Security Best Practices for Kaseya VSA

With all things in our industry, we must lead with security in mind and your RMM is no different and arguably even more important to ensure strong security practices are followed. The attempts by bad actors have increased significantly in the last few years and show no signs of slowing, made worse by the feeling that they are always one step ahead of us and our available tools. Let’s discuss how to aid in keeping your Kaseya VSA instance safe from them.

Firewall

  • For on-premises environments, one of the most effective methods of security is to restrict access to your VSA server/web interface to only your internal network, with the exception of port 5721. By blocking the interface, you greatly reduce the attack vector introduced by the login screen. Port 5721, or whichever port you have configured, needs to remain open for agents to communicate with the server. Utilize a VPN for remote users to access VSA or whitelist their IPs as needed.
  • There is currently no option for this in Kaseya’s hosted environments.

Principle of Least Privilege

  • The principle of least privilege is the concept by which users are restricted to only the areas that they need to perform their job duties. In Kaseya VSA, this can be accomplished using Roles and Scopes. Roles, control what Modules and Functions your users have access to while Scopes, control what Organizations, Machine Groups, and Machines your users have access to. We recommend creating a basic Role that provides technicians access to the Modules and Functions to perform basic helpdesk functions and building additional Roles as they are needed within your environment. It is important to remember, when creating a Role, to provide only the permissions you think the users might need. Be conservative with the permissions you are providing as you can always add additional permissions as needed and when adding permissions to a Role, be sure you are not adding them for one user. If not all users of a Role need the extra permissions, create another role to encompass what those users need.
  • We have provided a document that includes what we feel is a great starting point for a basic technician role: Basic VSA Technician Role

Server/Host App and SQL Patching

  • Keeping the operating systems of both the Application and SQL, and any associated hosts, up to date will ensure you have the latest security updates and assist in further deterrent of possible compromises.

FireEye Endpoint Security

  • FireEye Endpoint Security is available to all on-premises environments, at no cost, to assist in further protecting your VSA server. Reach out to your account manager for more details or to start the process of acquiring the agent.

VSA Patching

  • Like regularly updating your server, VSA application updates should be done regularly to ensure you have the latest features and security patches from Kaseya.

Multi-Factor Authentication

  • MFA has been made mandatory by Kaseya and for good reason. You can use any token vault that you have access to such as ITGlue, Authy, or Microsoft Authenticator.

Strong Passwords

  • VSA requires a minimum of 16-character passwords but can be increased if you prefer. We recommend using a password management tool to generate and save strong passwords. A password management tool encourages users to utilize randomized passwords, as the tool removes the need to memorize it, and has the added benefit of reducing the number of accounts using a single password. A few password management tools you can utilize are ITGlue, LastPass, and PassPortal.

Password Failure Lockout Attempts and Time

  • You can set the number of failed login attempts prior to an account being locked out as well as how long the lockout persists. We recommend 5 attempts as the maximum and 1 hour as the minimum.

Remove/Disable User Accounts Prior-to or Immediately after Departure from the Company

  • Be sure not to leave yourself vulnerable by neglecting to remove, disable, or otherwise secure an account of a previous employee. It is easier to forget to secure the account of an employee who left on great terms than an employee who was terminated but that account could become the gateway of nefarious activity.

Regularly review users and their assigned Roles/Scopes

  • In addition to removing user accounts that are no longer needed it is important to regularly review your users to verify they have the expected permissions

We hope that this list has provided worthwhile insights to helping you with securing your Kaseya VSA and we are always here to help with your VSA needs.

Tobin Carpenter

Tobin Carpenter

Tobin got his start in the IT industry right out of high school by working at his local tech school. After that Tobin worked for several break/fix companies before starting his journey into the MSP industry in 2007. Tobin came to ProVal in 2021 and began sharing his knowledge and experience with ProVal Tech's partners

Categories

Get in touch today for MSP NOC Services!
Contact Us

ProVal Technologies, Inc

498 Palm Springs Drive, Ste. 130
Altamonte Springs, FL 32701
United States
Phone: 407-588-0101

Facebook Twitter Instagram Linkedin Youtube
SOC 2 Certified Logo
Form CTA

©2023 ProVal Technologies, Inc All Rights Reserved.

Privacy Policy Disclaimer

Security Best Practices for Kaseya VSA

VSA Best Security Pratices Blog Photo

I truly view ProVal as a partner and extension of my team, not as one of my vendors

When our NOC Manager left last fall we wanted to replace the position with an outsourced NOC to reduce headcount, and bring in an expert to both Labtech and our backup solutions. Bringing in ProVal Technologies was one of the best decisions we made last year and has paid for itself.During our first few monthly recurring Labtech admin meetings the ProVal team discovered incorrect settings and policies that were not applying correctly in our Labtech server. Things that we thought were automated and working were not. For example, there were multiple scripts and policies running but set to do nothing such as disk cleanup scripts. Cisco Umbrella was not configured correctly. Server alerting was not set right and the list went on.The backup team sends daily and weekly reports and updates that reduce my technicians time that we used to spend on backup or antivirus tickets that took forever and were tedious.ProVal also brings in great insights to our business and really cares about our success. They will frequently mention to me in meetings what new scripts they can import to make us more efficient or will schedule upgrades to our backups, Labtech, etc so I don’t have to worry. I truly view ProVal as a partner and extension of my team not as one of my vendors.

Chris-Warnick-Headshot
Chris Warnick
Vision Computer Solutions
Northville, MI

They will quickly become an extension of your team and your ROI will reflect the results

We have been a long time user of Labtech and had tried for many years to manage the product internally with no real success at the level we needed to make our solutions more efficient for our customers. Once we hired Vikram and his team at ProVal, it solved all our pain points with the product and we really felt like we were leveraging the tool as it was designed. If this sounds like you and it’s keeping you up at night, then you need these guys. They will quickly become an extension of your team and your ROI will reflect the results.

Bryan-Wolff-Headshot
Bryan Wolff
CEO, Wolff Logics LT Managed & Admin Services
Cedar Park, Texas

They work well, fast and on budget

We met Vikram from ProVal Tech at Gary Pica’s Shnizzfest a year ago. Vikram explained the advantage of having trained, certified personnel take care of our recent Automate implementation. Even though we had taken an implementation package from ConnectWise to start up the program, we felt many custom configurations we needed for our business were lacking. We hired ProVal Tech after Automate was installed to help us with this task. From sales to technicians everyone was professional and knowledgeable. Onboarding was simple, and well documented. Tools on the web were supplied while we did the work, and they allowed us to track what was done, and see the improvements in the environment. It was easy to reach any of the team members, for any concern or question – all answered with courtesy and smile. Once the work was finished, we were given some training and explanations, add to that documentation, about the work and the scripts and features added to the program. We have been happily working with Automate since then. We can only recommend this efficient team of people for any work into Automate: they work well, fast and on budget.

Ben-Prevost-Headshot
Ben Prevost
FarWeb IT
Sherbrooke, Canada