This document provides recommendations for hardening and implementing best practices for VSA on-premises installations.
On July 2nd, in response to a security incident, Kaseya recommended that all VSA on-premises customers shut down their VSA systems to prevent being compromised. Kaseya will issue a patch to mitigate the issue; the information below consists of recommendations for resuming VSA operations and hardening customers' on-premises environments.
These steps consist of:
- Ensure your VSA server is isolated from the network
- Check the system for Indicators of Compromise (IOC)
- Patch the underlying Operating Systems of the VSA Servers
- Use the URL Rewrite IIS functionality to control access to VSA through IIS
- Install FireEye Agent
- Remove pending scripts/jobs
- Follow final instructions for installing the Kaseya VSA patch
Once you have installed the patch, confirm that the IIS URL rewrite rules are in place. You may need to run the IIS URL rewrite tool, which is described here: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993
The technical details of these steps are available at: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993
If Indicators of Compromise (IOC) are found, or your VSA server is known to have been compromised, DO NOT return the VSA product to service. Contact Kaseya Support at http://helpdesk.kaseya.com and our team will work with customers individually to restore their VSA product.
The following are recommendations for network configuration to limit access to the VSA:
- Limit access to the VSA Application/GUI to local IP addresses by blocking all inbound traffic except for port 5721 (the agent port). Administrators will only be able to access the application from the local network or by using a VPN to connect to the local network. Review Step 4 in the following document for whitelist IP recommendations for popular integrations: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993
- Restrict all access to IIS: use the URL rewrite tool to configure IIS as outlined in Step 4 of the following document: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993
- MFA is required and enabled by default. Customers should review their system configuration to confirm administrative user accounts leverage MFA.
- Review user accounts and ensure only necessary accounts are configured on the VSA.
- Ensure administrative access to the VSA is restricted to authorized users based on the principle of least privilege.
- Review administrative user access rights using the product's Roles (what functions a user has the right to access) and Scopes (what devices/agents/organizations a user has access to); master access should only be granted where absolutely necessary.
- Leverage endpoint protection and SOC to protect the VSA server. Kaseya has provided FireEye’s service to all customers for free. Please review Step 5 in the following document to install FireEye’s service on your VSA: https://helpdesk.kaseya.com/hc/en-gb/articles/4403709150993
- Perform periodic reviews of the VSA product logs, including System Logs (e.g. user access) and Remote Control/Live Connect logs (e.g. which agents were accessed by admin users).
- Patch the underlying Microsoft Operating Systems, MS SQL Server and other infrastructure at least every 30 days, and sooner for critical updates.
- Monitor VSA Patch Updates and update to the latest VSA patch version as they are released at: https://helpdesk.kaseya.com/hc/en-gb/sections/360001193517-Release-Notes
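The first two network recommendations above (allow agent traffic on port 5721, expose the VSA Application/GUI only to local or VPN addresses) can be expressed as Windows Defender Firewall rules on the VSA server. The following is an added example, not part of the Kaseya document or tooling; it assumes the GUI is served over HTTPS on TCP 443 and uses 10.0.0.0/8 as a placeholder for your local and VPN address ranges.

```powershell
# Added hardening example (not from the Kaseya document): Windows Defender Firewall
# rules for an on-premises VSA server. Assumptions: the VSA web GUI is served on
# TCP 443, and 10.0.0.0/8 stands in for your local/VPN address range; adjust both.
$AgentPort   = 5721                 # VSA agent port, as stated in the advisory
$GuiPort     = 443                  # assumed HTTPS port for the VSA Application/GUI
$LocalRanges = @('10.0.0.0/8')      # placeholder: your LAN and VPN client subnets

# 1. Default-deny inbound on every profile so only explicit allow rules pass.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Agents anywhere may still reach the agent port.
New-NetFirewallRule -DisplayName 'VSA Agent Port (inbound)' -Direction Inbound `
    -Protocol TCP -LocalPort $AgentPort -Action Allow -Profile Any

# 3. The GUI/IIS port is reachable only from local or VPN addresses.
New-NetFirewallRule -DisplayName 'VSA GUI from local network only' -Direction Inbound `
    -Protocol TCP -LocalPort $GuiPort -RemoteAddress $LocalRanges -Action Allow -Profile Any

# 4. Verify: show the ports and remote address scope of the VSA allow rules.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -like 'VSA *' }
foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    '{0}: {1}/{2} from {3}' -f $rule.DisplayName, $port.Protocol, $port.LocalPort,
        ($addr.RemoteAddress -join ',')
}
```

Run this from a console session on the server, or add an allow rule for your own management channel first, because the default-deny takes effect as soon as step 1 runs.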