way, it is a missed opportunity for greater security.

I was told (via FB or Reddit groups) that it was being developed.

Is it? If it is…when do we get it?

Cheers, Matt

Hi Matt,

This is something we are considering implementing, but do not have an ETA.

Are any other mitigation measures being implemented?

Not that I am aware of.

Just to be clear, in your original post you said “applying this setting to non-global admin users.” Did you mean to say global admins? Being able to limit access to certain IP addresses can only be applied to non-global admins. I take it you want to be able to do the same for global admins as well. But since global admins are the most powerful level who can access anything in the entire site, it sounds like you want an even higher level, some kind of super global admin, or something like that.

Hi Randy, sorry, yes, I didn’t word that too well.

What I’m saying, and what I said in July on FB, Syncro Support ticket and Reddit is:

Not applying IP restrictions to the most powerful user accounts (global admins) is completely upside-down. Those are the most dangerous accounts and the ones most in need of IP restriction.

Restricting access to non-admins is of far less value, because those users can only do a limited amount of damage.

There was a lot of agreement with this sentiment, especially in the wake of the Kaseya hack, and many of my fellow MSPs echoed my demand for restriction of admin accounts.

Personally I feel that favouring convenience over security is a very dangerous choice for Syncro, and I am very surprised and increasingly concerned that nothing is being done about this.

Reddit post regarding IP restriction of Global Admin accounts

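The policy gap Matt describes, as an added illustration (not Syncro’s code or configuration; the role names, networks and usernames are constructed): a role-aware login allowlist with the “only non-admins restricted” setting beside the hardened one, plus a check a defender can run over login records to spot global admin logins that the hardened policy would have refused.

```python
"""Role-aware source-IP allowlist for console logins (illustrative, not Syncro's)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    role: str       # constructed role names: "technician" or "global_admin"
    source_ip: str


# Constructed office networks (TEST-NET ranges, not real infrastructure).
OFFICE_NETS = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("198.51.100.10/32")]

# Policy as the thread describes the current behaviour: non-global admins
# can be pinned to an allowlist, global admins cannot (None = unrestricted).
UPSIDE_DOWN_POLICY = {"technician": OFFICE_NETS, "global_admin": None}

# Policy the thread asks for: the most privileged role is restricted too.
HARDENED_POLICY = {"technician": OFFICE_NETS, "global_admin": OFFICE_NETS}


def is_allowed(attempt: LoginAttempt, policy: dict) -> bool:
    """Return True if the login's source IP is permitted for its role."""
    nets = policy.get(attempt.role)
    if nets is None:          # role has no allowlist: anything goes
        return True
    try:
        ip = ipaddress.ip_address(attempt.source_ip)
    except ValueError:        # unparseable source: fail closed
        return False
    return any(ip in net for net in nets)


def admin_logins_outside_allowlist(attempts: list) -> list:
    """Compensating check: global admin logins the hardened policy would refuse."""
    return [a for a in attempts
            if a.role == "global_admin" and not is_allowed(a, HARDENED_POLICY)]


# Constructed login records.
SAMPLE_ATTEMPTS = [
    LoginAttempt("tech.alice", "technician", "203.0.113.7"),    # in office net
    LoginAttempt("tech.bob", "technician", "192.0.2.55"),       # outside
    LoginAttempt("admin.matt", "global_admin", "203.0.113.7"),  # in office net
    LoginAttempt("admin.matt", "global_admin", "192.0.2.55"),   # outside: the case at issue
    LoginAttempt("admin.eve", "global_admin", "not-an-ip"),     # malformed source
]
```

Under `UPSIDE_DOWN_POLICY` the admin login from 192.0.2.55 is accepted; under `HARDENED_POLICY` it is refused, and `admin_logins_outside_allowlist` lists it for follow-up.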

CISA advises vendors / administrators to pretty much do what we’re asking.


This is something that is being investigated internally. I don’t have any timelines or additional info beyond that at this time.


I’m going to update my funeral plan to ensure that your oft-heard reply is chiselled onto my tombstone.

The Kaseya hack was 232 days ago. Lots of time for baddies to look at other RMM systems to break.
Lots of time for Syncro to implement what cannot be that hard, given that non-admin users can already be IP restricted.


The issue could be that they don’t want to bother with additional support issues for locked accounts caused by IP changes etc., but locking IP access is a MUST for any RMM.

I just got my insurance increased because Syncro doesn’t lock access to global admin to specific IPs, so be ready to spend more with Syncro.

Yes, I suspect that’s exactly why they don’t do it.


My insurance is requiring us to do IP based restrictions now on an RMM tool. They understand you can’t for a global admin, however - I bet in the future, they won’t allow this and will demand we move. Syncro needs to support it - soon. E&O insurance providers are getting very picky about how we operate nowadays.


This is a must, it just makes sense.