Security Best Practices

We care about your security! We’ve compiled some best practices to ensure that your ControlUp installation doesn't expose your environment or your users to security risks. You can read about the different ways ControlUp as a company protects the security of our customers on our website.

Here are our recommended security best practices divided by these topics:

Run the Latest Version of ControlUp

We are constantly adding security enhancements and fixes to our builds. To ensure you have the best and the latest options, always make sure you are running the latest build of ControlUp.

Some of our security enhancements affect the ControlUp Real-Time Console and some also impact the ControlUp Monitors and Agents. When you run the latest build, you must make sure that all monitors and agents are also the latest version.

For Hybrid-Cloud environments, you can find the latest build here.

• For details on upgrading your ControlUp Hybrid-Cloud, see this article.
• For details on upgrading your ControlUp On-premises, see this article.

The latest ControlUp Agent Windows installer packages can be found in our Download Center.

Secure ControlUp Logins

When your users are logging into ControlUp when working in the Hybrid-Cloud environment, you can ensure that while they are working in the product, they are securely communicating with the ControlUp components and your monitors.

Certificate-based Console and Monitor Authentication

Starting with version 8.5.1, you can enable certificate-based authentication between the ControlUp Consoles, ControlUp Monitors and the ControlUp backend services. This new security feature provides an additional layer of security as only those ControlUp Consoles and ControlUp Monitors that have the configured certificate installed can authenticate your ControlUp organization. You can either use a self-signed certificate or a certificate that is already used in your organization.

To learn more about this feature, check out the Certificate-based Console and Monitor Authentication article.

Use SAML for Insights and Web UI Logins

To further secure user logins into ControlUp, you can enable SAML (Security Assertion Markup Language)  which is the protocol ControlUp supports for setting up Single Sign-On (SSO). SSO enables users to reduce the number of logins they must perform from a single machine. When SSO is in use, users log into an Identity Provider (IdP) rather than into individual service providers (SPs) or applications. When users access any of the applications of the managed SPs, the IdP logs them in automatically.

Insights

ControlUp Insights has incorporated SSO support, enabling users to access Insights without logging into it directly. For details, see Insights.

Web UI

When accessing the web UI via a direct URL, you can configure SAML to enable Single Sign-On (SSO) authentication. The settings in the web UI enable you to set up a trust relationship between the URL hosting the web UI and your company's Identity Provider (IdP) so users can access the web UI securely.

For details, see SAML SSO for Solve On-prem

Secure ControlUp Agent Access

The ControlUp agent is a lightweight executable that is deployed on your managed and monitored machines to provide performance information and handle the execution of ControlUp actions on those machines. We have assembled a number of security best practices around the communication between the ControlUp agents and other ControlUp components. For a full list of recommendations, see Agent Security Best Practices. Here are the most important.

Certificate-based Agent Authentication

The most important recommendation is to enable certificate-based agent authentication between the agent machines and the ControlUp Monitors. You can enable ControlUp Agent machines to communicate only with those machines that can be authenticated via signed security certificates.

From version 8.2.5 you can also enforce this certificate-based authentication using agent MSI deployment.

For details, see Certificate-Based Agent Authentication.

Encrypt Agent Communication

You can select to encrypt the communication between all agents and all consoles and monitors within your ControlUp organization. This is an option you can select in the Agent Deployment Settings page of the Real-Time Console.

For details on how to enable this encryption option, see Agent Security Options in Agent Settings.

Communicate with Your Monitored Environments Securely

ControlUp monitors the machines, virtual machines, and servers in your infrastructure. We want to ensure that you set up your monitoring environment as securely as possible.

Active Directory and Domains

ControlUp can use your Active Directory (AD) to add ControlUp users and the machines we monitor.

• When creating user groups in your AD, use the principle of least privilege for managing your users. Start with a minimum set of permissions and if necessary, grant additional permissions.
• ControlUp monitors the machines added to your AD domains. Ensure the communication within those domains is secure.

Configure Shared Credentials

Shared Credentials are user credentials that are used to connect ControlUp to your monitored environments or to run script-based actions with a specific execution context. Making your credentials shared means that all authorized ControlUp users can use those credentials. User Credentials in ControlUp are managed in the Credentials Store and securely saved in the Windows user profile.

To make this username-password authentication stronger, we highly recommend that you protect the user identities by enforcing a strong password policy. In general, passwords should have at least one uppercase letter, one lowercase letter, one symbol, and one number. We recommend using passwords with a minimum of eight to twelve characters.

You can find more information on how to configure shared credentials in the Configuring Shared Credentials article.

Ports

We recommend you use firewalls to secure communication with your machines. As mentioned for ControlUp Agents, you should configure firewall inbound rules and these ports should be whitelisted and added to your access lists.

For a full list of ports used by ControlUp, see these articles:

• Communication Ports Used by ControlUp: Hybrid Cloud
• Communication Ports Used by ControlUp: On-Premises Mode

Configure Users and Permissions

Always remember to enforce the zero trust model's principle of least privileges. By assigning the least privileges and permissions to your ControlUp users, you ensure that your users have a minimum level of permissions needed to perform their work with ControlUp. If your users need additional permissions, you can always adjust the level.

Our Security Policy for Users and Permissions – Best Practices article outlines best practices for setting up fine-grained permission policies in the Security Policy Pane that you can manage in the Real-Time Console.

Manage Views in the Real-Time Console with a GPO template

ControlUp provides you more granular control over what UI elements your ControlUp users can see in the Real-Time Console. Using our GPO template, you can hide buttons, panes, or even specific columns in the data grid. To learn more about this feature, refer to the Configure ControlUp UI & Features Using a Group Policy article.