Agent Security Best Practices
The ControlUp Agent is a central component of the ControlUp architecture. It is a lightweight executable that is deployed on your managed machines to provide performance information and handle the execution of ControlUp actions on those machines.
Security Best Practice Recommendations
At ControlUp we care about your security and are committed to the protection of your infrastructure and data. These recommendations reduce the risk that an attacker who has already gained access to your internal environment can manipulate a ControlUp Agent.
Follow these steps to secure the communication between ControlUp components so you can further minimize the risk of any intrusion into your organization’s networks and systems.
Secure Communication between ControlUp Console/Monitor and ControlUp Agents
The ControlUp agents deployed onto your machines must be able to communicate with the ControlUp Real-Time Console and the ControlUp Monitors. You can secure this communication channel by performing these steps:
- Make sure your monitored machines are running the ControlUp Agent version 8.2.5 or higher. This version includes important security enhancements.
- Enable a firewall rule/policy. This method is recommended because it is relatively easy to implement and does not depend on a specific ControlUp version.
- Enable ControlUp certificate-based agent authentication. This provides the highest level of security and requires ControlUp version 8.1.5 or higher.
- Encrypt communication between the agents and all consoles and monitors.
Firewall Inbound Rule
On any computer running the ControlUp Agent, you can enable a firewall inbound rule that allows access to port 40705 only to authorized computers.
Machines added to this firewall inbound rule should ideally use static IP addresses. Add all of the following:
- Machines running the ControlUp Monitor service
- Machines running the ControlUp Real-Time Console
If you do not have a network firewall, we recommend using the built-in Windows firewall together with a Group Policy that applies the firewall rule to all machines running the ControlUp Agent.
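The following PowerShell is an added example, not a ControlUp script, showing how the Windows firewall rule described above can be created and checked on an agent machine. It assumes the agent port is TCP (the page gives only the port number) and uses placeholder addresses for your Monitor and Console hosts.

```powershell
# Added example (not ControlUp's own code). Restricts inbound TCP 40705 on an
# agent machine to the Monitor/Console addresses listed below. Assumptions:
# TCP is the protocol, and the addresses are constructed placeholders.
$AgentPort  = 40705
$Authorized = @('10.0.10.11', '10.0.10.12', '10.0.20.5')   # Monitor and Console hosts (constructed)
$RuleName   = 'ControlUp Agent - inbound from authorized Monitors and Consoles'

# 1. Audit: an existing enabled inbound allow rule for the agent port that accepts
#    connections from any remote address would defeat the restriction.
$portFilters = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $AgentPort }
foreach ($pf in $portFilters) {
    $rule = $pf | Get-NetFirewallRule
    if ($rule.Direction -eq 'Inbound' -and $rule.Action -eq 'Allow' -and $rule.Enabled -eq 'True') {
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -contains 'Any') {
            Write-Warning "Rule '$($rule.DisplayName)' allows TCP $AgentPort from Any; review or scope it."
        }
    }
}

# 2. Create the scoped allow rule, or update its remote address list if it already exists.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Set-NetFirewallRule -RemoteAddress $Authorized
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $AgentPort -RemoteAddress $Authorized -Action Allow -Profile Domain | Out-Null
}

# 3. Verify: the rule should list only the authorized addresses, never 'Any'.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

The same rule can be delivered to every agent machine through a Group Policy firewall setting instead of running the script locally; the audit step is still useful for spotting broader allow rules already present on the host.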
Certificate-based Agent Authentication
You can enable ControlUp Agent machines to communicate only with those machines that can be authenticated via signed security certificates.
From version 8.2.5, you can also enforce this certificate-based authentication using the agent MSI deployment.
For details on how to configure this certificate-based authentication between the agent machines and the Real-Time Console and monitor machines, see Certificate-Based Agent Authentication.
Encrypt Agent Communication
You can choose to encrypt the communication between all agents and all consoles and monitors within your ControlUp organization. This option is set on the Agent Deployment Settings page of the Real-Time Console.
For details on how to enable this encryption option, see Agent Security Options in Agent Settings.