Ringfencing your RMM
RMMs are very powerful and useful tools, providing a centralized location for managing and administering multiple endpoints across multiple businesses. If an RMM is compromised, an attacker can gain access to your clients' data and then potentially exfiltrate that data. Cyber attacks are becoming more and more prevalent, and RMMs are a hot target, providing attackers the keys to your kingdom.
ThreatLocker recommends applying Ringfencing boundaries to your RMM policy to restrict its access to your protected files. If your RMM doesn't need to access the files on your endpoints, block it, and then it can't access that valuable data, limiting the potential damage in the event of a cyber attack.
To set up Ringfencing, navigate to Application Control > Policies. Locate your RMM policy. Our example is using Datto RMM, but the same concept applies to all RMMs.
Click the pencil icon (edit button) next to the policy. Scroll down to the 'Should this policy permit or deny execution' section and select 'Permit with Ringfence' from the dropdown menu.
Ringfencing File Access
To restrict the access the RMM agent has to your files, select the 'Files' tab, and click the checkbox next to 'Enable Advanced Ringfencing to protect access to files'. By default, this will include any network shares, any external storage such as USB drives, and on newer ThreatLocker deployments your Desktop and Documents folders.
For more detailed instructions on how to Ringfence file access, see our associated KB article here.
Ringfencing Internet Access
ThreatLocker also recommends restricting your RMM's access to the internet. Your RMM does need access to the internet, but it doesn't need access to the entire internet. Let ThreatLocker help you learn which domains or IPs your RMM needs to communicate with, and create boundaries to block your RMM from accessing any site other than the trusted sites you have designated. Then, if it is compromised, your RMM cannot communicate with any command-and-control servers or any other untrusted IP address.
While your endpoints are in automatic Learning Mode (like they are by default when you deploy the ThreatLocker agent), ThreatLocker is going to automatically create internet exclusions as it observes and learns the behavior of your RMM. This helps build a picture of the behavior expected by your RMM, and when you are ready to secure your environment, you can lock down based on this expected behavior that ThreatLocker has learned without needing to manually create these exclusions.
To restrict the access the RMM agent has to the Internet, select the 'Internet' tab, and click the checkbox next to 'Restrict these applications from accessing the internet, except for the below rules'.
Under the 'Exclusions' tab, you can enter individual IP addresses, entire subnets, or domains. For detailed instructions on using Ringfencing Exclusions, see our KB article here.
The 'Custom Rules' tab is where you can add Tags to the policy. For more information on creating and using Tags, see our KB article here.
If your endpoints are not in learning mode, you may wish to set this policy to 'Monitor Only' for a week so you can make any adjustments necessary without impeding normal workflow.
To set a policy to 'Monitor Only' status, navigate to Application Control > Policies. Scroll to your RMM policy. In the 'Status' column, select 'Monitor Only' from the dropdown box.
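An added example, not ThreatLocker code or part of the original article: a small Python check for the Monitor Only review period that compares destinations your RMM was seen contacting against a draft exclusion list of IPs, subnets and domains. All data is constructed, and the rule that a domain entry also covers its subdomains is an assumption, not documented ThreatLocker behavior.

```python
import ipaddress

# Constructed sample data: not ThreatLocker's export format, not real RMM endpoints.
EXCLUSIONS = ["203.0.113.10", "198.51.100.0/24", "rmm.example.com"]
OBSERVED = [
    "203.0.113.10",
    "198.51.100.77",
    "agent.rmm.example.com",
    "rmm.example.com.evil.example.net",
    "192.0.2.55",
    "RMM.Example.com.",
]


def parse_exclusions(entries):
    """Split exclusion entries into IP networks and lower-cased domain names."""
    networks, domains = [], []
    for entry in entries:
        try:
            # A bare address becomes a /32 (or /128) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.append(entry.lower().rstrip("."))
    return networks, domains


def is_permitted(dest, networks, domains):
    """True if dest (IP or hostname) falls inside an exclusion."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        host = dest.lower().rstrip(".")
        # Assumption: a domain entry covers itself and its subdomains.
        # Matching on a label boundary keeps look-alike hosts from passing.
        return any(host == d or host.endswith("." + d) for d in domains)
    return any(addr in net for net in networks)


def would_be_blocked(observed, exclusions):
    """Return observed destinations that no exclusion covers, in order seen."""
    networks, domains = parse_exclusions(exclusions)
    return [d for d in observed if not is_permitted(d, networks, domains)]


if __name__ == "__main__":
    for dest in would_be_blocked(OBSERVED, EXCLUSIONS):
        print("not covered by any exclusion:", dest)
```

Any destination it reports is either a legitimate RMM endpoint that still needs an exclusion or traffic the RMM has no reason to generate and that deserves a closer look.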
If you are Ringfencing your RMM for the first time, the RMM and endpoint agent must be shut down and restarted for the Ringfencing to take effect.
Taking these precautions, limiting your RMM's file and internet access, will prevent a threat actor from being able to exfiltrate your data or communicate with an outside IP to 'phone home' for instructions. Combined with ThreatLocker's Application Whitelisting and default-deny approach, which prevents any file that isn't expressly permitted from executing, these boundaries will help mitigate the possible damage that can occur in the event of a cyber breach.
Please Note: Any changes made to Internet Exclusions will automatically save and be applied to the policy.