Security Best Practices for Management Console
Enable Two-Factor Authentication for Administrator Accounts
Two-Factor Authentication (2FA) adds a second factor to the login of the main administrator and sub-admin accounts. You can use Google Authenticator or Microsoft Authenticator on an iOS or Android mobile device; once enabled, the console requires the current six-digit code from the app in addition to the password when logging into Managed Backup.
To enable 2FA on the main administrator account:
- Log in to Management Console using the main administrator credentials.
- In the Users menu, select Administrators.
- Find the main administrator, then click Edit.
- Click Enable 2FA, then download and run either the Google or Microsoft Authenticator apps on your mobile device.
- Click Add Account, then scan the QR on the Management Console screen.
- The account is now secured with 2FA.
To enable 2FA for a sub-administrator, create the sub-admin account under Administrators, log onto Management Console with that sub-admin's credentials, navigate to the Administrators page, and follow the same steps as for the main administrator.
Once completed, your admin accounts are protected by 2FA. If someone saves their credentials in a browser, or an attacker obtains an administrator's password, they still cannot log onto Management Console without access to that administrator's mobile device. Treat the enrolled device as a credential in its own right: if it is lost or replaced, re-enroll 2FA for the affected account rather than leaving the old enrollment in place.
Use IAM Role Access to your AWS S3 Storage
When creating your AWS S3 Storage in Managed Backup, use Identity and Access Management (IAM) Roles instead of the classic Access / Secret Keys. An IAM role has no long-lived access keys, so there is no static credential sitting in the Managed Backup configuration to be stolen. Instead, AWS issues short-lived temporary credentials for the role, which expire automatically, so backup and restore plans get the access they need without a permanent secret. Scope the role's permissions to the backup bucket(s) and to the S3 actions that backup and restore actually require. Configuring your S3 accounts in Managed Backup with IAM Roles is detailed in this help article: https://mspbackups.com/Admin/Help/billing-storage/storage-providers/amazon/iam-role
Added Security with the Advanced Rebranding Option
Advanced Rebranding is more than simply selling Managed Backup under your own brand. The Advanced Rebranding feature also offers additional security settings that restrict access and functionality in the deployed backup agents:
- Uncheck the Enable Backup Agent option in Rebranding – Options to stop your customers opening the installed Managed Backup agent at all. This prevents end users from accessing the agent and making changes.
- If you leave the agent accessible, uncheck Enable Ability to Delete Files from the Storage Tab to prevent someone manually deleting backed-up files from the Storage tab.
- Uncheck Enable Backup Plan Edit, Enable Restore Plan Edit, or both, to stop users changing backup or restore plans.
- If you do not plan to use remote access to the machines running the Managed Backup agent, uncheck Allow Remote Access to Computer.
Create Unique User Accounts for Each Customer
User accounts are used to authenticate your customers' computers with the Managed Backup service. Never share one user account across customers: at a minimum, create a separate user account for each customer. If a customer is large, or contains groups of computers (e.g. servers vs endpoints) or internal departments (e.g. accounting vs HR) that need to be managed differently, consider creating a user account for each group. Remember that user accounts do more than authenticate: they are also used to assign storage and can be used to create deployments with specific rules, so the account boundary is also a storage and policy boundary. As always, secure each account with a strong, unique password and never reuse a password between user accounts.
Use IP Allowlists to Allow Access only from Approved Network Locations
You can prevent access to the management console from computers that are not in an approved IP address range. To do this, go to Settings – IP Whitelisting and enable the option, enter a set of IP addresses or IP address ranges, and Save. Once enabled, any attempt to reach the management console from an address outside the list is rejected. Before saving, make sure the list includes the public address you are connecting from right now (your office egress or VPN address, not a private LAN address), or you will lock yourself out along with everyone else; and remember that administrators on dynamic home connections will need a fixed egress such as a VPN to stay inside the list.