IP-restricted access to the console

Userlevel 4
I'm very confident with the security in WSA and the two-step logon, but as mentioned in other threads on this forum - the agent commands and other features are very strong tools. Because of the I often have customers requesting IP-restricted access to the console. They want the option to control what IP's that may be used when logging on to the console with their username.

12 replies

Userlevel 7
I agree with this request.
Userlevel 5
This is now under consideration. Security is key and we don't want there to be any concerns with the security of your management console. -We do monitor console login usage and behavior. If you change IP addresses while logged into the console it will request that you re-login. -If you fail to login 3 times in a row, you will be locked out. -Also we have the ability to block IP address access if we feel traffic is malicious. Lets get some more kudos from the community!
Badge +5
Why stop with IP why not MAC filtering as well...however, they are both it would only be an inconvenience rather than a real deterrant to someone really determined.  ;)
Userlevel 7
How would they filter by the MAC? 
Badge +5
Generally they wouldn't....the point was that it's not a real deterrent...
But if we are talking about features then why not ask to have a local client install bind to a MAC or hardware signature and then report back that MAC or hardware signature and filter by that and only allowed to modify or send commands etc from that...but then if the system crashes or changes you would have to contact Webroot support to reset.
I understand the concern and am really not opposed to these feature requests...but it really defeats the purpose of having a web accessible console that I can manage from home or while on vacation etc.  
In other words that's why I like the ability to be able to manage or solve a problem while not having to be in the office.
Not a reason to do without the feature as long as it's optional.
sorry for the late response :p
Userlevel 5
The real thing here is security vs usability. They could possibly make this so secure that it will no longer be usable by anybody and that's not what we all want. Webroot has to juggle with finding the middle ground between being secure and being usable. I had already given my kudos to this in the past as I think we should give people the option to select their own level of usability/security as such I'm for adding additional security options, but not for enabling them for everybody by default. That's the part of this suggestion that I really like.
+1 for managing our our security.  We have multiple DDNS addresses set up that we could provide (instead of IP addresses).  These DDNS addresses would of course correspond to any IP that a tech might connect from.  We can remote in to work, connection from home, our phones, etc.  If we can't use any of those...tough luck for us.
Userlevel 2
I made the same post for the GSM console.

company's and MSP's/Resellers want to be more in control over the access to the consoles. They don't want employees to login at home to control business computers for example. Therefore an ip adresss block or allow per user would be a great feature to have.

That it can be spoofed is not a problem because you still have a username + password + and the passphrase to login.
I'd just like to +1 on this.
It may not be useful for everyone, and it's not foolproof, but it's a relatively easy option that can definitely improve security. Payment processors such as Moneris, for example, have provided this feature for their online access for years.
I would support a restriction from one or more individual IP's, IP subnets, and/or IP ranges, to cover every possibility.
Userlevel 7
Badge +35
We are reviewing all feature requests - switching status to get it into the appropriate queue.
Userlevel 2
Badge +4
I would say the MFA is a better solution.  Please vote for that as well. see the suggestion named:
Add Google Authenticator two-factor authentication to Webroot SecureAnywhere business console login
Userlevel 7
Badge +35
Thank you for your suggestion. We are working on planning for our next stage of development and will definitely take this into consideration.