Fortify your Remote Access Plus server

Fortify your ManageEngine Remote Access Plus server
Home »

On-Premises

Cloud

Remote Access Plus is a remote desktop administration solution that can remotely control endpoints. In this document, we will provide you with some tips and tricks to harden your Remote Access Plus security.

Best security practices

Remote Access Plus immediately releases the security patches for identified security issues. Follow this Knowledge Base page to stay updated with the latest security patches. Furthermore, please subscribe to our Data Breach Notification to receive notifications on any security incident without delay.

Note: It is highly recommended to
1) Update your Remote Access Plus server to the latest build.
2) Grant access to the Remote Access Plus folder only to authorized users.

Secure the access to Remote Access Plus server

Securing the login access to the Remote Access Plus server, can prevent security issues involving roles and permissions.

Security Settings

To fortify the login access, go to the Admin tab, and click Security Settings.

Under Secure Login,

  • Remove default admin account

    The default admin account should be removed after the first login.

  • Enable Secure Login (HTTPS).

    All communication between the Remote Access Plus server and the agents will take place using the HTTPS protocol after enabling this option.
    Note: In addition, disable the 7020 port in firewall in your network

  • Use Third Party SSL Certificate

    It is recommended to configure Remote Access Plus with a trusted third party certificate to ensure secured connections between the agents and the server.

  • Enforce Two Factor Authentication

    Having a second level of verification for technicians ensures that unauthorized access is prevented.

  • Set Complex Password

    Setting a complex password policy allows users to configure unique passwords that are tough to crack. The more complex a password policy is, the more combinations there will be.

  • Restrict users from Uninstalling the Agent from Control Panel

    The agent monitors and executes the configurations and tasks deployed to a particular endpoint. That's why it is necessary to forbid users from uninstalling the agent.

  • Restrict users from stopping the Agent service

    Preventing the users from stopping the Agent service ensures that the endpoint stays in contact with the server every 90 minutes.

Under Secure agent server communication,

  • Enable Secured Agent-Server Communication (HTTPS)

    HTTPS protocol for both LAN and WAN agents ensures that the communication between the agents and the server is always encrypted.

  • Secure Remote Control and File Transfer operations

    Enable this option to secure the communication during Remote Control sessions and File Transfer operations.

  • Disable the older versions of TLS

    For improved security, it is recommended to use the newest version of TLS, instead of the older ones.
    Note    : Users cannot manage devices running on legacy OS platforms (Windows XP, Vista, Server 2003 and Server 2008) after disabling the older version of TLS.

Module-wise methodical steps to enhance security

Tools

General

Miscellaneous

Mobile App

  • Go to the Admin tab, under Tools Settings,
    click Port Settings and switch the Communication to HTTPS. Click Save.
  • click System Manager Settings.
  • Under Permission Settings, enable the permission to access the end user's File Manager and Command Prompt to only admins.
  • Under User Confirmation Settings, opposite to the Enable user confirmation for field, check the boxes for File Manager and Command Prompt.
  • Now, in the Admin tab, choose Remote Control Settings under the Tools Settings. Here, scroll down and enable the Idle Session Settings. This allows the remote connection to either just disconnect or disconnect and lock the target computer automatically, when the connection is idle for a set period.
  • Choose Remote Control Settings under the Tools Settings in the Admin tab, and switch to the User Confirmation tab. Here, enable User Confirmation, set a time out period and provide a confirmation message. You can also Make User Confirmation Permanent. Click Save.
  • Note: After enabling the Make User Confirmation Permanent option, the confirmation dialog box will always be displayed and this cannot be reverted even by administrators.
  • Go to the Admin tab, under Database Settings, click Database Backup. Here, schedule a time at which the database should back up every day. You can also set the number of backups to be stored, beyond which the backups will be deleted automatically. It is highly recommended to receive notifications about the database backup failure. Furthermore, secure the database backup using a password.
  • Go to the Admin tab, under Security Settings, click Export Settings. While exporting any reports, you can:
    • Mask the personal Information
    • Remove personal Information
    • Retain Personal Information
    • Let the Technician Decide
    Here, opposite to Configure Export Settings, choose Remove Personal Information.
  • Go to the Admin tab and under User Administration, define and configure roles for users so that access is only granted to handle selected modules.
  • Monitor the active sessions on the Remote Access Plus web console and logout of the stale sessions.
  • It is highly recommended to
    • change the passwords of all the technicians every 90 days.
    • not share the Remote Access Plus agent registry and logs to anyone except Remote Access Plus Support.
  • If you are using the Remote Access Plus mobile app, please follow these guidelines:
  • Use HTTPS mode for the communication between mobile app and the server.
  • Enforce Two Factor Authentication in the Remote Access Plus web console to ensure safe login to the mobile app.
  • Go to the Settings page in the Remote Access Plus mobile app and enable the Applock feature.

