Agentless, cloud-native backup for Microsoft Azure
micoolpaul
Veeam Vanguard
Full Name: Michael Paul

Feature Request: Limit Allowed IP Address Sign-In for specific accounts

Post by micoolpaul »

Hi,

Firstly: I appreciate this is going to be a very specific request and it might be too obscure to warrant the time investment, but if you don’t ask you never know.

I’d like to see a feature improvement for account authentication to enable specific accounts to only be allowed to sign in from specific IP addresses.

At present we can control access to the Web UI from Port 443; however, this allows all accounts to sign in. I always recommend that customers enable MFA to secure the accounts, so between MFA + restricted IP scope, there’s less risk of an attack. But the ‘service account’ used for VBR & VBfMA integration does not support MFA, undermining the security benefits that MFA brings. However, as VBfMA can only integrate with a single VBR instance, I’d like to see the ability to lock these accounts down further by confirming the sign-in request is coming from VBR’s IP address ONLY.

In summary, conditional access to the web UI using source IP as an evaluating factor in approving authentication.

Alternative ideas for securing further would be:
- Allowing this service account to sign in with certificate authentication
- Separating ports for VM integration from web UI.

This feature request is focused on security: if I need to enable port 443 on an Azure VM that gets compromised, it’s possible the attacker could then connect to the web UI and use a non-MFA’d account to sign in. Granted, it’s not the easiest attack, but certainly possible.
-------------
Michael Paul
Veeam Legend | Veeam Certified Architect | Veeam Vanguard
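
The per-account source-IP check requested in the post above, sketched as an added example (not Veeam's code and not part of the thread). It assumes the password has already been verified; the account names, the addresses and the fail-closed rule for accounts with neither MFA nor an allowlist are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Account:
    name: str
    mfa_enabled: bool
    # CIDR strings this account may sign in from; empty = no restriction set
    allowed_sources: list = field(default_factory=list)

def normalize(ip_text):
    """Parse an address; fold IPv4-mapped IPv6 to IPv4 so allowlists match."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def evaluate_sign_in(account, peer_ip, mfa_passed=False):
    """Return (allowed, reason). peer_ip must be the TCP peer address seen by
    the server, never a client-supplied header such as X-Forwarded-For."""
    try:
        ip = normalize(peer_ip)
    except ValueError:
        return False, "unparseable source address"
    if account.allowed_sources:
        nets = [ipaddress.ip_network(c, strict=False) for c in account.allowed_sources]
        if not any(ip.version == n.version and ip in n for n in nets):
            return False, "source not in account allowlist"
    elif not account.mfa_enabled:
        # Assumed policy: an account with neither MFA nor an allowlist fails closed
        return False, "non-MFA account without source restriction"
    if account.mfa_enabled and not mfa_passed:
        return False, "MFA required"
    return True, "ok"

# Constructed sample accounts and addresses (hypothetical values)
VBR_SVC = Account("vbr-integration", mfa_enabled=False, allowed_sources=["10.0.1.10/32"])
ADMIN = Account("admin", mfa_enabled=True)

if __name__ == "__main__":
    attempts = [(VBR_SVC, "10.0.1.10", False),   # sign-in from the VBR server
                (VBR_SVC, "10.0.2.77", False),   # same credentials, other VM
                (ADMIN, "10.0.2.77", True)]      # interactive user with MFA
    for acct, src, mfa in attempts:
        print(acct.name, src, evaluate_sign_in(acct, src, mfa))
```

With this rule, the non-MFA integration account is only usable from the single VBR address, while interactive accounts remain governed by MFA and the existing port 443 network restriction.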
nielsengelen
Product Manager
Full Name: Niels Engelen

Re: Feature Request: Limit Allowed IP Address Sign-In for specific accounts

Post by nielsengelen » 1 person likes this post

Hi Michael,

Clear request. We'll look into enhancements for a future release but for now I will not be able to tell when this (or a similar feature) will be available.
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen