Security Best Practices for Kaseya VSA

As with everything in our industry, we must lead with security in mind. Your RMM is no different, and it is arguably even more important to ensure strong security practices are followed there. Attempts by bad actors have increased significantly in the last few years and show no signs of slowing, made worse by the feeling that they are always one step ahead of us and our available tools. Let’s discuss how to help keep your VSA instance safe from them.


  • For on-premises environments, one of the most effective security measures is to restrict access to your VSA server/web interface to only your internal network, with the exception of port 5721. By blocking the interface, you greatly reduce the attack surface introduced by the login screen. Port 5721, or whichever port you have configured, needs to remain open for agents to communicate with the server. Utilize a VPN for remote users to access VSA or whitelist their IPs as needed.
  • There is currently no option for this in Kaseya’s hosted environments.
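One way to confirm the restriction above is in place is to run a reachability check from a machine outside your network. The script below is an added example, not Kaseya tooling or part of the original article; the web interface ports (80 and 443) and the hostname `vsa.example.com` are assumptions to replace with your own values.

```python
import socket
import sys

AGENT_PORT = 5721          # agent check-in port named in the article (change if reconfigured)
WEB_UI_PORTS = (80, 443)   # assumption: ports that serve the VSA login page


def is_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered, or name resolution failed
        return False


def audit_exposure(host, must_be_open, must_be_closed, timeout=3.0):
    """Compare what is reachable from this vantage point with the intended policy.

    Returns a list of (port, problem) tuples; an empty list means compliant.
    """
    findings = []
    for port in must_be_open:
        if not is_reachable(host, port, timeout):
            findings.append((port, "agent port unreachable: agents cannot check in"))
    for port in must_be_closed:
        if is_reachable(host, port, timeout):
            findings.append((port, "web interface reachable from outside the network"))
    return findings


if __name__ == "__main__":
    # Placeholder hostname; pass your server's public name as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "vsa.example.com"
    problems = audit_exposure(host, [AGENT_PORT], WEB_UI_PORTS)
    for port, problem in problems:
        print(f"{host}:{port} {problem}")
    sys.exit(1 if problems else 0)
```

Run it from an external connection without the VPN; a non-zero exit code means either the login page is exposed or the firewall change also blocked agent check-ins.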

Principle of Least Privilege

  • The principle of least privilege is the concept by which users are restricted to only the areas they need to perform their job duties. In VSA, this can be accomplished using Roles and Scopes. Roles control what Modules and Functions your users have access to, while Scopes control what Organizations, Machine Groups, and Machines your users have access to. We recommend creating a basic Role that gives technicians access to the Modules and Functions needed to perform basic helpdesk functions, and building additional Roles as they are needed within your environment. When creating a Role, remember to provide only the permissions you think the users might need. Be conservative with the permissions you provide, as you can always add more later. When adding permissions to a Role, be sure you are not adding them for just one user. If not all users of a Role need the extra permissions, create another Role to encompass what those users need.
  • We have provided a document that includes what we feel is a great starting point for a basic technician role: Basic VSA Technician Role

Server/Host App and SQL Patching

  • Keeping the operating systems of both the Application and SQL servers, and any associated hosts, up to date will ensure you have the latest security updates and further help deter possible compromises.

FireEye Endpoint Security

  • FireEye Endpoint Security is available to all on-premises environments, at no cost, to assist in further protecting your VSA server. Reach out to your account manager for more details or to start the process of acquiring the agent.

VSA Patching

  • As with your server, VSA application updates should be applied regularly to ensure you have the latest features and security patches from Kaseya.

Multi-Factor Authentication

  • MFA has been made mandatory by Kaseya and for good reason. You can use any token vault that you have access to such as ITGlue, Authy, or Microsoft Authenticator.

Strong Passwords

  • VSA requires passwords of at least 16 characters, and this minimum can be increased if you prefer. We recommend using a password management tool to generate and save strong passwords. A password management tool encourages users to utilize randomized passwords, as the tool removes the need to memorize them, and has the added benefit of reducing the number of accounts using a single password. A few password management tools you can utilize are ITGlue, LastPass, and PassPortal.

Password Failure Lockout Attempts and Time

  • You can set the number of failed login attempts prior to an account being locked out as well as how long the lockout persists. We recommend 5 attempts as the maximum and 1 hour as the minimum.

Remove/Disable User Accounts Prior to or Immediately after Departure from the Company

  • Be sure not to leave yourself vulnerable by neglecting to remove, disable, or otherwise secure the account of a previous employee. It is easier to forget to secure the account of an employee who left on great terms than that of an employee who was terminated, but either account could become the gateway for nefarious activity.

Regularly review users and their assigned Roles/Scopes

  • In addition to removing user accounts that are no longer needed, it is important to regularly review your users to verify they have the expected permissions.

We hope that this list has provided worthwhile insights to help you secure your VSA. We are always here to help with your VSA needs.


Written by: Tobin Carpenter - MSP Consultant