Researcher Claims N-able Workgroup Guideline Exposes MSPs to Security Risk

N-able says only a small number of MSPs are at risk.

Edward Gately, Senior News Editor

October 29, 2021


Fundamental Cyber says N-able, the spinoff of SolarWinds’ MSP business, is undoing Microsoft’s built-in protections.

According to the Sweden-based company, N-able is recommending MSPs eliminate security safeguards, therefore exposing them to potentially devastating cyberattacks.

Fundamental Cyber is not a SolarWinds or N-able competitor. It came across the N-able security flaws while conducting unrelated research.

In the aftermath of last year’s massive supply chain attack, SolarWinds said it was beefing up its security to better protect itself and its customers.

Sudhakar Ramakrishna is SolarWinds’ president and CEO. Back in March, he had this to say:


SolarWinds’ Sudhakar Ramakrishna

“We’ve added a level of security and review through tools, processes, automation and, where necessary, manual checks around our product development processes that we believe goes well beyond industry norms to ensure the integrity and security of all of our products. We firmly believe that the Orion software platform and related products, as well as all of our other products can be used by our customers without risk of the Sunburst malicious code.”

However, Fundamental Cyber’s research claims N-able’s guidelines around Workgroup environments are putting MSPs at risk.

Fundamental Cyber assists companies with data protection, privacy law compliance and incident reporting.

David Williams is co-founder of Fundamental Cyber.


Fundamental Cyber’s David Williams

“The big picture is that N-able, which is meant to protect you, meant to protect your company, to add another level of protection, is actually undoing all of the built-in protection,” he said. “So they’re taking the most fundamental things that Microsoft puts there and disabling them, and then they’re using all the worst practices, like not just sharing a password and a username, but actually setting all of the computers at an administrator level. So they all have the power to do a lot of harm.”

Lewis Pope is head security nerd for N-able.

“As a documented best practice, N-able advises MSPs deploy agents directly to each workstation rather than use probes in a Workgroup environment,” he said. “There is an extremely small number of MSP customers who are not leveraging Active Directory (AD), and for them we make explicit in our documentation that we do not recommend using probes. MSPs who do not follow this best practice recommendation are knowingly taking a risk.”

N-central Probe Instructions

N-central is N-able’s flagship remote monitoring and management solution for MSPs. The instructions for setting up a probe in a Workgroup include the following:

Before installing a probe in a Workgroup:

  • Ensure that all the computers in the workgroup have an administrator account with the same username and password.

  • Ensure that the password has no expiry.

  • The account cannot be a member of any other group other than administrators.

  • Login to each computer on the workgroup using this account at least once.

  • Disable user access control (UAC) for this account as it can interfere with Windows Management Instrumentation (WMI) queries from the probe.
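As an added illustration, not N-able’s or Fundamental Cyber’s code, the following PowerShell audit checks a single workgroup host for the conditions the instructions above ask for, so a defender can find and reverse them. The account name ProbeAdmin and the -AccountName parameter are assumptions; substitute whatever shared administrator account was created.

```powershell
# Added audit example (not N-able's code). Run in an elevated PowerShell 5.1+ session
# on the workgroup host. 'ProbeAdmin' is an assumed placeholder, not a real default.
param(
    [string]$AccountName = 'ProbeAdmin'
)

$findings = @()

# 1. A local administrator account whose password never expires.
$user = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if ($user) {
    if ($user.Enabled -and -not $user.PasswordExpires) {
        $findings += "Local account '$AccountName' is enabled and its password never expires."
    }
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.Name -like "*\$AccountName" }) {
        $findings += "Local account '$AccountName' is a member of the Administrators group."
    }
}

# 2. UAC switched off machine-wide (EnableLUA = 0).
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy -and $policy.EnableLUA -eq 0) {
    $findings += 'UAC is disabled (EnableLUA = 0).'
}

# 3. UAC remote restrictions lifted for local accounts (LocalAccountTokenFilterPolicy = 1).
#    This is the setting usually changed so remote WMI from a local admin account is not
#    token-filtered; with it set, anyone holding that local password can administer the
#    host remotely with a full administrator token.
if ($policy -and $policy.LocalAccountTokenFilterPolicy -eq 1) {
    $findings += 'LocalAccountTokenFilterPolicy = 1: UAC filtering of remote local-account logons is off.'
}

# Report. A script cannot compare password hashes across hosts, so the shared-password
# condition is inferred from the same account name being present on every machine.
if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no probe-style weaknesses found."
} else {
    Write-Output "$env:COMPUTERNAME: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it on each workgroup machine (for example via the per-endpoint agent N-able recommends instead of a probe) and collect the output centrally to see which hosts still carry the shared account or relaxed UAC settings.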

Matthew Carr is co-founder of Fundamental Cyber.


Fundamental Cyber’s Matthew Carr

“A probe is essentially a bit of software that sits on each machine or server,” he said. “What it’s asking you to do here is ensure that all the computers have an administrator account with the same username and password. That right there means that now if I’ve got access to one, I have access to all. Secondly, there are no password expiries. Arguably, if I’ve got access now, in five years it’s still going to work and I’m still going to access all of the machines in the organization. The account must be an administrator.”

The worst part is disabling UAC for the account, Carr said.

“Microsoft’s guides will tell you that UAC is a fundamental component of Microsoft’s overall security vision to mitigate the impact of malware,” he said. “So straight out of the gate, you just installed your first probe and you’ve disabled one of the most fundamental parts of Microsoft’s security.”

N-able points out that below the instructions, it states “we do not recommend using the probe to deploy in a Workgroup due to the number of file sharing and permission issues in a Workgroup that can interfere with the probe’s ability to push agents.”

N-able also said the instructions have since been updated.

Remote Code Access

In October alone, there were more than 21 Microsoft Word remote code execution vulnerabilities, Carr said.

“That doesn’t include all the ones that are sold by zero-day brokers to governments,” he said. “That doesn’t include the ones that are sat on by organized criminals or hackers. There are 21 ways that I can execute code remotely on your Windows machines.”

Several of these vulnerabilities affect Word, Excel and SharePoint, Carr said.

“You won’t find an organization that doesn’t run those,” he said. “When you couple this with the fact that most organizations have a very slow patch cycle – we’re talking about 30, 60 or 90 days, sometimes even just yearly or just before they get an audit – it’s not difficult to imagine that someone can get that access.”

Even if an organization is good at patching, there could be a remote office that doesn’t patch very often, Carr said.

“So using one of these, you’re going to get your remote code access,” he said. “Thanks to the work that N-able has asked you to do on the attacker’s behalf, you’re in ‘god mode.’ There is nothing you couldn’t do. You would absolutely be able to operate completely undetectable. It’s a horrible place for a company to be.”

N-able is asking MSPs to allow all inbound files, and malware comes in the form of a file, Carr said.

“Your domain controller is the absolute root of all of your identity and access management,” he said. “So to put this simply, what that means is that as an attacker, I’ve come onto the system, I’ve disabled N-able, I’m now a domain administrator, and I can extract every single username and password, and email of all your staff that work in your organization. If you keep customer information in your domain controller, I’ve got that, too. The level of access I’ve got means I can move malware in and out of that environment freely and undetected. And given the level of access, there is no protection.”

N-able Responds

Pope said from a practical, day-to-day perspective when dealing with Workgroup computers, the use of N-central probes should really be off the table as a recommended method of deployment for the obvious security reasons listed by Fundamental Cyber.

“When working with Workgroup computers, the only secure option is to install agents individually on endpoints to bring them under management,” he said. “Yes, this will involve labor and time, but it’s the same amount of effort to touch the individual endpoints, and add the required administrator account and credentials so you can deploy via probe as it is to just install the N-central agent on the individual endpoints. This isn’t a unique problem for N-central. All remote monitoring and management (RMM) solutions and AD enrollment will face the same challenge with Workgroup computers. At some point, someone will have to touch a device to enroll it in AD or an RMM solution if it is not already under management by some type of platform.”

With regard to UAC, N-able said the requirement to disable it was an error, and that it will update its support page to remove that requirement.


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