It is highly recommended for Remote Access Plus users to follow the guidelines in this document. In particular, the Security Settings. This proves to be a quick and effective move against cyber threats. Moreover, the steps provided for every module will help strengthen the security even further.

Remote Access Plus Cloud is a remote desktop administration solution that can remotely control endpoints. In this document, we will provide you with some tips and tricks to harden your Remote Access Plus Cloud security.

Best security practices

Remote Access Plus CLoud immediately releases the security patches for identified security issues. Follow this Knowledge Base page to stay updated with the latest security patches. Furthermore, please subscribe to our Data Breach Notification by following these steps: Navigate to the Admin tab-> Click Privacy Settings-> Submit your email address in the data breach notification form to receive notifications on any security incident without delay.

Note: It is highly recommended to:
1) Use sound firewall protection and antivirus software and keep them up-to-date to receive timely notifications/alarms.
2) Delete unused accounts: Go to the Admin tab -> User Adminstration -> Delete the unused user account.
3) Install distribution server in a separate machine with no other third part software installed in it. Only authorized users must have access to this machine.
4) Enable Multi-Factor Authentication: Go to the Admin tab -> User Administration -> Secure Authentication -> Enable TFA.
5) Configure complex password policy: Go to the Admin tab -> User Administration -> Secure Authentication -> Configure Password Policy.

Security Settings

To fortify the login access, go to the Admin tab, and click Security Settings.

Under Secure Login,

  • Restrict users from Uninstalling the Agent from Control Panel

    The agent monitors and executes the configurations and tasks deployed to a particular endpoint. That's why it is necessary to forbid users from uninstalling the agent.

  • Restrict users from stopping the Agent service

    Preventing the users from stopping the Agent service ensures that the endpoint stays in contact with the server every 90 minutes.

Module-wise methodical steps to enhance security

Account Settings

Tools

General

Miscellaneous

Mobile App

  • Click the user icon at the top right and click on My Account.
  • To prevent account takeover, configure the account settings by clicking on the user icon on the top right corner and click on My Account,
  • Under Security,
    • Change your account password regularly
    • Add a security question. You can use your secret answer to gain access to your account in case you forget your password.
    • Restrict access to your account by adding a range of trusted IP addresses.
    • Allow third-party applications like email clients, to access your account with unique application-specific passwords instead of using your account password.
    • Checkout the list of devices that have signed in to your Zoho account.
  • Under Multi-Factor Authentication (MFA), choose any MFA mode to add an extra layer of protection.
    • Choose any MFA mode to add an extra layer of security to your account
  • click System Manager Settings.
  • Under Permission Settings, enable the permission to access the end user's Command Prompt to only admins.
  • Under User Confirmation Settings, opposite to the Enable user confirmation for field, check the boxes for Command Prompt.
  • Now, in the Admin tab, choose Remote Control Settings under the Tools Settings. Here, scroll down and enable the Idle Session Settings. This allows the remote connection to either just disconnect or disconnect and lock the target computer automatically, when the connection is idle for a set period.
  • Choose Remote Control Settings under the Tools Settings in the Admin tab, and switch to the User Confirmation tab. Here, enable User Confirmation, set a time out period and provide a confirmation message. You can also Make User Confirmation Permanent. Click Save.
  • Note: After enabling the Make User Confirmation Permanent option, the confirmation dialog box will always be displayed and this cannot be reverted even by administrators.
  • Go to the Admin tab, under Security Settings, click Export Settings. While exporting any reports, you can:
    • Mask the personal Information
    • Remove personal Information
    • Retain Personal Information
    • Let the Technician Decide
  • Here, opposite to Configure Export Settings, choose Remove Personal Information.
  • Go to the Admin tab and under User Administration, configure the roles to prevent access to restricted modules.
  • Monitor the active sessions on the Remote Access Plus web console and logout of the stale sessions.
  • It is highly recommended to
    • change the passwords of all the technicians every 90 days.
    • not share the Remote Access Plus agent registry and logs to anyone except Remote Access Plus Support.
  • Go to the Settings page in the Remote Access Plus mobile app and enable the Applock feature.

It is highly recommended for Remote Access Plus users to follow the guidelines in this document. This proves to be a quick and effective move against cyber threats. Moreover, the steps provided for every module will help strengthen the security even further.