Table of contents
Advanced Security - 2FA for sensitive operations
Even with trusted users having access to a powerful tool as Panorama9 you might want to increase security when it comes to sensitive operations like executing a script on devices.
โ
Panorama9 allows for a secure way to control script execution with an authorization challenge.
Critical scripts can individually be set up to trigger an authorization challenge when attempted executed.
Complete separation of responsibility, a single user cannot request execution of script AND authorize the request.
To enable Advanced Security navigate to the MSP Control Panel -> "Extensions" -> "Advanced Security" tab. You need to be an MSP admin user role to access this.
Enable the "Advanced Security" option and configure the scripting security level. Follow the setup instructions in the modal that appears when pressing Save.
IMPORTANT: please save the QR icon to a safe location and keep it VERY secure. During setup click on the QR icon to download it. You can use the saved QR icon to setup additional device(s) (or recover 2FA setup)
Once configured any changes to the settings (as well as turning it off) will require a 2FA code!
We recommend Authy for generating 2FA codes, although we do support any 2FA compliant solution such as Google Authenticator and others.
How to make the process secure so 1 user cannot execute scripts
To ensure a single user cannot request execution of a script AND authorize it, those who can generate 2FA codes MUST NOT be able to request scripts for execution.
You will have to divide users into those who can request script execution and those who can authorize.
Example with 2 users:
User A has a Panorama9 account that can be used to login to the Panorama9 Dashboard and request scripts for execution.
User B has a mobile phone with Authy setup to generate 2FA codes.
User A can't have access to user B's mobile phone, and user B doesn't have a P9 account and can't login to the Panorama9 Dashboard.
As a result both user A and B are required before a script can run remotely.
When a script should be executed user A creates the tasks using the Panorama9 Dashboard, and requests a 2FA code from user B, which when entered will authorize the action.
Advanced Security code management
As mentioned above the QR code should be kept VERY safe.
With the QR code you can rebuild your authorization account if lost or create multiple authorization accounts for users in your organization.
This is handy if your organization is large and you need 2FA codes to be readily available to users.
Requiring authorization on individual scripts
After setting up Advanced Security you can configure if each MSP or Global script should be freely available for execution or met by an authorization challenge.
By default all scripts are required to be authorized from the outset which means you will have to individually edit and allow any script you deem acceptable to be executed freely by your MSP Manager or Supporter role users.
โ
Although it may seem as a hassle this will ensure the highest level of security whenever Panorama9 adds a new global script or someone in your own organization adds another MSP script.
For MSP scripts check the 'Allow script to be executed without Advanced Security authorization' to let the script be freely executed.
Similarly for Global scripts provided by Panorama9.
Executing a protected script from a Dashboard
If an MSP Manager or Supporter type user wishes to execute a script that is protected by Advanced Security an authorization code challenge is presented.
This will happen no matter from where the script is attempted executed, including when a scheduled Task is created (main menu "Tasks") and the API.
2FA code challenge when executing a protected script.
The user will then have to ask for a authorization code from a user managing the Advanced Security authorization account. Codes are generated automatically and have to be used before they expire.
For API endpoints you will need to supply the 2FA code in the request URL as a query string parameter: otp=<authorization_code>
If an endpoint requires a 2FA code and one is not supplied the server will respond with HTTP status 401 and header:
X-Panorama9-OTP: required
You will then have to repeat the request with the following query parameter added:otp=<2FA_code>If the 2FA code is invalid the server will respond with HTTP status 401 and header:
X-Panorama9-OTP: invalid
Further security considerations
To avoid a user circumventing the Advanced Security you will need to further disallow access to "Extensions", "Manage script repository" and "Manage dashboard users".
See below.
User permissions for MSP Manager and Supporter roles
For a more fine grained area and feature access control you can setup permissions on individual MSP users operating in client dashboards. This feature applies only to MSP Manager and Supporter type users.
Navigate to an MSP user you want to edit and click on "Customize" on the right hand side of the page. This will open a window where you can add or remove access to critical, moderate or low risk areas and features.
Set the sliders according to your needs and press "Update". Remember to also Update user afterwards!
Some notes regarding the listed categories.
"Issue" and "device remote tools" cover the context actions that can be taken on these items, e.g. Patch an issue or Remote Control a device.
"Patching" covers only the global Patch settings, not the on-demand patch actions on individual issues.
Note also that access to "Extensions" means a user has access to the Panorama9 API (access to API key) which presents similar actions on devices and issues as the UI.
"Manage Dashboard users". Normally MSP Manager and Supporter users can manage dashboard users from the Account site.
This may however present unwanted possibilities for the user from an administrator's point of view because the user can access a client dashboard using a different user account than his/her own. Either by changing password on an existing user or creating a new user.