Hello LM Community!
Important Security Announcement
As part of our ongoing commitment to enhancing security for our customers, LogicMonitor will be requiring stronger security measures to protect your account. This page is to serve as both an announcement and a landing page for resources you may need. Your account will need to be in compliance with the following security mandates by December 31, 2024, to avoid any disruptions to your service.
Please review the items below, and take appropriate actions to ensure a secure experience with LogicMonitor.
Security Mandates
- Two-Factor Authentication (2FA)
  - Summary: Two-factor authentication (2FA) provides an extra layer of security for accessing any LogicMonitor account. With this upcoming change, users not using SSO (Single Sign-On) will be required to use 2FA. This means that, in addition to a username and password, users will need to verify their identity using a third-party authenticator application such as Authy, an authentication token delivered via SMS/voice, or email verification.
  - Quick Reference Guide (QRG)
  - Supporting Documentation:
- Linux Collectors Least Privilege
  - Summary: Previously, LogicMonitor required collectors to use root credentials to collect data from the resources they monitored. As part of our commitment to raising security standards, and in response to feedback from our customer base, with the release of GD 36 we have introduced the capability for collectors to run using non-root credentials. We ask that customers promptly change to non-root credentials, which will improve security and reduce risk. Moving forward, LogicMonitor is requiring all Linux collectors to be migrated to run under non-root users. Our enhanced migration process allows this transition without uninstalling the collector or losing any data. Customers can follow either the prompt-based or silent migration process to complete the transition.
  - Quick Reference Guide (QRG)
  - Supporting Documentation:
- Windows Collectors Least Privilege
  - Summary: Originally, LogicMonitor required Windows collectors to run using administrator (admin) credentials to collect data from the resources they monitored. As part of our commitment to the highest security standards, we have continued to invest in security features and risk mitigation for our customers. We have now extended the capabilities of collectors to use non-administrator (non-admin) credentials for data collection.
    Moving forward, LogicMonitor is requiring all Windows collectors to be migrated to non-administrator accounts to monitor their systems. Our enhanced migration process allows this transition without uninstalling the collector or losing any data. Customers can follow the prompt-based migration process to complete the transition to non-administrator accounts.
  - Non-admin essentially means moving away from an excessively privileged account for monitoring.
  - Update on the Windows Collectors Least Privilege Security Mandate:
    What happens at the end of the year if collectors are still using administratively privileged accounts for the collector service user and query user?
    Based on our customers' unique environmental landscapes and needs, if a collector is still configured to use accounts with administrative privileges on December 31, 2024, we will not prevent it from communicating with LogicMonitor. We do, however, strongly recommend that you use non-administrator accounts to monitor your systems, as our migration process allows this transition without uninstalling the collector or losing any data. We understand that 100% compliance with a non-admin account is not possible if the technology you are monitoring REQUIRES administrative privileges. LogicMonitor is currently reviewing the best options to limit the attack surface in these scenarios while also minimizing disruptions. Once we have refined the solutions that best fit customers' unique circumstances, we will provide ample time for our customers to implement any required changes. The goal of this security mandate is not to dictate how customers manage Windows accounts, but rather to help our customers better adopt security best practices (the Principle of Least Privilege) as they relate to the collector service user and collector query user.
  - Quick Reference Guides (QRG)
  - Supporting Documentation / How To Guides
- API Tokens
  - Summary: Roles within the LogicMonitor platform define the permissions and configurations that determine a user's interactions. The administrator role, in particular, grants permissions across all areas of the platform, enabling administrators to perform any action, including those that are security-sensitive.
  - REST API tokens are used to authenticate requests to the REST API, allowing users to programmatically manage their LogicMonitor resources, dashboards, devices, reports, services, alerts, collectors, datasources, scheduled downtime (SDTs), and more.
  - To enhance security and maintain the integrity of our systems, we have disabled the ability for customers to create API tokens using LMSupport user accounts or the default administrator role. This restriction helps prevent unauthorized access and potential misuse of elevated permissions, ensuring that API keys are generated and managed within a controlled and secure framework.
  - The combination of out-of-box (OOB) admin permissions with an API token poses significant risk, potentially leading to unauthorized actions and disruptions within a LogicMonitor portal. Therefore, if you have previously created an API token using an LMSupport user account or an administrator role, you need to migrate to a new API token created under a new user or role with appropriate (least-privilege) permissions.
  - Quick Reference Guide (QRG)
  - Supporting Documentation:
    - API Tokens
    - API Best Practices Guide (coming soon!)
LogicMonitor Security Best Practices
If you have any questions or need assistance, please contact our Technical Support Team.