Here are some best practices when setting up your environment for the first time. Some of these topics are covered in the Security page of our documentation, but the following topics are what we here at Automox recommend.
Two-factor authentication (2FA) and single-sign on (SSO) greatly reduce the possibility of your account getting compromised.
When using 2FA, prefer OTP (one-time PINs) over mobile push. If mobile push is necessary, enable challenge-response features where possible to protect employees against authentication spam attacks (repeated push prompts sent until a user approves one).
If you have an SSO IdP, enable SSO for your organization:
SSO is beneficial in that it reduces the overall attack surface and prevents account sprawl. If you have many administrators in your Automox organization, SSO eliminates the need to track down that account when that person leaves the company.
Lower the number of failed login attempts after which an account is locked.
Rate limiting sign-in attempts reduces the chance of successful brute-force or password spray attacks on your account. For more information on this feature, see Security → Login Attempts Settings.
Only create API keys if necessary, and if you do, set a reasonable expiration based on your company’s security policy.
Rotating API tokens reduces your overall attack surface. Keys that are handled by humans regularly should be rotated more often, while keys that are not accessed often or ever and are stored securely may warrant a longer expiration period.
Discard tokens that are no longer in use by auditing them on a regular cadence. Store agent access keys in a secure vault or other secure location, never in plaintext in a publicly accessible location. See Managing Keys in our help docs.
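The rotation and audit policy described above (shorter lifetimes for keys humans handle, longer ones for vaulted keys, and revocation of keys that go unused) can be turned into a simple recurring check. The following is an added example, not Automox code or part of the Automox API; the key records, field names and cadence thresholds are constructed for illustration and should be replaced with whatever your key inventory and security policy actually use.

```python
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumed values; set them from your company's security policy).
HUMAN_MAX_AGE = timedelta(days=30)     # keys people paste into tools or CI configs
VAULTED_MAX_AGE = timedelta(days=180)  # keys that live only in a secrets vault
UNUSED_AFTER = timedelta(days=90)      # a key not used for this long is revoked
EXPIRY_WARNING = timedelta(days=7)     # rotate before the key silently expires

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory; field names are assumptions, not Automox's schema.
SAMPLE_KEYS = [
    {"name": "ci-deploy", "created": _utc(2024, 1, 1), "last_used": _utc(2024, 5, 30),
     "expires": _utc(2024, 12, 31), "human_handled": False},
    {"name": "alice-laptop", "created": _utc(2024, 4, 1), "last_used": _utc(2024, 5, 31),
     "expires": _utc(2024, 7, 1), "human_handled": True},
    {"name": "old-reporting", "created": _utc(2023, 1, 1), "last_used": _utc(2024, 1, 15),
     "expires": _utc(2025, 1, 1), "human_handled": False},
    {"name": "never-used", "created": _utc(2024, 5, 20), "last_used": None,
     "expires": _utc(2024, 8, 1), "human_handled": True},
    {"name": "legacy", "created": _utc(2023, 11, 1), "last_used": _utc(2024, 5, 28),
     "expires": _utc(2024, 5, 15), "human_handled": False},
    {"name": "soon", "created": _utc(2024, 5, 25), "last_used": _utc(2024, 5, 31),
     "expires": _utc(2024, 6, 5), "human_handled": True},
]

def classify_key(key, now):
    """Return the action the policy calls for on one key record."""
    # Unused keys are pure attack surface: revoke them regardless of expiry.
    if key["last_used"] is None or now - key["last_used"] > UNUSED_AFTER:
        return "revoke: unused"
    # An expired key that is still referenced somewhere is a broken integration
    # waiting to be "fixed" by pasting in a new secret; retire it deliberately.
    if key["expires"] <= now:
        return "revoke: expired"
    # Human-handled keys get the short lifetime, vaulted keys the long one.
    max_age = HUMAN_MAX_AGE if key["human_handled"] else VAULTED_MAX_AGE
    if now - key["created"] > max_age:
        return "rotate: exceeds max age"
    if key["expires"] - now <= EXPIRY_WARNING:
        return "rotate: expiring soon"
    return "ok"

def audit_keys(keys, now):
    """Map every key name to its required action, for the audit report."""
    return {k["name"]: classify_key(k, now) for k in keys}

if __name__ == "__main__":
    for name, action in audit_keys(SAMPLE_KEYS, _utc(2024, 6, 1)).items():
        print(f"{name:15} {action}")
```

Run the audit on the same cadence the policy specifies; the ordering of the checks matters, since an unused key should be revoked rather than rotated, which would only hand an unwatched key a fresh lifetime.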
When you create your first worklet, avoid (if possible) storing sensitive data like API tokens, secrets, or username/password combinations in them.
The --setexecdir flag is a useful option for admins who need scripts run in a certain directory depending on security standards. For more information about this, see Change Automox Script Execution Location. See also Location of Files Required By Automox.
When adding users to manage your organization, only give the permissions they require for their job function.
Over-provisioning access could lead to unintended consequences. However, under-provisioning can create blockers and workflow interruptions for your team. It’s a balancing act, so find what works best for you and your team. When in doubt, apply the principle of least privilege. Refer also to our Automox Roles and Permissions documentation.