MikroTik Winbox Security
MikroTik's Winbox application is one of the best router management interfaces I've ever worked with. It's my go-to interface over Webfig any day, though a lot of what I do happens at the command line. For those of us using Winbox day-to-day to manage client devices, WISP infrastructure, etc., there are some security precautions that need to be taken. If we aren't careful about how we use Winbox it adds risk to our network, and if it's managed poorly it can expose router and switch credentials.
First, we need to make sure that Winbox is updated. Second, we need to understand how saved credentials can be used smartly. Third, we need to implement best practices for managing credentials in Winbox overall.
It's a best practice all around to run the latest stable, supported software. This is true for RouterOS, and it's also true for Winbox. MikroTik has built an updater into Winbox, so checking for updates regularly is easy: open Winbox, then click Tools and Check for Updates.
I do this about once per month, just in case a new version has been released that patches security holes or adds new functionality.
We can store device connection profiles in Winbox to make reconnecting to them easy. Unfortunately this can lead to some bad credential management practices. Entering the IP address or hostname, login, and password and then clicking the Add/Set button saves our credentials.
Anyone who walks up to the computer with Winbox open can double-click a managed host entry and it will log them in. We can set a Master Password that must be entered before the managed host entries are shown. Simply click Set Master Password and enter a password twice.
Now when Winbox opens it will prompt for the master password before giving us access to the managed host entries.
Of course, if the computer running Winbox is left unattended after the master password has been entered it doesn't do us any good, so locking the computer is a must. After saving a bunch of managed host profiles many MikroTik administrators export the list for backup purposes. I've seen some MSPs that manage MikroTik devices for their customers share the exported file among their employees. While this might be convenient, it opens a can of security worms for customers that have to be PCI DSS or HIPAA compliant. Exporting our managed host credentials is done by clicking Tools then Export.
The exported .WBX file contains all of our login information, which makes it easy to restore the saved entries in Winbox if they are lost. That is also what makes it dangerous: the export is not encrypted. Opening it in a more capable text editor such as Notepad++ shows our IP addresses or hostnames, usernames, and passwords as plain strings.
By unchecking the Keep Password box we can prevent Winbox from saving or exporting the password for an individual managed host entry. Using Tools - Export Without Passwords leaves the password out for every managed host, so it's the more secure option. It still exports the addresses and usernames, though, which is enough for an attacker to kick off a password-guessing attack against those routers. Restricting the winbox service on each router to your management addresses (/ip service set winbox address=... in RouterOS) limits where such guessing can come from.
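To make the plaintext problem concrete, here is an added example (not code from the original post or from MikroTik) that does by script what opening the export in Notepad++ does by eye: it pulls every printable string out of a binary file, picks out the entries that look like router addresses, and checks whether any of a list of known passwords appears verbatim. The sample bytes are constructed to mimic an export whose unencrypted fields are separated by type and length bytes; they are not the real .WBX layout, and the scan does not depend on that layout, only on the fields being unencrypted.

```python
"""Audit a Winbox managed-host export for plaintext credentials.

Added example, not from the original post. It does what `strings` or a hex
editor would: recover printable runs from a binary file. SAMPLE_EXPORT is a
constructed stand-in for an export and is NOT the real .WBX layout.
"""
from __future__ import annotations

import ipaddress
import re
from collections.abc import Iterable

# Constructed sample: a type byte, a length byte, then the unencrypted field.
# Two entries: one router reached by IP, one by hostname, both with a login
# and password stored in clear.
SAMPLE_EXPORT: bytes = (
    b"\x01\x0c192.168.88.1\x00\x05admin\x00\x0cSup3rSecret!\x00"
    b"\x01\x0frouter2.example\x00\x05admin\x00\x09Wisp#2024\x00"
)

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return every run of at least min_len printable ASCII bytes, in order.

    This is all the 'decoding' an unencrypted export needs: the type and
    length bytes are non-printable, so they act as field separators.
    """
    found: list[str] = []
    run: list[str] = []
    for b in data:
        if 0x20 <= b < 0x7F:          # printable ASCII, space through '~'
            run.append(chr(b))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:           # the file may not end with a separator
        found.append("".join(run))
    return found


def looks_like_host(s: str) -> bool:
    """Heuristic: an IPv4/IPv6 literal or a dotted hostname."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(s))


def find_leaked_secrets(data: bytes, secrets: Iterable[str]) -> list[str]:
    """Return the known passwords that appear verbatim in the file.

    Run this against an export with your real credentials before sharing or
    backing it up: any hit means the file carries a usable password.
    """
    return [s for s in secrets if s.encode() in data]


def audit_export(data: bytes, known_secrets: Iterable[str] = ()) -> dict:
    """Group the recovered strings into hosts and other fields, plus leaks."""
    strings = extract_strings(data)
    return {
        "hosts": [s for s in strings if looks_like_host(s)],
        "other_fields": [s for s in strings if not looks_like_host(s)],
        "leaked_secrets": find_leaked_secrets(data, known_secrets),
    }


if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT, known_secrets=["Sup3rSecret!", "Wisp#2024"])
    for host in report["hosts"]:
        print("managed host:", host)
    print("other strings (logins and passwords):", report["other_fields"])
    print("known passwords present in clear:", report["leaked_secrets"])
```

The host classification is only a heuristic (a password containing a dot would be binned as a host), but that is beside the point: nothing in the script decrypts anything, because there is nothing to decrypt. Pointing it at a real export with the passwords you actually use is a quick check that an export you are about to share does not carry them.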
I recommend that these best practices be followed when storing credentials in Winbox:
- On computers with credentials stored in Winbox, lock the screen when stepping away.
- Set a Master Password that must be entered before accessing the managed host entries.
- Don't include passwords when exporting the managed host list.
- Don't share the .WBX export file with others.
- If you must have passwords in the exported .WBX file, encrypt it with a strong passphrase (for example as a GPG-encrypted file or a password-protected archive) and never send the passphrase alongside the file.
- For traveling laptops and tablets with credentials stored in Winbox, encrypt the entire drive in case of theft.