Q Labs relies on a series of security tools and processes to keep your data and clients safe. We will only access your tools from a single IP address which clients can find in our onboarding documents. Access to the Zero Trust VPN service we use is restricted to devices with Sentinel One updated and active, DUO 2FA used for console logon and privilege Escalation, as well as the “Known Good Host” features of DUO wherein a X.509 certificate is installed on company owned and approved devices to perform a successful 2FA signon.

Our code is signed with an Extended Verification (EV) code signing certificate. To sign the code, a hardware token is required (which I keep secured in my office) preventing the code from being tampered with or altered. As well as ensuring the code we use is scrutinized by me before signing.

**Security note for your tools. DattoRMM does not check the signature on components and forces Powershell to bypass the execution policy on the system account. As the Kaseya VSA hack showed us, your tools can be weaponized against you. If an attacker gains access to your RMM with an account that can create/alter and run components, the attacker can take out all your clients. Please use 2FA, IP restriction policies at the very least. Additionally you can add a product like ThreatLocker to restrict what the RMM can do. It is however important that you configure ThreatLocker correctly. If you allow all components to run based on the root path of where components are ran from, you end up with no protection from a malicious attacker weaponizing your RMM.

Please enforce the same protections on any tools you use that can run commands on a clients infrastructure. This may include your AV, Backup, and even some security products.