Hardening an Internet-facing BigFix Relay

What recommendations do folks have for hardening the security of a BigFix Relay that services endpoints that are outside our corporate network? We’ve done the typical things like turning on Enhanced Security and limiting traffic to only specific TCP/UDP ports.

Are there other recommendations that folks have?

No brainer ones…

Use TCL or some other non-Windows OS for your relays. We have a handful of distributed relays in the Azure cloud.

Lock down the /rd (remote diag) on the relay, which is the default in 9.5.8, I believe.

For something with a bit more thought… enable encryption via the admin tool.

3 Likes

@AlexaVonTess is dead on if you’re putting a BESRelay in your company’s DMZ.

Another option would be to implement a reverse proxy rule at your Internet facing firewall and transport TCP traffic on 52311 to an appropriate BESRelay inside the corporate network that has the Relay Diagnostic disabled or password protected.

1 Like
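A worked version of the reverse-proxy suggestion above, as an added example that is not part of the thread and not BigFix's own configuration. It assumes nginx built with the stream module running on the Internet-facing host, an internal BESRelay at the assumed address 10.10.20.15, and that the edge host itself runs no relay:

```nginx
# Added example, not from the original thread: a TCP-level (layer 4) reverse
# proxy that exposes 52311 at the edge and forwards it to an internal BESRelay.
# 10.10.20.15 is an assumed address; the internal relay should have Relay
# Diagnostics (/rd) disabled or password protected, since the tunnel carries
# every request through unchanged.
stream {
    upstream bigfix_internal_relay {
        server 10.10.20.15:52311;   # assumed internal relay
    }

    server {
        listen 52311;               # Internet-facing listener, TCP only
        proxy_pass bigfix_internal_relay;
        proxy_connect_timeout 5s;
        proxy_timeout 10m;          # client/relay sessions can be long-lived
    }
}
```

Two things to keep in mind with this layout: the proxy forwards TCP only, so the UDP 52311 notification packets the relay sends never reach external clients, and those clients should have command polling enabled (the `_BESClient_Comm_CommandPollEnable` and `_BESClient_Comm_CommandPollIntervalSeconds` client settings) so they still pick up new actions promptly; and the internal relay sees every external client as coming from the proxy's address, so check that any relay-side logging or allow-listing you rely on does not depend on the client's real source IP.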