Remote monitoring and management (RMM) tools are very powerful and useful. They provide a centralized location for managing and administering multiple endpoints across multiple businesses. If an RMM is compromised, an attacker can gain access to your valuable data and then potentially exfiltrate it. Cyber attacks are becoming increasingly prevalent, and RMMs are a hot target because they hand an attacker the keys to your kingdom.
ThreatLocker recommends applying Ringfencing boundaries to your RMM policy to restrict its access to your protected files. If your RMM doesn't need to access the files on your endpoints, block it. This way, it can't access your valuable data, limiting the potential damage in the event of a cyber-attack.
To set up Ringfencing, navigate to ‘Application Control’ using the ‘Modules’ dropdown on the left-hand side of the page. Once in Application Control, select the ‘Policies’ tab from the right corner of the page.
Our example uses Datto RMM, but the same concept applies to all RMMs.
Select the policy, and a side panel will open on the right side of the page titled ‘Edit Application Policy’. From here, navigate to the ‘Actions’ section of the page. Here, there are three choices labeled ‘Permit’, ‘Permit with Ringfence’, and ‘Deny’. Select ‘Permit with Ringfence’.
Ringfencing File Access
To restrict the RMM agent's access to your files, navigate to the switch labeled ‘Restrict this application from accessing files?’ and make sure it is turned ‘On’. By default, this will include any network shares, external storage such as USB drives, and your Desktop and Documents folders.
For more detailed instructions on how to Ringfence file access, navigate to the following article:
Ringfencing Internet Access
ThreatLocker also recommends restricting your RMM's access to the internet. Your RMM does need access to the internet, but doesn't need access to the entire internet. Let ThreatLocker help you learn the domains or IPs that your RMM requires communication with and create boundaries to block your RMM from accessing any site other than your designated trusted sites. Then, if it is compromised, your RMM cannot communicate with any command-and-control servers or other untrusted IP addresses.
While your endpoints are in automatic Learning Mode (like they are by default when you deploy the ThreatLocker agent), ThreatLocker will automatically create internet exclusions as it observes and learns the behavior of your RMM. This helps build a picture of the behavior expected by your RMM. When you are ready to secure your environment, you can lock down based on this expected behavior that ThreatLocker has learned without manually creating these exclusions.
To restrict the RMM agent's access to the internet, navigate to the ‘Policies’ page and select your RMM policy. Navigate to the bottom of the ‘Edit Application Policy’ panel, then within the ‘Actions’ section, make sure that ‘Permit with Ringfence’ is selected. Under the ‘Restrict this application from accessing the internet?’ section, ensure the switch is turned ‘On’.
Under the 'Exclusions' tab, you can enter individual IP addresses, entire subnets, or domains. For detailed instructions on using Ringfencing Exclusions, navigate to the following article:
The 'Tags' tab allows you to assign tags to the policy. For more information on creating and using Tags, navigate to the following article:
If your endpoints are not in Learning Mode, you may wish to set this policy to ‘Monitor Only’ for a week so you can make any adjustments necessary without impeding normal workflow.
To set a policy to ‘Monitor Only’ status, navigate to Application Control > Policies. Locate your RMM policy. Select ‘Monitor’ from the dropdown box in the ‘Status’ column.
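The following is an added example, not ThreatLocker's own code or a description of its implementation, that models the three policy states described above (Learning Mode, Monitor Only, and an enforced Ringfence) and the three exclusion forms the ‘Exclusions’ tab accepts (single IP, subnet, domain). The matching rules it uses (exact IP, CIDR membership, exact domain or a subdomain of it), the mode names, and all destination values are assumptions constructed for the example; the addresses come from the RFC 5737 documentation ranges and are not Datto RMM's real endpoints.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed exclusion list in the three forms the article names. Example
# values only, not any RMM vendor's real endpoints.
EXCLUSIONS = [
    "203.0.113.10",       # a single IP address
    "198.51.100.0/24",    # an entire subnet
    "rmm.example.com",    # a domain
]

# Constructed sample of outbound connections observed from the RMM agent.
OBSERVED = [
    "203.0.113.10",            # on the exclusion list (single IP)
    "198.51.100.77",           # inside the excluded subnet
    "agent.rmm.example.com",   # subdomain of the excluded domain
    "192.0.2.5",               # not on the list
    "rmm.example.com.evil.test",  # only looks like the excluded domain
]


@dataclass
class Ringfence:
    """Model of an internet Ringfence: only destinations on the exclusion list
    are permitted. Mode is one of 'learning', 'monitor' or 'secured'
    (assumed names for this example)."""
    mode: str = "secured"
    ips: set = field(default_factory=set)
    networks: list = field(default_factory=list)
    domains: set = field(default_factory=set)

    def add_exclusion(self, entry: str) -> None:
        """Classify one exclusion as IP, subnet or domain and store it."""
        entry = entry.strip().lower().rstrip(".")
        try:
            self.ips.add(ipaddress.ip_address(entry))
            return
        except ValueError:
            pass
        try:
            self.networks.append(ipaddress.ip_network(entry, strict=False))
            return
        except ValueError:
            pass
        self.domains.add(entry)

    def permitted(self, destination: str) -> bool:
        """True if the destination matches an exclusion."""
        dest = destination.strip().lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            addr = None
        if addr is not None:
            return addr in self.ips or any(addr in net for net in self.networks)
        # A domain matches itself or any of its subdomains (assumed rule).
        return any(dest == d or dest.endswith("." + d) for d in self.domains)

    def evaluate(self, destination: str) -> str:
        """Return the action taken for one outbound connection."""
        if self.permitted(destination):
            return "permit"
        if self.mode == "learning":
            # Learning Mode creates the exclusion automatically.
            self.add_exclusion(destination)
            return "learned"
        if self.mode == "monitor":
            # Monitor Only records what would be denied without blocking it.
            return "monitor"
        return "deny"


def simulate(mode: str, exclusions=EXCLUSIONS, observed=OBSERVED) -> list:
    """Build a Ringfence in the given mode and evaluate each observed destination."""
    rf = Ringfence(mode=mode)
    for entry in exclusions:
        rf.add_exclusion(entry)
    return [(dest, rf.evaluate(dest)) for dest in observed]


if __name__ == "__main__":
    for mode in ("learning", "monitor", "secured"):
        print(mode)
        for dest, action in simulate(mode):
            print(f"  {dest:<28} {action}")
```

Running the Monitor Only simulation for a week's worth of real connection logs is the programmatic equivalent of the step above: every destination that comes back as `monitor` is one you must either add as an exclusion or accept being blocked once the policy is secured.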
Limiting your RMM's file and internet access will prevent a threat actor from exfiltrating your data or communicating with an outside IP to 'phone home' for instructions. Combined with ThreatLocker's Application Allowlisting and default-deny approach, which prevents any file that isn't expressly permitted from executing, this will help mitigate the possible damage that can occur in the event of a cyber breach.
Note: Any changes made to ‘Internet Exclusions’ will update immediately after the ‘Add’ button is pressed and be applied to the policy.