Researcher Claims N-able Guideline Exposes MSPs to Security Risk

Researcher Claims N-able Workgroup Guideline Exposes MSPs to Security Risk

Written by Edward Gately
October 29, 2021

N-able says only a small number of MSPs are at risk.

Fundamental Cyber says N-able, the spinoff of SolarWinds’ MSP business, is undoing Microsoft’s built-in protections.

According to the Sweden-based company, N-able is recommending MSPs eliminate security safeguards, therefore exposing them to potentially devastating cyberattacks.

Fundamental Cyber is not a Solarwinds or N-able competitor. It just came across the N-able security flaws while conducting research.

In the aftermath of last year’s massive supply chain attack, SolarWinds said it was beefing up its security to better protect itself and its customers.

Sudhakar Ramakrishna is SolarWinds’ president and CEO. Back in March, he had this to say:

SolarWinds’ Sudhakar Ramakrishna

“We’ve added a level of security and review through tools, processes, automation and, where necessary, manual checks around our product development processes that we believe goes well beyond industry norms to ensure the integrity and security of all of our products. We firmly believe that the Orion software platform and related products, as well as all of our other products can be used by our customers without risk of the Sunburst malicious code.”

However, Fundamental Cyber’s research claims N-able‘s guidelines around Workgroup environments are putting MSPs at risk.

Fundamental Cyber assists companies with data protection, privacy law compliance and incident reporting.

David Williams is co-founder of Fundamental Cyber.

Fundamental Cyber’s David Williams

“The big picture is that N-able, which is meant to protect you, meant to protect your company, to add another level of protection, is actually undoing all of the built-in protection,” he said. “So they’re taking the most fundamental things that Microsoft puts there and disabling them, and then they’re using all the worst practices, like not just sharing a password and a username, but actually setting all of the computers at an administrator level. So they all have the power to do a lot of harm.”

Lewis Pope is head security nerd for N-able.

“As a documented best practice, N-able advises MSPs deploy agents directly to each workstation rather than use probes in a Workgroup environment,” he said. “There is an extremely small number of MSP customers who are not leveraging Active Directory (AD), and for them we make explicit in our documentation that we do not recommend using probes. MSPs who do not follow this best practice recommendation are knowingly taking a risk.”

N-central Probe Instructions

N-central is N-able‘s flagship remote monitoring and management solution for MSPs. The instructions for setting up a probe in a Workgroup includes the following:

Before installing a probe in a Workgroup:

Ensure that all the computers in the workgroup have an administrator account with the same username and password.
Ensure that the password has no expiry.
The account cannot be a member of any other group other than administrators.
Login to each computer on the workgroup using this account at least once.
Disable user access control (UAC) for this account as it can interfere with Windows Management Instrumentation (WMI) queries from the probe.

Matthew Carr is co-founder of Fundamental Cyber.

Fundamental Cyber’s Matthew Carr

“A probe is essentially a bit of software that sits on each machine or server,” he said. “What it’s asking you to do here is ensure that all the computers have an administrator account with the same username and password. That right there means that now if I’ve got access to one, I have access to all. Secondly, there are no password expiries. Arguably, if I’ve got access now, in five years it’s still going to work and I’m still going to access all of the machines in the organization. The account must be an administrator.”

The worst part is disabling UAC for the account, Carr said.

“Microsoft‘s guides will tell you that UAC is a fundamental component of Microsoft’s overall security vision to mitigate the impact of malware,” he said. “So straight out of the gate, you just installed your first probe and you’ve disabled one of the most fundamental parts of Microsoft’s security.”

N-able points out that below the instructions, it states “we do not recommend using the probe to deploy in a Workgroup due to the number of file sharing and permission issues in a Workgroup that can interfere with the probe’s ability to push agents.”

N-able also said the instructions have since been updated.

Remote Code Access

In October alone, there were more than 21 Microsoft Word remote code execution vulnerabilities, Carr said.

“That doesn’t include all the ones that are sold by zero-day brokers to governments,” he said. “That doesn’t include the ones that are sat on by organized criminals or hackers. There are 21 ways that I can execute code remotely on your Windows machines.”

Several of these vulnerabilities affect …