Best Practice for MSP with Shared Account for Server Logons

Hello!

My company, an MSP, is implementing AuthPoint in our environment with the intent to offer this to clients as well. However, one of our concerns is the fact that in our clients' environments we have a shared account that all of our techs use to log in to servers, rather than individual accounts for our techs in each client's environment.

From my understanding, we would need to have each and every technician set up a token in their app for these shared accounts if we're to use the Logon App for this account. This is not particularly scalable.

Is there something I'm missing, or is there no simple way for MSPs and their techs to authenticate to the Logon App without having a bunch of tokens?

FYI, these would all be LDAP-synced environments, no local AuthPoint users.

Comments

  • This is security, right? So, each person gets their own key.

    Or (and I would not allow this) just have your MSP be in an AD group that does not require 2FA.

  • edited August 2022

    Technically, best security practice in general is to do away with role accounts. A lot of MSPs are getting cracked down on and are beginning to be required to do away with role accounts in order to meet compliance regulations for certain things now.

    TechIDManager is a third-party tool built to allow MSPs to build specific accounts and make it so that managing user turn-down and turn-up isn't a pain...

    Otherwise, it is ill-advised to turn off MFA on an account with privileged access, due to malware and how that account (just like a client account) could potentially be breached. I have seen some companies do multiple tokens or one shared cellphone that needed approval (or someone who centrally held the phone).

    Beyond this, I am not sure what else would work... the only thing I could imagine is maybe inherited users, but that would require the account to have the same password in both AuthPoint and on the machine in question... It works great on VPN, but I haven't had a chance to test it on the Logon App.

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/authpoint/user_inheritance.html#:~:text=User inheritance enables Service Providers,to resources for that account.

    Regards,

    ~T
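The comment above recommends doing away with the shared role account in favour of one named account per technician. The following PowerShell is an added example (not code from the thread, from WatchGuard, or from TechIDManager) of what that looks like in a client's AD domain: one security group carries the server-logon rights, each technician gets an individual account in it, and the shared account is disabled once everyone has a working personal account and an enrolled AuthPoint token. The domain name, OU path, group name, shared-account name and technician list are all assumptions; replace them with the client's own values.

```powershell
# Added example (not from the thread): replace a shared MSP role account in a
# client's AD domain with one named account per technician, all in a single
# group that carries the server-logon rights, then disable the shared account.
# Assumed names: the domain, OU, group, shared account and technician list
# below are placeholders.
Import-Module ActiveDirectory

$ClientDomain  = 'client.example'                          # assumption
$TechOu        = 'OU=MSP Technicians,DC=client,DC=example' # assumption
$TechGroup     = 'MSP-ServerAdmins'                        # assumption
$SharedAccount = 'msp-shared'                              # assumption
$Technicians   = @(                                        # constructed list
    @{ Given = 'Alice'; Surname = 'Example'; Sam = 'msp-alice' },
    @{ Given = 'Bob';   Surname = 'Example'; Sam = 'msp-bob' }
)

# One group holds the privileges; group membership is what gets reviewed on
# technician turn-up/turn-down instead of rotating a shared password.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$TechGroup'")) {
    New-ADGroup -Name $TechGroup -SamAccountName $TechGroup -GroupScope Global `
        -GroupCategory Security -Path $TechOu `
        -Description 'MSP technicians with server logon rights'
}

foreach ($t in $Technicians) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($t.Sam)'") {
        Write-Host "Account $($t.Sam) already exists, skipping creation"
    } else {
        # Random initial password; the technician must change it at first logon,
        # and the AuthPoint token is enrolled per person, not per shared secret.
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
        New-ADUser -Name "$($t.Given) $($t.Surname) (MSP)" -GivenName $t.Given -Surname $t.Surname `
            -SamAccountName $t.Sam -UserPrincipalName "$($t.Sam)@$ClientDomain" `
            -Path $TechOu -AccountPassword $initial -Enabled $true `
            -ChangePasswordAtLogon $true -Description 'MSP technician (individual account)'
    }
    Add-ADGroupMember -Identity $TechGroup -Members $t.Sam
}

# Retire the shared account only after every technician has a working
# individual account and an enrolled AuthPoint token; disable rather than
# delete so the SID history and audit trail survive.
$shared = Get-ADUser -Filter "SamAccountName -eq '$SharedAccount'"
if ($shared) {
    Disable-ADAccount -Identity $shared
    Set-ADUser -Identity $shared `
        -Description "Disabled $(Get-Date -Format 'yyyy-MM-dd'): replaced by per-technician accounts"
}
```

Run this with an account that can create users in the target OU, after the group has been granted whatever local Administrators or "Allow log on through Remote Desktop Services" rights the shared account had. Because the accounts are LDAP-synced into AuthPoint, each technician then enrols their own token against their own account, which is the scalable path the original question was looking for.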

  • I agree we would prefer not to have a privileged account with no MFA.

    We looked into inherited users, but I guess I'm not quite understanding how we might integrate that with an AD domain user for each client.

  • @James_S512

    One possibility to be a bit more secure would be to have an AD group that is connected to Okta for access. There are a few more options for Okta than there are for AuthPoint. We have a number of credentialed accounts (healthcare) where we have no option but to have multiple people in multiple locations access an account. Okta was our solution (more so because the people change not infrequently).

    Plus, if you are an MSP, why not authenticate from an RDS server at your offices that has a secure connection in? Heck, I have even seen BOVPN a time or two to MSPs for access to specific resources... so, come from a trusted IP and trusted network to start with. If I had to count the number of times a day I connect to my PC (SSLVPN or IKE) and then go from my PC to another system....
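The comment above suggests coming in from a trusted jump host or BOVPN range rather than from anywhere. The following PowerShell is an added example (not from the thread or from WatchGuard) of enforcing that on a managed client server: the built-in "Remote Desktop" firewall rules are disabled and replaced with a single inbound rule that admits RDP only from the MSP's RDS host and VPN subnet, then the effective 3389 rules are listed for verification. The jump-host IP and VPN subnet are assumptions.

```powershell
# Added example (not from the thread): on a managed client server, replace the
# default "RDP from anywhere" allowance with a rule that only admits the MSP's
# jump host / BOVPN range, so a technician logon must originate from the
# trusted network before the AuthPoint Logon App prompt is even reached.
# Assumed addresses: the jump-host IP and VPN subnet below are placeholders.
$TrustedSources = @('203.0.113.10', '10.250.0.0/24')   # assumption: MSP RDS host and BOVPN subnet
$RuleName       = 'MSP-RDP-TrustedOnly'

# Disable the built-in wide-open RDP rules (display group "Remote Desktop")
# rather than deleting them, so the change is reversible.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Recreate our rule from scratch so re-running the script is idempotent.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}

New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedSources `
    -Profile Domain,Private -Description 'RDP only from MSP jump host and BOVPN range'

# Verify: list every enabled inbound rule that opens 3389 and the remote
# addresses it admits. Anything other than our rule here is a gap.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        '{0}: {1}' -f $_.DisplayName, $addr
    }
```

Apply this from a session that is already coming from the trusted range, and open a second RDP session from the jump host to confirm it still works before closing the first; otherwise a typo in the address list locks the MSP out of the server. This is host-level defence in depth, not a substitute for the edge firewall or BOVPN policy, and it narrows where the shared-or-individual account can be used from without changing the MFA question itself.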
