# Security Hardening Guidelines | ManageEngine Endpoint Central

## Fortify your Endpoint Central server

## On-Premises

Endpoint Central is an endpoint management tool that manages your devices running on different operating systems from a central location. In this document, we provide tips to harden your Endpoint Central security.

### Security Best Practices

Endpoint Central promptly releases security patches for identified security issues. Follow the [Security Updates Group](https://pitstop.manageengine.com/portal/en/community/desktop-central/vulnerability-notifications) and the **Security Updates on Vulnerabilities** section in our [Knowledge Base](https://www.manageengine.com/products/desktop-central/knowledge-base.html) to stay updated with the latest security patches. Furthermore, subscribe to our [Data Breach Notification](https://www.manageengine.com/products/desktop-central/breach-notification.html) to receive notifications on any security incident without delay. You can also configure **Personalized Security Settings** to receive security recommendations from Endpoint Central.

**Note: It is highly recommended to**

1. Update your Endpoint Central server to the latest build.
2. Avoid granting access to the ManageEngine folder to users outside the administrative group.
3. Use proper firewall and anti-virus software and keep them up to date to get accurate alerts.
4. Delete unused accounts:
   1. **From Endpoint Central**: Delete unused user accounts from the Endpoint Central server's product console and from the machine where the Endpoint Central server is installed.
   2. **From MSSQL server**: If you have configured MSSQL, remove any unused account from the machines where MSSQL server is installed as well.
5. Install the distribution server on a dedicated machine with no other third-party software. Only authorized users should have access to this machine.
6. Configure an email address to receive security notifications from Endpoint Central.

### Security Hardening Guidelines

Below are the security settings you can configure on the Endpoint Central console to stay secure.

## Security Settings

### Basic

- **Subscribe to security advisory in-product**: Configure an email address to receive security advisories from Endpoint Central.
- **Enable notification for security recommendations**: Get personalized Central server hardening recommendations via email.
- **Remove default admin account**: The default admin account should be removed after the first login.
- **Enable secure communication (HTTPS) for Central Server**: This setting makes your Endpoint Central server accept communication over HTTPS only. **Note**: Block port 8020 in your network firewall.
- **Enforce two-factor authentication**: Require a second level of verification for technicians to prevent unauthorized access.
- **Restrict users from uninstalling the agent from control panel**: The agent monitors and executes the configurations and tasks deployed to a particular endpoint, so users must be prevented from uninstalling it.
- **Restrict users from stopping agent service**: Preventing users from stopping the agent service ensures that the endpoint stays in contact with the server every 90 minutes.
- **Enable secured communication (HTTPS) for LAN and WAN agents**: Using HTTPS for both LAN and WAN agents ensures that communication between the agents and the server is always encrypted.

### Advanced

- **Use third-party SSL certificate**: Configure Endpoint Central with a trusted [third party certificate](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/importing_ssl_certificates.html) to secure connections between endpoints and the server. A default certificate is provided along with the server for HTTPS communication.
- **Disable the older versions of TLS**: Use newer versions of TLS instead of older ones. **Note**: Devices running legacy OS platforms (Windows XP, Vista, Server 2003, and Server 2008) cannot be managed after disabling older versions of TLS.
- **Use Secure Gateway Server**: Host the Endpoint Central server in a corporate network protected by firewall restrictions and other security measures. If there are roaming users and remote offices, use the [Secure Gateway Server](https://www.manageengine.com/products/desktop-central/secure-communication-of-mobile-users-using-forwarding-server.html). It acts as a reverse proxy between WAN agents and the Endpoint Central server and eliminates the need to host the server as an edge device.
- **Enable agent-server trusted communication**: Secure communication between the Central server and agents by enforcing identity verification during HTTPS communication. This can be enabled only after importing a third-party certificate. [Learn more](https://www.manageengine.com/products/desktop-central/steps-to-enable-trusted-communication.html).
- **Enable certificate-based authentication for agent-server communication**: Enable client certificate authentication to validate agent authenticity. Ensure agents are updated before enabling this feature. [Learn more](https://www.manageengine.com/products/desktop-central/client-certificate-authentication.html).
- **Secure your database backup**: Encrypt scheduled database backups with a password.
- **Secure software repository (Local network share)**: The [local network share](https://www.manageengine.com/products/desktop-central/help/configuring_desktop_central/edit_network_shared_path.html) contains software installation files. Use access credentials to grant access to authorized users only.
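As an added example (not ManageEngine's own code or documentation), the PowerShell script below audits three of the host-level items above on a Windows-hosted Endpoint Central server: Allow ACEs on the ManageEngine folder for non-administrative principals, a host-firewall block on TCP 8020, and whether the HTTPS listener still completes a TLS 1.0 or TLS 1.1 handshake. The default install path and the HTTPS port are assumptions, not values from this page; pass your own.

```powershell
# Added audit script, not part of ManageEngine's documentation. Assumed rather
# than taken from the page: the default install root and the HTTPS port value.
param(
    [string]$InstallDir = 'C:\Program Files\ManageEngine',  # assumed; adjust to your install
    [Parameter(Mandatory)][int]$HttpsPort,                   # your server's HTTPS listener port
    [string]$ServerHost = 'localhost'
)

# Checklist item: no access to the ManageEngine folder for non-administrative users.
# Returns every Allow ACE granted to a principal other than the built-in privileged ones.
function Get-NonAdminFolderAccess {
    param([string]$Path)
    $privileged = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $privileged -notcontains $_.IdentityReference.Value
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Checklist item: port 8020 (plain HTTP) disabled in the firewall. This inspects the
# Windows host firewall only; a perimeter firewall must be checked separately.
function Test-HttpPortBlocked {
    param([int]$Port = 8020)
    foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and @($filter.LocalPort) -contains "$Port") { return $true }
    }
    return $false
}

# Checklist item: older TLS versions disabled. Attempts a handshake restricted to one
# legacy protocol; $true means the server still accepted it. The auditing machine must
# itself allow that protocol client-side, otherwise the result is $false regardless.
function Test-LegacyTlsAccepted {
    param([string]$Hostname, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Hostname, $Port)
        # Any certificate is accepted here: the probe tests protocol support, not trust.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($Hostname, $null, $Protocol, $false)
        return $true
    } catch { return $false } finally { $tcp.Dispose() }
}

Write-Host "Allow ACEs for non-administrative principals on $InstallDir"
Get-NonAdminFolderAccess -Path $InstallDir | Format-Table -AutoSize
Write-Host ("TCP 8020 blocked by host firewall: {0}" -f (Test-HttpPortBlocked))
foreach ($proto in 'Tls', 'Tls11') {
    $accepted = Test-LegacyTlsAccepted -Hostname $ServerHost -Port $HttpsPort -Protocol $proto
    Write-Host ("{0} still accepted on port {1}: {2}" -f $proto, $HttpsPort, $accepted)
}
```

Run it from an elevated prompt on the server host; an empty ACE table, `True` for the firewall check and `False` for both TLS probes mean the three items are in place at the OS level.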
## Module-wise methodical steps to enhance security

### Patch Management

- Provide root access only to trusted technicians on Red Hat machines, to avoid malicious content being sent instead of meta files.
- Provide root access only to trusted technicians on Linux agents, to avoid malicious URLs being sent instead of package URLs.
- Scan files uploaded through the Upload Patch option for malicious content.

### OS Deployment

- Do not share:
  - Image Creator component binaries
  - Bootable Media file
  - Deployment Passcode
  - Image File
  - User Profile Backup (USMT)
- Place Image and Driver repositories in a password-protected network share.
- Use MAC address or a unique four-digit passcode to initiate deployment.
- Scan installation files for malicious content during post-deployment application installations.
- Enable complex passwords when adding new users during Deployment Template creation.
- Configure a passcode policy with a minimum length of 6 characters and an alphanumeric pattern.
- Enable a passcode lockout policy after invalid attempts.

### Mobile Device Management

#### Enrollment settings

- Use the following enrollment methods:
  - [Apple Business Manager](https://www.manageengine.com/mobile-device-management/help/enrollment/apple_business_manager_enrollment.html) for iOS, macOS, and tvOS
  - [Samsung Knox Mobile Enrollment](https://www.manageengine.com/mobile-device-management/help/enrollment/knox_mobile_device_management.html) for Samsung devices
  - [Zero Touch Enrollment](https://www.manageengine.com/mobile-device-management/help/enrollment/android_zero_touch_enrollment.html) for non-Samsung devices
- Restrict factory reset and device wipe options.
- Disable [Allow User to remove ME MDM App](https://www.manageengine.com/mobile-device-management/help/enrollment/customize_me_mdm_app.html#Allowing_user_to_remove_ME_MDM_App).
- Enable detection and removal of [jailbroken and rooted devices](https://www.manageengine.com/mobile-device-management/help/enrollment/customize_me_mdm_app.html).

#### Inventory settings

- Schedule regular [device scans](https://www.manageengine.com/mobile-device-management/help/asset_management/mdm_scan_devices.html).

#### Device settings

- Configure [Device Privacy Settings](https://www.manageengine.com/mobile-device-management/help/configuring_mobile_device_manager/mdm_device_privacy_settings.html).
- Configure [Terms of Use policies](https://www.manageengine.com/mobile-device-management/help/configuring_mobile_device_manager/mdm_device_privacy_settings.html).

### Tools

- Switch communication to HTTPS under Port Settings.
- Restrict File Manager and Command Prompt access to admins.
- Enable User Confirmation for File Manager and Command Prompt.
- Enable Idle Session Settings in Remote Control.
- Enable User Confirmation with timeout and optional permanent confirmation. **Note**: Permanent confirmation cannot be reverted.

### General

- Schedule daily database backups and secure them with a password.
- Enable restrictions on uninstalling or stopping the agent.
- Configure Export Settings to **Remove Personal Information**.
- Enable multi-factor authentication in the IdP if SAML is enabled.
- If using the Endpoint Central mobile app:
  - Use HTTPS mode.
  - Enable App Lock.
  - Enforce Two-Factor Authentication.

### Miscellaneous

- Set a minimal session timeout.
- Monitor and close stale sessions.
- Change technician passwords every 90 days.
- Do not host the Distribution Server as an edge device.
- Do not share agent registry and logs except with Endpoint Central Support.

### Software Deployment

- Store the HTTP Repository securely.
- Scan files before uploading new software packages.

### Configuration

- Scan scripts for malicious content before uploading them to the Script Repository.

### Vulnerability Management

- Review post-deployment issues before resolving misconfigurations.

It is highly recommended for Endpoint Central users to follow these guidelines, especially safeguarding the server by configuring the Security Settings. This is a quick and effective defense against cyber threats.

---

## Cloud

Endpoint Central Cloud is an endpoint management tool that manages devices running on different operating systems from a central location. Below are tips to harden Endpoint Central Cloud security.

### Best security practices

Follow the [Security Updates Group](https://pitstop.manageengine.com/portal/en/community/desktop-central/vulnerability-notifications) and the **Security Updates on Vulnerabilities** section in our [Knowledge Base](https://www.manageengine.com/products/desktop-central/knowledge-base.html) to stay updated. Subscribe to **Data Breach Notification** via **Admin tab → Privacy Settings → Submit email address**.

**Note: It is highly recommended to**

1. Use updated firewall and anti-virus software.
2. Delete unused accounts (Admin → User Administration).
3. Install the distribution server on a dedicated machine.
4. Enable Multi-Factor Authentication (Admin → User Administration → Secure Authentication).
5. Configure a complex password policy.

## Security Settings

To fortify login access, go to **Admin → Security Settings under Security and Privacy**.

### Under Secure Login

- **Restrict users from uninstalling the Agent from Control Panel**
- **Restrict users from stopping Agent service**

## Module-wise methodical steps to enhance security

### Account Settings

- Click the user icon → **My Account**.
- Configure account settings:
  - Change password regularly.
  - Add a security question.
  - Restrict access using trusted IP addresses.
  - Use application-specific passwords.
  - Review signed-in devices.
  - Enable Multi-Factor Authentication (MFA).

### Mobile Device Management

Use:

- [Apple Business Manager](https://www.manageengine.com/mobile-device-management/help/enrollment/apple_business_manager_enrollment.html)
- [Samsung Knox Mobile Enrollment](https://www.manageengine.com/mobile-device-management/help/enrollment/knox_mobile_device_management.html)
- [Zero Touch Enrollment](https://www.manageengine.com/mobile-device-management/help/enrollment/android_zero_touch_enrollment.html)

Disable [Allow User to remove ME MDM App](https://www.manageengine.com/mobile-device-management/help/enrollment/customize_me_mdm_app.html#Allowing_user_to_remove_ME_MDM_App) and enable detection of [jailbroken and rooted devices](https://www.manageengine.com/mobile-device-management/help/enrollment/customize_me_mdm_app.html).

### Tools

- Restrict Command Prompt access to admins.
- Enable User Confirmation.
- Enable Idle Session Settings in Remote Control.

### General

- Enable restrictions on agent uninstall and service stop.
- Configure Export Settings to remove personal information.
- Enable MFA in the IdP if SAML is used.
- Enable App Lock in the mobile app.

### Miscellaneous

- Configure role-based access control.
- Monitor and close stale sessions.
- Change technician passwords every 90 days.
- Do not share agent registry and logs except with support.

### Software Deployment

- Store the HTTP Repository securely.
- Scan files before uploading.

### Configuration

- Scan scripts before uploading.

### OS Deployment

- Do not share Image Creator binaries, Bootable Media, Deployment Passcode, Image File, or USMT backups.
- Use MAC address or passcode for deployment.
- Configure complex passcode policies and lockout policies.

It is highly recommended for Endpoint Central Cloud users to follow these guidelines and configure security settings to defend effectively against cyber threats.