Security Best Practices for Management Console
- Enable two-factor authentication for administrator accounts
- Use IAM role access to AWS S3 storage
- Create unique user accounts for each customer
- Use IP allowlists to allow access only from approved network locations
- Enable Object Lock (Immutability)
Enable Two-Factor Authentication for Administrator Accounts
Two-Factor Authentication (2FA) adds a second layer of login security for the main administrator and sub-administrator accounts. You can use the MSP360 authenticator, Google Authenticator or Microsoft Authenticator on an iOS or Android mobile device; the app produces a one-time code that must be entered in addition to the password when logging in to Managed Backup.
To enable 2FA on the main Administrator account, proceed as follows:
- Open the Management Console and log into it under the main administrator credentials.
- In the Users menu, select Administrators, and click the Edit button next to the main administrator account.
- Select the Enable Two-Factor Authentication (2FA) check box.
- Follow the instructions in the Enable Two-Factor Authentication dialog box: install and open the MSP360 application or the third-party authenticator of your choice on your mobile device, scan the QR code shown in the dialog box to add the account, then enter the verification code the app produces to validate the setup.
- The administrator account is now secured with 2FA. If you intend to force all your administrators to use 2FA, select the Force 2FA for all administrators check box as well.
After 2FA is enabled, generate alternative codes that can be used to access the Management Console in case of emergency: for instance, if you accidentally remove yourself from the IP Allowlist. To do this:
- Click the 2FA Alternative Codes link.
- Click Generate New Codes. Once the codes are generated, download or print them. Each code can be used to authenticate to the Console, so keep them in a safe place, separate from the account password.
To enable 2FA on a sub-administrator, proceed as follows:
- Create a new account under Administrators.
- Log into Management Console under the new credentials.
- Upon the first login, click Enable Two-Factor Authentication, then follow the instructions in the Enable Two-Factor Authentication dialog box: install and open the MSP360 application or the third-party authenticator of your choice on your mobile device, scan the QR code shown in the dialog box to add the account, then enter the verification code the app produces to validate the setup.
You can also force 2FA to be switched on for all your sub-administrators. To do this, proceed as follows:
- Log into Management Console under the root account.
- In the Settings menu, select General.
- Select the Force Two-Factor Authentication for all administrators check box.
- Click Save.
Once complete, your admin accounts are secured with 2FA. If someone saved their username and password in a browser, or an attacker obtained an admin password, they still cannot log in to Managed Backup without the administrator's mobile device (or an unused alternative code).
Use IAM Role Access to your AWS S3 Storage
When adding AWS S3 storage in Managed Backup, use Identity and Access Management (IAM) roles instead of the classic access key / secret key pair. A role has no long-lived access keys, so there is no static credential that can be leaked from a configuration file or stolen from a compromised machine. Instead, short-lived temporary credentials are issued for the role when backup and restore plans need to reach S3 storage, and they expire on their own. Configuring your S3 accounts in Managed Backup with IAM roles is described in this help article: https://mspbackups.com/Admin/Help/billing-storage/storage-providers/amazon/iam-role
Create Unique User Accounts for Each Customer
User accounts authenticate your customers' computers to the Managed Backup service. Use at least one user account per customer, and never share an account between customers. If a customer is large, or has groups of computers (e.g. servers vs. endpoints) or internal departments (e.g. accounting vs. HR) that need to be managed differently, create a user account for each group. Keep in mind that user accounts are not only for authentication: they are also used to assign storage and can be used to create deployments with specific rules. As always, secure each account with a strong, unique password, and never reuse a password across user accounts.
Use IP Allowlists to Allow Access only from Approved Network Locations
You can block access to the Management Console from computers outside an approved (or known) IP address range. To do this, proceed as follows:
- In the Settings menu, select IP Allowlisting.
- Click Add New.
- Specify the name for the IP address range and the range itself.
- Click Save.
- Enable IP allowlisting with the slider at the top of the pane.
- Click Save.
Once IP allowlisting is enabled, connections from IP addresses that are not in the allowlist are rejected. Before you enable it, make sure the range you are currently connecting from is in the list, otherwise you lock yourself out. Refer to IP Address Allowlist for details.
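To make the check concrete, the following added example (not MSP360 code, and not how the console implements it) evaluates a client address against a named allowlist in the shape the steps above ask for: a name plus a range, where the range may be a single address, a CIDR block or a start-end pair. It includes the lockout guard from the warning above: enforcement is only switched on if the administrator's own address is covered. The entries use documentation address blocks and are constructed for the example.

```python
import ipaddress

# Constructed allowlist entries (name, range). Documentation-only address ranges; not any
# customer's real addresses.
ALLOWLIST = [
    ("Head office", "203.0.113.0/24"),
    ("NOC VPN egress", "198.51.100.10-198.51.100.20"),
    ("Admin home", "192.0.2.77"),
]


def parse_range(spec: str):
    """Turn one range specification into a list of ip_network objects.
    Accepts 'a.b.c.d', 'a.b.c.d/nn' or 'start-end'; IPv4 and IPv6 alike."""
    spec = spec.strip()
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {spec}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False so "203.0.113.5/24" is accepted as the /24 it lies in
    return [ipaddress.ip_network(spec, strict=False)]


def compile_allowlist(entries):
    """Pre-parse every entry once; returns [(name, network), ...]."""
    return [(name, net) for name, spec in entries for net in parse_range(spec)]


def allowed_by(compiled, client_ip: str):
    """Name of the matching entry, or None if the address is not allowlisted.
    client_ip must be the real source address of the connection (see note below)."""
    addr = ipaddress.ip_address(client_ip)
    for name, net in compiled:
        if addr.version == net.version and addr in net:
            return name
    return None


def safe_to_enable(compiled, my_current_ip: str) -> bool:
    """Lockout guard: only turn enforcement on if the admin doing it is covered."""
    return allowed_by(compiled, my_current_ip) is not None


if __name__ == "__main__":
    compiled = compile_allowlist(ALLOWLIST)
    for ip in ("203.0.113.45", "198.51.100.15", "198.51.100.21", "192.0.2.77", "2001:db8::1"):
        print(ip, "->", allowed_by(compiled, ip) or "rejected")
    print("safe to enable from 10.0.0.5:", safe_to_enable(compiled, "10.0.0.5"))
```

The address fed to the check has to be the TCP source address of the connection, or a forwarding header that only a trusted reverse proxy is allowed to set; a client-supplied X-Forwarded-For value would let anyone claim an allowlisted address. If administrators reach the console over IPv6, their IPv6 ranges need entries of their own, since an IPv4 entry never matches an IPv6 client.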
Enable Object Lock (Immutability)
Object Lock (Immutability) is currently the strongest level of backup protection available. An immutable backup cannot be altered or deleted before its retention period expires, so it is not exposed to ransomware, unauthorized access, or human error. Even if you lose all your data, an immutable backup lets you rebuild everything from scratch from clean, uncorrupted copies.
In MSP360 Managed Backup, Object Lock (Immutability) is supported for the Amazon S3 and Wasabi storage providers. To create an immutable backup in MSP360 Managed Backup with AWS or Wasabi, proceed as follows:
- In the Storage / Storage Accounts section, choose an account and click the gear icon. Here you can add a new bucket with Object Lock (Immutability) enabled or edit an existing bucket.
- Create a backup plan and proceed to the Retention Policy step.
- Switch on the GFS feature and specify the retention periods for daily/weekly/yearly backups.
- Click Enable Object Lock (Immutability) and confirm that you want to make the backups unchangeable.
Read more about this feature in the Object Lock (Immutability) chapter.
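The retention periods entered at the Retention Policy step are what the lock is tied to: each backup copy is locked until the end of the retention period of the GFS tier it belongs to. The following added example (not MSP360 code, and not how Managed Backup maps its policy to the storage provider) shows that mapping for Amazon S3: it derives a retain-until date from a constructed GFS policy, builds the request parameters that boto3's put_object and put_object_lock_configuration calls take for COMPLIANCE-mode locking, and models the rule S3 then enforces. The tier rule (first backup of the year is the yearly copy, a Sunday backup is the weekly copy) and the retention numbers are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed retention policy in days per GFS tier. The tier names mirror the ones the
# console asks for; the numbers are illustrative, not an MSP360 default.
GFS_RETENTION_DAYS = {"daily": 14, "weekly": 60, "yearly": 365 * 7}


def gfs_tier(backup_time: datetime) -> str:
    """Assumed tier rule for illustration: the first backup of the year is the yearly copy,
    a backup taken on a Sunday is the weekly copy, anything else is a daily copy."""
    if backup_time.month == 1 and backup_time.day == 1:
        return "yearly"
    if backup_time.weekday() == 6:
        return "weekly"
    return "daily"


def retain_until(backup_time: datetime, policy=GFS_RETENTION_DAYS) -> datetime:
    """Retain-until date = backup time + retention period of the tier the copy belongs to."""
    return backup_time + timedelta(days=policy[gfs_tier(backup_time)])


def object_lock_put_params(bucket: str, key: str, backup_time: datetime) -> dict:
    """Keyword arguments for boto3 s3.put_object() that lock the uploaded object until its
    retain-until date. COMPLIANCE (not GOVERNANCE) is the mode that no principal,
    including the account root user, can shorten or remove before the date passes."""
    return {
        "Bucket": bucket,
        "Key": key,
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": retain_until(backup_time),
    }


def bucket_default_lock_params(bucket: str, days: int) -> dict:
    """Keyword arguments for boto3 s3.put_object_lock_configuration(): a default retention
    applied to every new object version written to a bucket that has Object Lock enabled."""
    return {
        "Bucket": bucket,
        "ObjectLockConfiguration": {
            "ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": days}},
        },
    }


def deletion_allowed(retain_until_date: datetime, now: datetime) -> bool:
    """What the storage enforces for a locked object version: deleting or overwriting it is
    refused until the retain-until date has passed, regardless of who asks."""
    return now >= retain_until_date


if __name__ == "__main__":
    taken = datetime(2024, 3, 5, 2, 0, tzinfo=timezone.utc)  # a Tuesday
    params = object_lock_put_params("example-backups", "client-a/2024-03-05.cbb", taken)
    print(gfs_tier(taken), "copy locked until", params["ObjectLockRetainUntilDate"])
    # Compromised credentials two days later: the delete is refused.
    print("delete allowed:", deletion_allowed(params["ObjectLockRetainUntilDate"], taken + timedelta(days=2)))
```

Two consequences follow for capacity planning: a locked copy cannot be removed early to free space, so the retention period chosen here is also the minimum storage cost per copy; and shortening the policy later only affects new copies, because existing retain-until dates can be extended but never pulled in.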