How to Stay Safe and Secure Your Critical Business Systems such as Autotask PSA and DattoRMM

In light of recent security breaches involving some MSP-related software, at Sondela we have been working with some customers to ensure that they have the right security in place for their critical business systems such as Autotask PSA and DattoRMM.

If you are using Autotask, there are a few steps you can take right now to secure the system as much as possible.

1. Use SSO instead of 2FA

Use SSO (with Microsoft 365) instead of 2FA (I would recommend doing this for extra security). This is actually very easy to set up, and there is an article here to help.

Set up SSO in Autotask

If you do still need to use 2FA, then make sure you have a strong password policy set up in Autotask. You can do this by going to Admin > System Settings > Password Requirements and clicking the edit button (see the screenshot below for details).

As well as the above, you can also change the setting in Admin > System Settings that controls the number of failed login attempts allowed before the account is locked out. I recommend changing this to 3.

2. Use Random Passwords for All API Users.

My recommendation is to use random usernames and passwords for your API accounts and, where possible, to choose the integration vendor associated with the product you are securing. I would recommend changing the API username and password for every integration and setting them up again so that you are using the latest version of the API credentials. I would also recommend changing the API password (at the very least) every few months and the username every 6 months or so (which in most cases will require you to re-set up the integration).

3. Remove all unused API Accounts

Remove all API accounts that are no longer needed. If you are not going to use that integration again, you should redact the account rather than just inactivating it, so that all information associated with it is completely destroyed. If there is ever a security breach at that company, at least your details can never be used.
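As an added example (not from the original post, and not Autotask's own tooling), here is a small Python audit over a constructed inventory of API accounts that flags the conditions described in steps 2 and 3: no integration vendor selected, a password or username past its rotation interval, and accounts that are no longer used. The 90-day "unused" window, the audit date and the inventory layout are assumptions made for the example.

```python
from datetime import date, timedelta

# Rotation intervals follow the post ("every few months", "every 6 months or so");
# the unused window is an assumption for this example.
PASSWORD_MAX_AGE = timedelta(days=90)
USERNAME_MAX_AGE = timedelta(days=180)
UNUSED_AFTER = timedelta(days=90)
AUDIT_DATE = date(2024, 1, 15)  # assumed "today" so the example is reproducible

# Constructed sample inventory (not real accounts). "vendor" is the integration
# vendor chosen for the API user; None means none was selected. "last_used" None
# means the integration has never called the API.
API_ACCOUNTS = [
    {"name": "Datto RMM sync", "vendor": "Datto", "password_set": date(2023, 12, 1),
     "username_set": date(2023, 9, 1), "last_used": date(2024, 1, 14)},
    {"name": "Legacy backup tool", "vendor": "Old Backup Co", "password_set": date(2023, 3, 1),
     "username_set": date(2023, 3, 1), "last_used": date(2023, 6, 30)},
    {"name": "Billing connector", "vendor": None, "password_set": date(2023, 10, 1),
     "username_set": date(2023, 10, 1), "last_used": date(2024, 1, 10)},
    {"name": "Trial integration", "vendor": "Trial Co", "password_set": date(2024, 1, 2),
     "username_set": date(2024, 1, 2), "last_used": None},
]


def audit_api_accounts(accounts, today):
    """Return {account name: [issues]} for every account that breaks the policy."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["vendor"] is None:
            issues.append("no integration vendor selected")
        if today - acct["password_set"] > PASSWORD_MAX_AGE:
            issues.append(f"password older than {PASSWORD_MAX_AGE.days} days: rotate")
        if today - acct["username_set"] > USERNAME_MAX_AGE:
            issues.append(f"username older than {USERNAME_MAX_AGE.days} days: rotate and re-set up the integration")
        if acct["last_used"] is None or today - acct["last_used"] > UNUSED_AFTER:
            issues.append("unused: redact rather than inactivate")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_api_accounts(API_ACCOUNTS, AUDIT_DATE).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Replace the constructed inventory with an export of your own API users and run it on a schedule; anything it reports is a credential to rotate or an account to redact.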

4. Check Security Level for All users

Check the security level for all accounts and make sure every user has the correct level for their job role. I see too many people leaving everyone as a “System Admin”, which gives them access to the entire system.

5. Remove all unused User Accounts (Resources)

Remove all unused user accounts (inactivate or redact them if need

6. Use Protected Fields and Encryption when storing passwords

If you are storing passwords in Configuration Items, make sure they are stored in Protected fields (and secured so that only certain users can see them) and that you have turned on encryption, which is a feature of the Configuration Items User Defined Fields.

7. Change your username in Autotask

You can also use a different login for Autotask rather than your email address. Many people I speak to think that the username you use to log in to Autotask needs to be your email address. It actually does not; you can log in with anything you want. For example, I use a random username (stored in 1Password) to connect. Here is an example of my username in Autotask, which does not match any of my actual email addresses on my domains:

It goes without saying that nothing you do will protect you 100% from a cyber attack, but following these 7 steps will go a long way towards mitigating one.

If you have any questions or comments, or need help setting any of this up, please contact us here.