Important Security Announcement

Hello LM Community!

Important Security Announcement
As part of our ongoing commitment to enhancing security for our customers, LogicMonitor will be requiring stronger security measures to protect your account. This page is to serve as both an announcement and a landing page for resources you may need. Your account will need to be in compliance with the following security mandates by December 31, 2024, to avoid any disruptions to your service. 

Please review the items below, and take appropriate actions to ensure a secure experience with LogicMonitor.

Security Mandates

• Two-Factor Authentication (2FA)
• Summary: Two-factor authentication (2FA) provides an extra layer of security for accessing any LogicMonitor account. With this upcoming change, users not using SSO (Single Sign-On) will be required to use 2FA. This means, in addition to a username and password, users will need to verify their identity using a third-party application such as Authy, an authentication token delivered via SMS/voice, or authenticate via email.
• Quick Reference Guide (QRG)  
• Supporting Documentation:
• Two-Factor Authentication
• Linux Collectors Least Privilege
• Summary:  Previously, LogicMonitor required collectors to use root credentials to collect data from the resources it monitored. As part of our commitment to increasing security standards, and meeting the feedback of our customer base, with the release of GD 36, we have introduced the capability of collectors to run using non-root credentials. We ask that customers promptly change to non-root credentials, which will improve security and reduce risk. Moving forward, LogicMonitor is requiring all Linux collectors to be migrated to run under non-root users. Our enhanced migration process allows this transition without uninstalling the collector or losing any data. Customers can follow either the prompt-based or silent migration processes to complete the transition.
• Quick Reference Guide (QRG)
• Supporting Documentation:
• Migrating Linux Collectors
• Installation Process
• Windows Collectors Least Privilege 
• Summary: Originally, LogicMonitor required Windows collectors to run using administrator (admin) credentials to collect data from the resources it monitored. As part of our commitment to the highest security standards, we have continued to invest in security features and risk mitigation for our customers. We have now extended the capabilities of collectors to utilize non-administrator (non-admin) credentials for data collection. 
  Moving forward, LogicMonitor is requiring all Windows collectors to be migrated to utilize non-administrator accounts to monitor their systems. Our enhanced migration process allows this transition, without uninstalling the collector or losing any data. Customers can follow the prompt-based migration processes to complete the transition to non-administrator accounts. 

• • Quick Reference Guides (QRG)
  • Supporting Documentation / How To Guides
    • Migrating Windows Collectors
    • Credentials for Accessing Remote Windows Computers
    • Setting up non-Admin for WMI on Windows
• API Tokens
• • Summary:  Roles within the LogicMonitor platform define the permissions and configurations that determine a user's interactions. The administrator role, in particular, grants permissions across all areas of the platform, enabling administrators to perform any action, including those that are security-sensitive.
  • REST API tokens are used to authenticate requests to the REST API, allowing users to programmatically manage their LogicMonitor resources, dashboards, devices, reports, services, alerts, collectors, datasources, scheduled downtime (SDTs), and more.
  • To enhance security and maintain the integrity of our systems, we disabled the ability for customers to create API tokens using LMSupport user accounts or the default administrator role. This restriction helps prevent unauthorized access and potential misuse of elevated permissions, ensuring that API keys are generated and managed within a controlled and secure framework.
  • The combination of out-of-box (OOB) admin permissions with the use of an API token poses significant risks, potentially leading to unauthorized actions and disruptions within an LogicMonitor portal. Therefore, if you have previously created an API token, using LMSupport user accounts or administrator roles, you need to migrate to a new API token created under a new user or role with appropriate permissions.
  • Quick Reference Guide (QRG)
  • Supporting Documentation:
    • API Tokens
    • API Best Practices Guide (coming soon!)

LogicMonitor Security Best Practices

• LogicMonitor Security Best Practices

If you have any questions or need assistance, please contact our Technical Support Team.