Agent Security Best Practices
    • Dark
      Light
    • PDF

    Agent Security Best Practices

    • Dark
      Light
    • PDF

    Article summary

    The ControlUp Agent is a central component of the ControlUp architecture. It is a lightweight executable that is deployed on your managed machines to provide performance information and handle the execution of ControlUp actions on those machines.

    Security Best Practice Recommendations

    At ControlUp we care about your security and are committed to the protection of your infrastructure and data. In case a potential attacker has already gained access to your internal environment, these recommendations help reduce the risk of the attacker trying to manipulate a ControlUp Agent.

    To secure the communication between ControlUp components so you can further minimize the risk of any intrusion into your organization’s networks and systems, follow these steps.

    Secure Communication between ControlUp Console/Monitor and ControlUp Agents

    The ControlUp agents deployed onto your machines must be able to communicate with the ControlUp Real-Time Console and the ControlUp Monitors. You can secure this communication channel by performing the following:

    • Make sure your monitored machines are running the ControlUp Agent version 8.7 or higher. This version includes important security enhancements.
    • Enable a Firewall Rule/Policy. This method is recommended as it’s relatively easy to implement and doesn’t rely on a ControlUp version.
    • Enable ControlUp Certificate-based agent authentication. To achieve the highest level of security, this requires ControlUp version 8.7 and higher.
    • Encrypt communication between the agents and all consoles and monitors.

    Firewall Inbound Rule

    On any computer running the ControlUp Agent, you can enable a firewall inbound rule that allows access to port 40705 only to authorized computers.

    Machines added to this firewall inbound rule should ideally use static IP addresses. Add all the following:

    • Machines running the ControlUp Monitor service
    • Machines running the ControlUp Real-Time Console

    If you don't own a firewall for your network, we recommend using the built-in Windows firewall alongside a Group Policy to apply the firewall rule to all machines running the ControlUp Agent.

    Certificate-based Agent Authentication

    You can enable ControlUp Agent machines to communicate only with those machines that can be authenticated via signed security certificates.  

    From version 8.2.5, you can also enforce this certificate-based authentication using the agent MSI deployment.

    For details on how to configure this certificate-based authentication between the agent machines and the Real-Time Console and monitor machines, see Certificate-Based Agent Authentication.

    Encrypt Agent Communication

    You can select to encrypt the communication between all agents and all consoles and monitors within your ControlUp organization. This is an option you can select in the Agent Deployment Settings page of the Real-Time Console.

    For details on how to enable this encryption option, see Agent Security Options in Agent Settings.


    Was this article helpful?