Limit global admin access to IP addresses

I first raised the issue (in July 2021 I believe) that applying this setting to non-global admin users was actually a fairly serious security hole, or perhaps to put it another way, it is a missed opportunity for greater security.

I was told (via FB or Reddit groups) that it was being developed.

Is it? If it is…when do we get it?

Cheers, Matt

11 Likes

Hi Matt,

This is something we are considering implementing, but do not have an ETA.

Are any other mitigation measures being implemented?

Not that I am aware of.

Just to be clear, in your original post you said “applying this setting to non-global admin users.” Did you mean to say global admins? Being able to limit access to certain IP addresses can only be applied to non-global admins. I take it you want to be able to do the same for global admins as well. But since global admins are the most powerful level who can access anything in the entire site, it sounds like you want an even higher level, some kind of super global admin, or something like that.

Hi Randy, sorry yes I didn’t word that too well.

What I’m saying, and what I said in July on FB, Syncro Support ticket and Reddit is:

Not applying IP restrictions to the most powerful user accounts (global admins) is completely upside-down. Those are the most dangerous accounts and the ones most in need of IP restriction.

Restricting access to non-admins is of far less value, because those users can only do a limited amount of damage.

There was a lot of agreement with this sentiment, especially in the wake of the Kaseya hack, and many of my fellow MSPs echoed my demand for restriction of admin accounts.

Personally I feel that favouring convenience over security is a very dangerous choice for Syncro, and I am very surprised and increasingly concerned that nothing is being done about this.

5 Likes

Reddit post regarding IP restriction of Global Admin accounts

1 Like

CISA advises vendors / administrators to pretty much do what we’re asking.

2 Likes

This is something that is being investigated internally. I don’t have any timelines or additional info beyond that at this time.

2 Likes

I’m going to update my funeral plan to ensure that your oft-heard reply is chiselled onto my tombstone.

The Kaseya hack was 232 days ago. Lots of time for baddies to look at other RMM systems to break.
Lots of time for Syncro to implement what cannot be that hard, given that non-admin users can already be IP restricted.

4 Likes

The issue could be that they don’t want to bother with additional support issues for locked accounts caused by IP change etc., but locking IP access is a MUST for any RMM.

I just got my insurance increased because Syncro doesn’t lock access to global admin to specific IPs, so be ready to spend more with Syncro.

Yes I suspect that’s exactly why they don’t do it

2 Likes

My insurance is requiring us to do IP based restrictions now on an RMM tool. They understand you can’t for a global admin, however - I bet in the future, they won’t allow this and will demand we move. Syncro needs to support it - soon. E&O insurance providers are getting very picky about how we operate nowadays.

1 Like

This is a must, it just makes sense.

1 Like

Totally agree with all comments here, insurance is asking us to lock down RMM access by IP for all accounts. This needs to be implemented ASAP!!!

2 Likes

Ian Alexander mentioned this issue specifically on the webinar last week and how it’s important to them to release the feature. No timeline given though.

1 Like

@ian.alexander was dismissive on the SSO topic. I think it was the most foolish thing I heard from the presentation. They really need to go back and re-think this. AAD SSO brings Conditional access which will give us better control over which machines connect to Syncro. Including things like IP address restrictions, only allowing AAD enrolled machine access and ensuring access is only allowed by encrypted compliant workstations.

3 Likes

If a non-global admin can be restricted, I am sure the level of dev work to enable the same for global admin will not be much; of course, you will field more support tickets with careless customers getting their global account locked out. For that, I suggest an unlocking mechanism similar to what most password managers use, or create an ‘access manager’ role account. This account should not be IP restricted but be protected with multilevel identity verifications like a complex unlock key, secret question/answer challenges, and email verification, and this account should have no other privilege than to unrestrict/unlock an existing global account. Even then, you will get support tickets from users locking themselves out. For that, charge an Account Unlock Service Fee!

1 Like
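
The ‘access manager’ design proposed in the post above, sketched as an added example (not part of the original thread and not Syncro's code): global admins are held to a CIDR allowlist, while a recovery role is exempt from it but can only unlock, and only after every verification step passes. The role names, action names and factor identifiers are hypothetical, and denying on an empty allowlist is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

UNLOCK = "unlock_global_admin"
# Verification steps named in the post; the identifiers are hypothetical.
REQUIRED_FACTORS = frozenset({"unlock_key", "secret_answer", "email_code"})

@dataclass
class Account:
    name: str
    role: str  # "global_admin", "technician" or "access_manager"
    allowed_networks: list = field(default_factory=list)  # CIDR strings

def ip_allowed(account, source_ip):
    """True if source_ip falls inside one of the account's CIDR ranges."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed address: fail closed
    nets = (ipaddress.ip_network(n, strict=False) for n in account.allowed_networks)
    return any(addr.version == n.version and addr in n for n in nets)

def authorize(account, source_ip, action, verified=frozenset()):
    """Return (allowed, reason) for one request."""
    if account.role == "access_manager":
        # Not IP restricted, but can do exactly one thing, and only after
        # every verification step has passed.
        if action != UNLOCK:
            return False, "access manager may only unlock"
        if not REQUIRED_FACTORS <= set(verified):
            return False, "verification incomplete"
        return True, "unlock permitted"
    # Assumption: an empty allowlist denies rather than allows.
    if not ip_allowed(account, source_ip):
        return False, "source IP not in allowlist"
    if action == UNLOCK:
        return False, "only the access manager may unlock"
    return True, "ok"

def unlock(manager, target, source_ip, verified, new_network):
    """Add new_network to a locked-out global admin's allowlist."""
    ok, _reason = authorize(manager, source_ip, UNLOCK, verified)
    if ok and target.role == "global_admin":
        ipaddress.ip_network(new_network, strict=False)  # raises on bad CIDR
        target.allowed_networks.append(new_network)
        return True
    return False

# Constructed sample accounts (documentation address ranges).
ADMIN = Account("admin", "global_admin", ["203.0.113.0/24"])
RECOVERY = Account("recovery", "access_manager")
```
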

This is in line with my thinking. Warn customers very clearly about locking themselves out, then charge them to unlock.
I’m sure 99% of Syncro customers have multiple fixed IP sources they can use to maintain access.

Tick tock. Still nothing.

2 Likes