RMM Guard - Controlled RMM Access to Isolated Machines
planned
Jon Sale
When a machine is isolated by Huntress, approved RMM tools should still be able to connect when explicitly allowed by policy. However, access should not be granted based only on the RMM tool being approved.
To add another layer of protection, Huntress should verify both the technician’s identity and the trust status of the device initiating the remote session before allowing access to an isolated endpoint.
Proposed Behavior:
Remote access to an isolated machine should only be allowed when all of the following conditions are met:
Approved RMM Tool:
The remote access application must be listed as an approved RMM tool under RMM Guard or Application Control policy.
Trusted Technician Device:
The device initiating the remote session must:
Have the Huntress agent installed
Be actively enrolled and checking in
Be associated with the same Huntress account, organization, tenant, or site
Meet any required health or compliance checks
Authorized Technician:
The user initiating the session must:
Be a valid Huntress user or authorized agent within the account
Have access based on assigned role, organization, tenant, or site permissions
Session Logging and Auditing:
Huntress should log all remote access attempts to isolated machines, including:
Technician identity
Source device
Target isolated device
RMM tool used
Source IP address
Session start and end time
Approval or denial status
Huntress should also learn normal remote access behavior over time. If an access attempt appears unusual, such as coming from a new device, different IP address, unexpected location, or abnormal time of day, Huntress should require additional approval before allowing the connection.
For example, Huntress could send an approval request by text message to predefined contacts, either a general list or, by assigning techs to specific Huntress endpoints, only the user attached to that endpoint. The recipient could approve or deny the session by replying:
YES to allow the connection
NO to block the connection
This would help prevent unauthorized RMM access to isolated machines while still allowing approved technicians to respond quickly when remote remediation is needed.
This would also be great in general for non-isolated machines.
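The decision flow described in this request, modelled as an added example (this is not Huntress code and not code from the poster; the policy data, field names, device names, IPs and the SMS reply handling are all hypothetical). It shows the three gating conditions being evaluated together, the audit record being written for every attempt whether allowed or not, and an access from a new IP at an unusual hour being pushed to out-of-band approval instead of being allowed outright:

```python
# Constructed model of the proposed decision flow (added example, not Huntress code):
# every structural condition must hold, then an unfamiliar access context
# requires out-of-band approval. Names, fields and sample data are hypothetical.
from dataclasses import dataclass
from datetime import datetime
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REQUIRE_APPROVAL = "require_approval"

@dataclass
class SessionRequest:
    technician: str
    source_device: str   # machine the technician connects from
    source_ip: str
    target: str          # the isolated endpoint
    rmm_tool: str
    org: str             # Huntress organization the target belongs to
    started: datetime

# Hypothetical policy data: approved tools, agent-enrolled devices, user permissions.
POLICY = {
    "approved_rmm_tools": {"ScreenConnect"},
    "enrolled_devices": {
        "TECH-LAPTOP-01": {"org": "acme", "checking_in": True, "healthy": True},
        "TECH-LAPTOP-02": {"org": "acme", "checking_in": False, "healthy": True},
    },
    "users": {"jsale": {"acme"}},
}

class Baseline:
    """Per-technician history of source device, IP and hour of day seen before."""
    def __init__(self):
        self.seen = {}

    def record(self, req):
        s = self.seen.setdefault(req.technician, {"dev": set(), "ip": set(), "hr": set()})
        s["dev"].add(req.source_device)
        s["ip"].add(req.source_ip)
        s["hr"].add(req.started.hour)

    def anomalies(self, req):
        s = self.seen.get(req.technician, {"dev": set(), "ip": set(), "hr": set()})
        checks = [("new source device", req.source_device, s["dev"]),
                  ("new source IP", req.source_ip, s["ip"]),
                  ("unusual time of day", req.started.hour, s["hr"])]
        return [label for label, value, known in checks if value not in known]

def evaluate(req, policy, baseline, audit_log):
    """Apply the gating conditions, then the behavioural check; log every attempt."""
    reasons = []
    if req.rmm_tool not in policy["approved_rmm_tools"]:
        reasons.append("RMM tool not approved")
    dev = policy["enrolled_devices"].get(req.source_device)
    if dev is None:
        reasons.append("source device has no Huntress agent")
    elif not dev["checking_in"]:
        reasons.append("source device not checking in")
    elif dev["org"] != req.org or not dev["healthy"]:
        reasons.append("source device outside org or failed health check")
    if req.org not in policy["users"].get(req.technician, set()):
        reasons.append("technician not authorized for this org")
    if reasons:
        decision = Decision.DENY
    elif reasons := baseline.anomalies(req):
        decision = Decision.REQUIRE_APPROVAL  # step-up: ask a predefined contact
    else:
        decision = Decision.ALLOW
    audit_log.append({  # the audit fields the request asks for
        "technician": req.technician, "source_device": req.source_device,
        "source_ip": req.source_ip, "target": req.target, "rmm_tool": req.rmm_tool,
        "start": req.started.isoformat(), "decision": decision.value, "reasons": reasons,
    })
    return decision, reasons

def apply_reply(decision, reply):
    """Resolve a pending approval from the SMS reply; anything but YES blocks."""
    if decision is not Decision.REQUIRE_APPROVAL:
        return decision
    return Decision.ALLOW if reply.strip().upper() == "YES" else Decision.DENY

def demo():
    """Three constructed attempts against POLICY; returns decisions and the audit log."""
    def req(device, ip, tool, hour):
        return SessionRequest("jsale", device, ip, "WS-ISO-7", tool, "acme",
                              datetime(2024, 5, 6, hour, 0))
    baseline, log = Baseline(), []
    usual = req("TECH-LAPTOP-01", "203.0.113.10", "ScreenConnect", 10)
    baseline.record(usual)  # previously observed normal behaviour
    results = {"usual": evaluate(usual, POLICY, baseline, log)[0]}
    odd = req("TECH-LAPTOP-01", "198.51.100.9", "ScreenConnect", 3)
    results["odd_context"] = evaluate(odd, POLICY, baseline, log)[0]
    results["odd_after_no"] = apply_reply(results["odd_context"], "NO")
    stale = req("TECH-LAPTOP-02", "203.0.113.10", "ScreenConnect", 10)
    results["stale_device"] = evaluate(stale, POLICY, baseline, log)[0]
    return results, log
```

Two design points worth noting: the approved-tool check never short-circuits the others, so a denied attempt's audit record lists every failed condition rather than just the first; and a pending approval resolves to deny on any reply other than YES (or no reply), so a lost or mistyped text fails closed.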
Alan Helbush
This would be a great addition, assuming the established Huntress MFA method is already in place.
Chris Bisnett marked this post as planned
This is a great use case for leveraging our additional context, approved RMMs, and using it to inform other decisions to provide better security and user experience. We've talked for a long time about how we decide which other RMM tools should be allowed to communicate during isolation, and this should allow that.
I'm not sure if we'll be able to control which users connect and whether the machine they are connecting from has a live Huntress agent on it. I don't know if any of the RMM tools have that level of integration support, so that might require some changes to support that from the RMM side, but we should at least be able to allow the process to communicate over the network.