Limit global admin access to IP addresses

This is a must. Also need due to insurance requirements.

How much damage is this thread going to do, when a Kaseya-esque compromise occurs, and it becomes obvious that IP restrictions would have protected everyone against the attack?

Could we have an update on this feature request. Please show us on the dev roadmap when and where you will implementing this. Thank you.

Implementing SSO with Office 365 Azure AD would kill two birds with one stone. I would argue it would also provide a higher level of security than what Syncro will possibly create. The security controls in Office 365 Defender for Identity are impressive.

I recognise the benefits of SSO to AAD, but one of the merits of an RMM outside of Microsoft’s infrastructure is isolation from any issues that MS may be experiencing. There would need to be some fallback to an independent authentication mechanism in the event that SSO fails?

This is all

This I would expect would be considered in the design.
My PCs are all AzureAD joined.
We know that with this configuration, if there is no connection to Microsofts infrastructure (such as during internet connection failure) I still have login capability to my PC and also to the local LAN.

Still no update? I agree this should be top priority for Syncro!

Yes I think this is very important for security, with the amount of access an Admin account has.

This is vital! RMM solutions are high-value attack surfaces and security must be a top priority for Syncro. The lack of any response at all from Syncro in this thread is downright concerning.

Agree, I deal with Credit Unions and other financial institutions, this is a critical request for them.

It’s meh. I don’t think they give a cr4p.

The problem with ip blocking is the fact it can still be work around. Either faking the IP and or a virus on the network. I dont think IP blocking is the answer for say - but some type of 2FA would be better.

Ian has talked about this kind of thing a few times. They need to complete their migration to AWS, then they can address these security issues. We will see how high the priority actually is once they compete the migration.

IP restriction remains an extremely effective and valuable piece of security in depth. IP spoofing is a true edge case (it’s far from trivial over the public Internet). IP filters are the bread and butter of every firewall, ever. IP restriction should be implemented along with 2FA and other machanisms as part of a good defence package.

A great many of us are very tired of the dismissive words on this subject. After nearly two years since I started talking about this, I have received zero roadmap commitment on this subject and it’s simply not good enough. When are you doing it Syncro?

I guess because I write code all day… it just seems quote on “simple” quote off to get into systems even if they are IP blocking once you are in… you can just hide out and send stuff over their IP. 2FA and other methods simply make it impossible to get into a system without knowing more information.

Not saying its not needed - I understand it lowers the attack surface. Just that there might be better ways to attack it they don’t support yet.

If ISPs are compliant with RFC 2827 then IP spoofing will be blocked.
Information on BCP 38 » RFC Editor (rfc-editor.org)
There is also a lot of work that goes in behind the scene to protect routing on the internet which will also block IP spoofing.
Lesson Learned: Twitter Shored Up Its Routing Security - MANRS
and
Anti-Spoofing - MANRS

Ultimately we cannot assume that 24x7 all ISP globally are employing IP Traceback.
Security should always be approached with a layered defense mindset.
So if SyncroMSP does its bit, and implements IP address features to limit global admin, we then have an additional layer.

Another aspect to this is if I was able to lock down my SyncroMSP Account to 1 or 2 IP addresses, then for the hackers to successfully gain access by IP address spoofing (assuming the ISPs were failing to be compliant), the hackers would need to know my exact source IP addresses that I use to access SyncroMSP.

But given SyncroMSPs utter silence on this topic we can only assume that this comment by @mattd is an accurate description.

Our insurance is now demanding this. We need an update, or will be forced to switch providers.

Our is headed this way too upon our next renewal in about 7 months. Time is ticking on our search for alternatives.

This is an absolute MUST. We need IP address restrictions for all accounts.