STOP! How outdated are your management scripts?

During a recent audit of an MSP's onboarding processes, I found several Agent Procedures that seemed interesting. I had not seen any other MSP performing some of these configuration steps, so I looked more deeply at the logic in these procedures. What I found would have turned any hair I had left white!
One procedure in particular was named "Set Access Rights for PerfMon Folders". "What PerfMon folders?" I wondered.. Looking at the procedure, the description stated that it was modifying the Kaseya working folder permissions to allow PerfMon to access the KLogs folder. It did this by changing the permissions to "Everyone:Full Control"! 
Looking closer, I was able to determine that this procedure was quite old, and likely developed for VSA version 6 or earlier and had never been updated. While it's possible that older versions of VSA did not provide adequate access to the KWorking folder, that is no longer the case. Administrators have full control, and even users have Read & Execute, so there is no issue with PerfMon reading this location. 
The most important thing to realize is that things change. If you have processes that haven't changed in years, it's time to afford them a review and decide if they are still needed, or in need of an update. This procedure, if not identified, would introduce significant risk into the MSP environment by granting Full Control rights to every account to a critical system folder. Imagine a malicious user could replace an EXE or update a script to call malware or ransomware. If the agent procedure doesn't replace these scripts and blindly calls them - often with SYSTEM rights - the damage could be extensive.
Why risk this? Take time to review your procedures and tools to make sure they are still required and operate in compliance with today's security model. Remove processes that are no longer needed, and update those that are still needed to follow current security requirements. The business you save might be your own!


Comments are closed on this post.