The ControlUp agent is a central component of the ControlUp architecture. It is a lightweight executable that is deployed on your managed machines to provide performance information and handle the execution of ControlUp actions on those machines.
Security Best Practice Recommendations
At ControlUp we care about your security and are committed to the protection of your infrastructure and data. These recommendations help reduce the risk of an attacker who has already gained access to your internal environment manipulating a ControlUp Agent.
Follow these best practices to secure the communication between ControlUp components so you can further minimize the risk of any intrusion into your organization’s networks and systems.
Secure Communication between ControlUp Console/Monitor and ControlUp Agents
The ControlUp agents deployed onto your machines must be able to communicate with the ControlUp Console and the ControlUp Monitors. You can secure this communication channel in several ways.
- Enable a Firewall Rule/Policy. This method is recommended as it’s relatively easy to implement and doesn’t depend on a specific ControlUp version.
- Enable ControlUp IP ACL. This method requires ControlUp version 8.1.5 or higher.
- Enable ControlUp Certificate-based agent authentication. This is the recommended method for achieving the highest level of security. It requires ControlUp version 8.1.5 or higher.
Firewall Inbound Rule
On any computer running the ControlUp agent, you can enable a firewall inbound rule that allows access to port 40705 only from authorized computers.
Machines added to this firewall inbound rule should ideally use static IP addresses. Add all of the following:
- Machines running the ControlUp Monitor service
- Machines running the ControlUp Console
If you don't own a firewall for your network, we recommend using the built-in Windows firewall alongside a Group Policy to apply the firewall rule to all machines running the ControlUp Agent.
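One way to apply and check this inbound rule with the built-in Windows firewall, as an added example that is not ControlUp's own script: the rule name and the 192.0.2.x addresses are constructed placeholders, and TCP is an assumption because this page gives only the port number. The script also reports conditions under which the scoped rule would not actually restrict access.

```powershell
# Added example, not ControlUp's own script. Run elevated on a machine hosting the agent.
$AgentPort  = 40705
$Authorized = @(
    '192.0.2.10',   # machine running the ControlUp Monitor service (constructed placeholder)
    '192.0.2.11',   # second Monitor machine (constructed placeholder)
    '192.0.2.50'    # machine running the ControlUp Console (constructed placeholder)
)
$RuleName = 'ControlUp Agent - authorized sources only'   # hypothetical rule name

# Create the scoped allow rule, or update its address list if it already exists.
# TCP is an assumption; the page states only the port number.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Set-NetFirewallRule -RemoteAddress $Authorized
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $AgentPort -RemoteAddress $Authorized -Profile Any | Out-Null
}

# A scoped allow rule restricts access only if unmatched inbound traffic is blocked.
# ActiveStore is the effective policy, including settings delivered by Group Policy.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' } |
    ForEach-Object { Write-Warning "Profile '$($_.Name)' does not block unmatched inbound traffic." }

# True when a port filter entry names the port explicitly or as part of a range.
function Test-CoversPort([string[]]$Ports, [int]$Port) {
    foreach ($p in $Ports) {
        if ($p -eq "$Port") { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and
            $Port -le [int]$Matches[2]) { return $true }
    }
    return $false
}

# Report other enabled inbound allow rules that open the agent port to any source.
# Rules scoped only by program, with no port listed, are not examined here.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        if ($pf.Protocol -eq 'TCP' -and (Test-CoversPort $pf.LocalPort $AgentPort) -and
            $af.RemoteAddress -contains 'Any') {
            Write-Warning "Rule '$($_.DisplayName)' also allows port $AgentPort from any address."
        }
    }
```

Any warning means the rule is in place but another setting still leaves the port reachable from unauthorized machines, so resolve the warnings before relying on the restriction.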
IP Access Control List
You can apply a restriction to the ControlUp agent machines to allow access only from machines that are included in a 'whitelist' of IP addresses. This IP Access Control List (IP ACL) can include specific IP addresses or address ranges in CIDR notation.
For details on how to configure this in the registry editor, see ControlUp Agent Access Control List (ACL).
Certificate-based Agent Authentication
You can enable ControlUp Agent machines to communicate only with those machines that can be authenticated via signed security certificates.
For details on how to configure this certificate-based authentication between the agent machines and the ControlUp Console and Monitor machines, see Certificate-Based Agent Authentication.