By Ryan Windt | Head of Growth Marketing | Updated March 2026
Managed service providers remain high-value targets for a straightforward reason: compromise one MSP and you have a path into every client environment they manage. The biggest drivers of incidents today are abuse of remote access tools (RMM and screen-sharing) and identity takeovers that bypass legacy MFA. This playbook covers what to fix first, mapped to the controls most cyber insurers expect before they quote.
The controls below connect directly to three companion posts worth reading alongside this one: the Cyber Insurance Requirements Checklist for the underwriting perspective, the MSP RMM Hardening guide for a deeper dive on remote tool controls, and the SaaS Security Playbook for OAuth and app governance specifics.
Controls That Actually Move Risk and Premiums
Before getting into each area, here is the priority order underwriters use when evaluating an MSP application:
- Identity and access: phishing-resistant MFA for all admins and remote access, Conditional Access, just-in-time privilege
- Remote tools: RMM and screen-sharing treated as Tier 0, locked down with SSO and MFA, monitored, dual-control on high-risk actions
- SaaS and OAuth: end-user app consent disabled, admin approval workflows, legacy authentication blocked
- Endpoint protection and patching: EDR on 100% of endpoints and servers, tight patch SLAs for remote access tools and known-exploited vulnerabilities
- Backups: 3-2-1-1-0 with at least one immutable or air-gapped copy, quarterly tested restores
- Logging and detection: centralized identity, email, endpoint, RMM, firewall, and SaaS admin logs, approximately 12 months retention
- Attack surface: no exposed RDP or admin portals, everything sensitive behind VPN or Zero-Trust with strong MFA
1. Identity First: Kill Phishable Logins
Identity compromise is the starting point for the majority of MSP incidents. Fixing it first reduces your exposure more than any other single control.
Enforce phishing-resistant MFA (FIDO2 security keys, passkeys, or certificate-based authentication) for all administrators, remote access, and high-risk applications. App-based TOTP is no longer sufficient for administrator accounts at most carriers.
Remove standing global admin accounts entirely. Use just-in-time privilege elevation with time-bound approvals and reason codes for Microsoft 365, Azure, and other critical platforms. The goal is zero accounts with persistent global admin rights.
Apply Conditional Access policies that require compliant devices for admin portal access, block risky sign-in signals such as impossible travel or unfamiliar locations, and step up MFA for sensitive actions.
Rotate local admin passwords automatically using Windows LAPS or an equivalent solution. Never reuse local credentials across machines. Disable legacy protocols (POP, IMAP, SMTP Auth, Basic authentication) wherever possible.
Carriers increasingly require evidence of phishing-resistant MFA and privileged access controls before offering favorable terms on an MSP policy.
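To make the sign-in rules in this section concrete, here is an added example (not from this post, and not any vendor's policy engine) that evaluates a short sequence of constructed sign-in events the way a Conditional Access policy set would: legacy protocols are blocked outright, admin sign-ins must use a phishing-resistant method from a compliant device, password-only user sign-ins are stepped up, and a same-user sign-in that implies impossible travel is blocked. The event schema, the 900 km/h travel threshold and the sample users are assumptions made for the example.

```python
"""Added example: Conditional Access style evaluation of sign-in events.

Rules, field names and sample events are constructed for illustration and are
not the post's own material or any vendor's policy schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# Methods the post counts as phishing-resistant.
PHISHING_RESISTANT = {"fido2", "passkey", "certificate"}
# Legacy protocols the post says to disable.
LEGACY_CLIENTS = {"pop3", "imap4", "smtp_auth", "basic_auth"}
# Assumed threshold: faster than an airliner means both sign-ins cannot be the same person.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass
class SignIn:
    user: str
    is_admin: bool
    auth_method: str        # "fido2", "passkey", "certificate", "totp", "password"
    client: str             # "browser", "imap4", ...
    device_compliant: bool
    lat: float
    lon: float
    at: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(prev: Optional[SignIn], cur: SignIn) -> bool:
    """True when the same user would have had to move faster than MAX_PLAUSIBLE_KMH."""
    if prev is None or prev.user != cur.user:
        return False
    hours = max((cur.at - prev.at).total_seconds(), 1.0) / 3600.0  # never divide by zero
    distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    return distance / hours > MAX_PLAUSIBLE_KMH


def evaluate(cur: SignIn, prev: Optional[SignIn] = None) -> Tuple[str, str]:
    """Return (decision, reason); decision is "allow", "step_up" or "block"."""
    if cur.client in LEGACY_CLIENTS:
        return "block", f"legacy protocol {cur.client} is disabled"
    if impossible_travel(prev, cur):
        return "block", "impossible travel relative to previous sign-in"
    if cur.is_admin:
        if cur.auth_method not in PHISHING_RESISTANT:
            return "block", f"admin sign-in requires phishing-resistant MFA, got {cur.auth_method}"
        if not cur.device_compliant:
            return "block", "admin portal access requires a compliant device"
        return "allow", "admin policy satisfied"
    if cur.auth_method == "password":
        return "step_up", "MFA required for password-only sign-in"
    return "allow", "user policy satisfied"


def run_demo() -> List[Tuple[str, str]]:
    """Evaluate a constructed sequence of sign-ins, tracking each user's previous event."""
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    london, sydney = (51.51, -0.13), (-33.87, 151.21)
    events = [
        SignIn("alice", True, "fido2", "browser", True, *london, t0),
        SignIn("alice", True, "totp", "browser", True, *london, t0 + timedelta(minutes=5)),
        SignIn("bob", False, "password", "imap4", False, *london, t0),
        SignIn("carol", False, "password", "browser", True, *london, t0),
        SignIn("carol", False, "totp", "browser", True, *sydney, t0 + timedelta(hours=1)),
    ]
    last_seen: Dict[str, SignIn] = {}
    results = []
    for ev in events:
        decision, _reason = evaluate(ev, last_seen.get(ev.user))
        last_seen[ev.user] = ev
        results.append((ev.user, decision))
    return results


if __name__ == "__main__":
    for user, decision in run_demo():
        print(f"{user}: {decision}")
```

The order of checks matters: protocol and travel signals are evaluated before the MFA check so that a legacy client never gets to present a weak factor at all, which mirrors the post's advice to disable Basic authentication rather than merely step it up.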
2. Remote Tools: Treat RMM as Tier 0
RMM platforms, screen-sharing tools, and help-desk systems are the highest-value targets in an MSP environment. A compromised RMM is a compromised client base. For a full breakdown of RMM-specific controls, see the MSP RMM Hardening guide.
The baseline requirements:
Do not install RMM agents on Domain Controllers. Avoid server installs unless strictly required. Require signed agents and block user-installed remote tools through application control. Alert on any new remote-access binaries appearing in your environment.
Enforce SSO with phishing-resistant MFA for all RMM access. Restrict access by IP or VPN. Log and record privileged sessions where feasible. Require approvals and dual control for high-risk actions including script deployment, registry edits, and mass software changes.
Maintain out-of-band communications and separate break-glass credentials for emergencies. Rotate immediately after any use.
Lock down your help-desk verification process. No password resets, MFA factor enrollments, or privilege changes should be processed via chat or ticket alone. Call back only to pre-verified numbers. Require multi-person approval for any privilege escalation. Attackers specifically target weak help-desk workflows because they are the path of least resistance past strong technical controls.
3. SaaS and Email: Clean Up OAuth and App Consent
SaaS environments create risk through misconfiguration, excessive permissions, and malicious OAuth consent. For a comprehensive treatment of SaaS-specific controls, see the SaaS Security Playbook.
The critical actions:
Disable end-user consent to third-party applications entirely. Route all app approvals through admin consent workflows. Allow only publisher-verified apps and review scopes quarterly. Restrict application assignments to users who actually need them.
Apply Conditional Access for admin changes including app registration, security information updates, and token lifetime modifications.
Block legacy and less-secure authentication across mail and file services. Enforce modern OAuth throughout the environment. Review and revoke stale OAuth grants on a regular cadence.
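The quarterly grant review described above is easier to run consistently when it is scripted. The following is an added example (not from this post or any SaaS platform's tooling) that triages a constructed list of OAuth grants: user-consented apps, unverified publishers, high-privilege scopes and stale grants each produce a finding, and the combination decides whether the grant should simply be reviewed or revoked. The high-privilege scope list uses Microsoft Graph permission names as an illustrative starting set, and the 90-day staleness threshold is an assumption.

```python
"""Added example: triage a list of OAuth grants against the rules in section 3.

The grant records are constructed; HIGH_PRIVILEGE_SCOPES uses Microsoft Graph
permission names as an illustrative starting set, and the 90-day staleness
threshold is an assumption, not a value from the post.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

HIGH_PRIVILEGE_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
    "Directory.ReadWrite.All", "Application.ReadWrite.All",
}
STALE_AFTER_DAYS = 90  # assumed review cadence


@dataclass
class Grant:
    app_name: str
    publisher_verified: bool
    consent_type: str            # "admin" or "user"
    scopes: List[str]
    last_used: Optional[date]    # None = never used
    assigned_users: int


def triage(grant: Grant, today: date) -> Tuple[str, List[str]]:
    """Return (action, issues) where action is "ok", "review" or "revoke"."""
    issues: List[str] = []
    risky = sorted(set(grant.scopes) & HIGH_PRIVILEGE_SCOPES)
    if grant.consent_type == "user":
        issues.append("granted by end-user consent; should go through admin approval")
    if not grant.publisher_verified:
        issues.append("publisher is not verified")
    if risky:
        issues.append("high-privilege scopes: " + ", ".join(risky))
    stale = grant.last_used is None or (today - grant.last_used).days > STALE_AFTER_DAYS
    if stale:
        issues.append(f"not used in the last {STALE_AFTER_DAYS} days")
    if grant.assigned_users == 0:
        issues.append("no users assigned")

    # Stale grants and unverified apps holding privileged scopes go straight to revocation.
    if stale or (not grant.publisher_verified and risky):
        action = "revoke"
    elif issues:
        action = "review"
    else:
        action = "ok"
    return action, issues


def review_grants(grants: List[Grant], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Triage every grant; apps that pass cleanly are omitted from the report."""
    report: Dict[str, Tuple[str, List[str]]] = {}
    for g in grants:
        action, issues = triage(g, today)
        if action != "ok":
            report[g.app_name] = (action, issues)
    return report


def sample_report() -> Dict[str, Tuple[str, List[str]]]:
    """Run the review over a constructed tenant's grants."""
    today = date(2026, 3, 1)
    grants = [
        Grant("Calendar Sync", True, "admin", ["Calendars.Read"], today - timedelta(days=3), 40),
        Grant("Mail Helper", False, "user", ["Mail.ReadWrite", "offline_access"], today - timedelta(days=10), 1),
        Grant("Old Reporting Tool", True, "admin", ["Files.Read.All"], today - timedelta(days=200), 5),
        Grant("Ticket Bot", True, "user", ["User.Read"], today - timedelta(days=5), 12),
    ]
    return review_grants(grants, today)


if __name__ == "__main__":
    for app, (action, issues) in sample_report().items():
        print(f"{action.upper():7} {app}: {'; '.join(issues)}")
```

Feeding this from a real tenant means exporting service principals and their delegated or application permission grants, together with sign-in activity per app, and mapping those fields onto the Grant record.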
4. Endpoint Protection and Patching
Deploy EDR or XDR across all workstations, servers, and supported mobile devices without exception. Partial EDR coverage is treated the same as no EDR coverage by most underwriters because the gap is where attackers go.
Define and enforce patch SLAs: critical vulnerabilities patched within days, remote access tooling and known-exploited issues within hours when active exploitation is observed. Track your median and 95th percentile days-to-remediation and bring those numbers to renewal.
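Bringing median and 95th percentile days-to-remediation to renewal requires computing them from a vulnerability ledger, so here is an added example (not from this post) that does that over a constructed set of findings and also lists every SLA breach, including findings that are still open past their deadline. The SLA hours follow the intent of the paragraph above (hours for remote-access tooling and known-exploited issues, days for other criticals), but the exact numbers and the placeholder vulnerability identifiers are assumptions.

```python
"""Added example: patch SLA tracking from a constructed vulnerability ledger.

SLA_HOURS encodes the post's intent (hours for remote-access tooling and
known-exploited issues, days for other criticals); the exact numbers and the
sample findings are assumptions, not values from the post.
"""
from dataclasses import dataclass
from datetime import datetime
from math import ceil
from statistics import median
from typing import Dict, List, Optional

SLA_HOURS = {
    "remote_access": 24,   # RMM / remote access tooling
    "kev": 24,             # known-exploited, active exploitation observed
    "critical": 72,
    "high": 7 * 24,
}


@dataclass
class Finding:
    vuln_id: str           # placeholder identifiers; real CVE IDs would go here
    host: str
    sla_class: str
    detected: datetime
    remediated: Optional[datetime]   # None = still open


def hours_open(f: Finding, now: datetime) -> float:
    """Hours from detection to remediation, or to now for open findings."""
    end = f.remediated or now
    return (end - f.detected).total_seconds() / 3600.0


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile; pct in (0, 100]."""
    ordered = sorted(values)
    rank = max(1, ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def sla_report(findings: List[Finding], now: datetime) -> Dict[str, object]:
    """Median / p95 days-to-remediate for closed findings plus all SLA breaches (open or closed)."""
    closed = [hours_open(f, now) for f in findings if f.remediated]
    breaches = [f.vuln_id for f in findings if hours_open(f, now) > SLA_HOURS[f.sla_class]]
    return {
        "median_days": round(median(closed) / 24.0, 2) if closed else None,
        "p95_days": round(percentile(closed, 95) / 24.0, 2) if closed else None,
        "open": sum(1 for f in findings if f.remediated is None),
        "breaches": breaches,
    }


def sample_report() -> Dict[str, object]:
    """Constructed ledger: five findings across four SLA classes, one still open."""
    d = datetime
    findings = [
        Finding("VULN-PLACEHOLDER-1", "srv-01", "critical", d(2026, 3, 1), d(2026, 3, 3)),
        Finding("VULN-PLACEHOLDER-2", "ws-07", "kev", d(2026, 3, 5), d(2026, 3, 7)),
        Finding("VULN-PLACEHOLDER-3", "rmm-01", "remote_access", d(2026, 3, 8), d(2026, 3, 8, 6)),
        Finding("VULN-PLACEHOLDER-4", "ws-09", "high", d(2026, 3, 2), None),
        Finding("VULN-PLACEHOLDER-5", "srv-02", "critical", d(2026, 3, 4), d(2026, 3, 9)),
    ]
    return sla_report(findings, now=d(2026, 3, 10))


if __name__ == "__main__":
    print(sample_report())
```

Open findings are deliberately counted as breaches once they pass their deadline: a metric that only looks at closed tickets hides exactly the backlog an underwriter will ask about.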
Use CIS Controls Implementation Group 1 and 2 as a baseline for asset inventory, secure configuration, vulnerability management, and malware defenses. Implement application control for admin tools and scripts.
5. Backups That Survive Ransomware
Follow the 3-2-1-1-0 principle: three copies of data, two different media types, one offsite, one immutable or air-gapped, zero untested restores.
Use object lock or WORM storage features where available to enforce immutability. Test restores quarterly against real recovery time and recovery point objectives. Document the results. A backup configuration that has never been tested is treated as a gap by underwriters, and rightly so.
6. Logging and Detection That Responders Can Use
Centralize and retain the logs that tell the story when an incident occurs. The minimum set:
- Identity logs: authentication events, MFA changes, privilege changes
- Email logs: delivery, impersonation detections, rule and forwarding changes
- Endpoint and EDR telemetry
- RMM and admin action logs: script runs, tool deployment, session starts and ends
- Firewall and VPN or Zero-Trust access logs
- SaaS admin and audit logs: app-consent changes, mailbox permissions, file-sharing policy changes
Target approximately 12 months of searchable retention where feasible. At minimum, meet your regulatory obligations and your incident response partner’s requirements. Alert on consent grants, privilege changes, mailbox rule modifications, anomalous sign-ins, and new remote-access tools appearing in the environment.
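The alerting list in the paragraph above maps directly onto a handful of detection rules. As an added example (not from this post and not any SIEM's rule syntax), the script below runs four of them over constructed JSON log lines: an OAuth consent grant, a privileged role assignment, a mailbox rule that forwards or deletes mail, and a remote-access binary that is not on the approved list. The field names, operation names, domains and paths form a simplified schema invented for the example; the approved-tool allowlist is an assumption.

```python
"""Added example: four detection rules from section 6 run over constructed log lines.

The JSON field names and operation names are a simplified schema invented for
this example, not any product's real log format; domains and paths are placeholders.
"""
import json
from typing import Callable, Dict, List, Optional

# Assumed allowlist of remote-access binaries the RMM legitimately installs (basename, lowercase).
APPROVED_REMOTE_TOOLS = {"agent.exe"}
# Inbox rule parameters that move mail out of the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

SAMPLE_LOGS = r"""
{"source":"identity","operation":"ConsentToApplication","actor":"bob@example.test","target":"Mail Helper","scopes":["Mail.ReadWrite","offline_access"]}
{"source":"identity","operation":"AddMemberToRole","actor":"helpdesk@example.test","target":"eve@example.test","role":"Global Administrator"}
{"source":"identity","operation":"UserLoggedIn","actor":"alice@example.test","result":"success"}
{"source":"email","operation":"New-InboxRule","actor":"carol@example.test","params":{"ForwardTo":"someone@external.test","DeleteMessage":true}}
{"source":"email","operation":"New-InboxRule","actor":"dave@example.test","params":{"MoveToFolder":"Receipts"}}
{"source":"edr","operation":"ProcessStart","host":"WS-17","image":"C:\\Users\\x\\Downloads\\remote-helper.exe","tags":["remote-access"],"signed":false}
{"source":"edr","operation":"ProcessStart","host":"WS-17","image":"C:\\Program Files\\ApprovedRMM\\agent.exe","tags":["remote-access"],"signed":true}
{"source":"identity","operation":"AddMemberToRole","actor":"admin@example.test","target":"frank@example.test","role":"Reports Reader"}
"""


def rule_consent_grant(e: dict) -> Optional[str]:
    if e.get("operation") == "ConsentToApplication":
        return f"OAuth consent to '{e['target']}' by {e['actor']} with scopes {e.get('scopes', [])}"
    return None


def rule_privileged_role(e: dict) -> Optional[str]:
    if e.get("operation") == "AddMemberToRole" and "Administrator" in e.get("role", ""):
        return f"{e['actor']} added {e['target']} to {e['role']}"
    return None


def rule_mailbox_forwarding(e: dict) -> Optional[str]:
    if e.get("operation") == "New-InboxRule":
        params = e.get("params", {})
        if FORWARDING_PARAMS & set(params) or params.get("DeleteMessage"):
            return f"{e['actor']} created an inbox rule that forwards or deletes mail: {params}"
    return None


def rule_unapproved_remote_tool(e: dict) -> Optional[str]:
    if e.get("operation") == "ProcessStart" and "remote-access" in e.get("tags", []):
        basename = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename not in APPROVED_REMOTE_TOOLS or not e.get("signed", False):
            return f"unapproved or unsigned remote-access tool {basename} on {e['host']}"
    return None


RULES: Dict[str, Callable[[dict], Optional[str]]] = {
    "oauth_consent_grant": rule_consent_grant,
    "privileged_role_assignment": rule_privileged_role,
    "mailbox_forwarding_rule": rule_mailbox_forwarding,
    "unapproved_remote_access_tool": rule_unapproved_remote_tool,
}


def run_detections(raw: str) -> List[Dict[str, str]]:
    """Parse newline-delimited JSON and return one alert per (event, matching rule)."""
    alerts: List[Dict[str, str]] = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for name, rule in RULES.items():
            message = rule(event)
            if message:
                alerts.append({"rule": name, "source": event["source"], "message": message})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOGS):
        print(f"[{alert['rule']}] {alert['message']}")
```

Two of the sample lines are deliberately benign (a rule that only files receipts, and the signed RMM agent from its install path) so the rules show what they do not fire on, which is the part that keeps an alert stream usable by responders.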
7. Internet-Exposed Attack Surface
Eliminate exposed RDP and management interfaces entirely. Put admin portals and sensitive applications behind VPN or Zero-Trust with phishing-resistant MFA and device compliance checks.
Scan your public footprint regularly. Alert on new services appearing in your external attack surface and certificate changes. Enforce strong DNS, TLS, and email authentication including SPF, DKIM, and DMARC at enforcement level.
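"Enforcement level" for email authentication is a property you can check from the DNS records themselves. The following is an added example (not from this post) that parses constructed SPF, DKIM and DMARC TXT records and reports whether the domain is actually enforcing: SPF must be valid and within the ten-lookup limit, the DKIM selector must carry a public key, and DMARC must be p=quarantine or p=reject applied to 100% of mail. The sample records and domain names are placeholders; in practice they would come from a DNS resolver.

```python
"""Added example: offline check that SPF, DKIM and DMARC records are at enforcement level.

The TXT records below are constructed; in practice you would fetch them with a
DNS resolver. Only record syntax is assessed, not live mail flow.
"""
import re
from typing import Dict, List

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect"}
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'k=v; k=v' style DKIM/DMARC records into a dict (keys lowercased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(record: str) -> Dict[str, object]:
    terms = record.split()
    result: Dict[str, object] = {"valid": bool(terms) and terms[0].lower() == "v=spf1", "lookups": 0, "all": "missing"}
    for term in terms[1:]:
        qualifier, body = "+", term
        if term[0] in SPF_QUALIFIERS:
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            result["lookups"] += 1          # each of these costs a DNS lookup
        elif name == "all":
            result["all"] = SPF_QUALIFIERS[qualifier]
    result["too_many_lookups"] = result["lookups"] > 10   # RFC 7208 limit
    return result


def assess_dkim(record: str) -> Dict[str, object]:
    tags = parse_tags(record)
    # An empty p= tag means the key was revoked; a missing selector record would be caught upstream.
    return {"valid": tags.get("v", "DKIM1").upper() == "DKIM1", "key_present": bool(tags.get("p"))}


def assess_dmarc(record: str) -> Dict[str, object]:
    tags = parse_tags(record)
    policy = tags.get("p", "none").lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    return {
        "valid": tags.get("v", "").upper() == "DMARC1" and policy in {"none", "quarantine", "reject"},
        "policy": policy,
        "pct": pct,
        "has_rua": "rua" in tags,
        "enforced": policy in {"quarantine", "reject"} and pct == 100,
    }


def assess_domain(spf: str, dkim: str, dmarc: str) -> Dict[str, object]:
    """Combine the three checks into an overall enforced flag plus human-readable findings."""
    s, k, d = assess_spf(spf), assess_dkim(dkim), assess_dmarc(dmarc)
    findings: List[str] = []
    if not s["valid"]:
        findings.append("SPF record missing or not v=spf1")
    if s["too_many_lookups"]:
        findings.append(f"SPF exceeds 10 DNS lookups ({s['lookups']}); receivers will permerror")
    if s["all"] != "fail":
        findings.append(f"SPF 'all' mechanism is {s['all']}, not -all")
    if not k["key_present"]:
        findings.append("DKIM selector has no public key (p tag empty or missing)")
    if not d["valid"]:
        findings.append("DMARC record missing or malformed")
    elif not d["enforced"]:
        findings.append(f"DMARC not at enforcement: p={d['policy']}, pct={d['pct']}")
    if not d["has_rua"]:
        findings.append("DMARC has no rua= aggregate reporting address")
    enforced = bool(s["valid"]) and not s["too_many_lookups"] and bool(k["key_present"]) and bool(d["enforced"])
    return {"enforced": enforced, "findings": findings, "spf": s, "dkim": k, "dmarc": d}


def sample_assessments() -> Dict[str, Dict[str, object]]:
    """Three constructed domains: fully enforced, monitoring only, and partially rolled out."""
    return {
        "good.example.test": assess_domain(
            "v=spf1 include:_spf.example.test -all",
            "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.test"),
        "monitoring.example.test": assess_domain(
            "v=spf1 include:_spf.example.test -all",
            "v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEY",
            "v=DMARC1; p=none; rua=mailto:dmarc@example.test"),
        "partial.example.test": assess_domain(
            "v=spf1 include:a.example.test include:b.example.test ~all",
            "v=DKIM1; p=",
            "v=DMARC1; p=quarantine; pct=50"),
    }


if __name__ == "__main__":
    for domain, a in sample_assessments().items():
        print(domain, "ENFORCED" if a["enforced"] else "NOT ENFORCED", a["findings"])
```

A soft-fail SPF (~all) is reported as a finding but does not by itself clear the enforced flag, because with DMARC at p=reject the DMARC policy, not the SPF qualifier, decides what receivers do with a failing message.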
Quick Audit Checklist
Use this with your PSA or RMM to verify current state:
- Phishing-resistant MFA enforced for admins, remote access, email, and RMM
- PIM or JIT configured with zero standing global admins
- RMM hardened: install controls, SSO plus MFA, no Domain Controllers, approvals, alerting or session recording
- App consent locked down and legacy authentication disabled
- EDR or XDR on all endpoints and servers with patch SLAs defined and met
- Backups follow 3-2-1-1-0 with quarterly restore tests documented
- Central logging with approximately 12 months retention and alerting on identity and RMM events
- No exposed RDP or admin portals, and regular external scans in place
Cyber Insurance Alignment
Underwriters are increasingly asking for evidence of the controls above before binding or to remove sublimits. Maintain an evidence pack with current MFA and Conditional Access policy screenshots, PIM configuration exports, app-consent review records, backup configurations and restore test results, and sample alert policies.
Strong documentation shortens the underwriting process and strengthens your negotiating position at renewal. For the full underwriting controls framework, see the Cyber Insurance Requirements Checklist for SMBs and MSPs.
SeedPod Cyber specializes in cyber and Tech E&O coverage for businesses of all sizes. Contact us for a coverage review or quote.