WHITE PAPER: ENTERPRISE SECURITY. Secure Remote Control for IT Support Organizations

Transcription

1 WHITE PAPER: ENTERPRISE SECURITY Secure Remote Control for IT Support Organizations

2

3 White Paper: Enterprise Security Secure Remote Control for IT Support Organizations Contents Executive summary Security concerns limit acceptance of remote control software Remote control software as a help desk tool Financial benefits of remote control software Security concerns with remote control software Security requirements of remote control software Authentication Authorization and access control Perimeter and data transfer security Administration Symantec pcanywhere 12.0 provides secure remote control A wide range of existing security features prevent unauthorized connections Encryption tools protect data transmission New security features Centralized administration tools identify security risks Reduced open firewall ports Expanded cross-platform support Conclusion

4 Executive summary Information technology (IT) professionals today are expected to support a growing number of users, many working remotely, who are using increasingly complex hardware and software systems. At the same time, IT budgets are being curtailed. Support organizations need a way of effectively handling the increased workload. Remote control software, which allows a help desk technician to assume control of a user s PC or an unattended server over a network, has proven to be a cost-effective way of providing remote support. With remote control software, call time is reduced and first-call resolution is improved, allowing the help desk to handle more calls with the same number of, or even fewer, help desk technicians. Upgrades, conversions, and installations can be handled uniformly throughout the organization. And timely, accurate problem resolution results in greater customer satisfaction with the support process. While the benefits are significant, some organizations have expressed concern that remote control software could expose data on individual PCs or the corporate network to unauthorized use. Addressing security requirements in the areas of authentication, authorization and access control, perimeter and data transfer security, and administration could allay these concerns. This paper examines how remote control products provide a cost-effective help desk tool and defines necessary security requirements for these products. The paper then outlines the features of Symantec pcanywhere 12.0, Symantec s remote control solution. Symantec pcanywhere 12.0 is the world s leading remote control solution with powerful file transfer and remote management capabilities that allow IT staff to remotely manage Windows as well as Linux and Mac systems. Both platforms can also be managed from a Java -enabled Web browser. pcanywhere Mobile also enables access to a pcanywhere host from a Microsoft Pocket PC over any TCP/IP connection, wired or wireless. The bandwidth auto-detect feature automatically helps to optimize the performance of pcanywhere over all types of connections. Microsoft Windows Preinstallation Environment is also supported. 4

5 Security concerns limit acceptance of remote control software IT professionals today are faced with the challenge of supporting more users, while reducing support costs. The increasing complexity of PC software, hardware, and networks, as well as the growing number of users accessing the network from remote locations, complicates these requirements. Value-Added Resellers (VARs) also need a way of delivering support services to their customers, while reducing travel expenses. As a solution to these needs, remote control software has evolved from a remote access product into a cost-effective support tool that simplifies troubleshooting and problem resolution. Examining this solution, this section addresses the following: Remote control software as a help desk tool The financial benefits of remote control software Security concerns with remote control software Remote control software as a help desk tool Help desk technicians typically attempt to troubleshoot and resolve support problems over the telephone. Because directions must be given and received verbally, this can be a time-consuming and frustrating experience for both users and technicians. Users eagerly seek resolution of the problem and consider any time they spend on the phone troubleshooting as time away from important tasks. Help desk technicians may not clearly understand problems as described by nontechnical users. Complicating the process, with the flexibility of today s desktop software, users configure their screens to match their personal work style. Hence, technicians and users may not be viewing the same screens while discussing the problem. Often a single problem requires multiple calls or, when a problem cannot be resolved over the phone, a technician may be dispatched to the user s site a time-consuming and expensive solution even when the user is down the hall. Remote control software removes the user from the support transaction by enabling the technician to assume control of a user s PC over the network. The technician works with the PC as if it was local and sees directly what is happening on the user s computer screen. The corresponding boost in support productivity means that each help desk technician can handle a higher volume of calls. Staffing requirements may be reduced, and user satisfaction with the help desk function increases. Remote control software also facilitates remote training, in which users learn by example. 5

6 Like the internal help desks, VARs and other organizations that provide customer support benefit from remote control software. For example, a VAR may include a copy of Symantec pcanywhere along with each copy of its accounting solution. When a customer reports a problem, the VAR can provide quality telephone support without the need to dispatch a service representative to the customer s site. This speeds problem resolution and improves the customer satisfaction with the support process. It also reduces travel expenses and allows VARs to concentrate on their core business. At larger VARs, the sales organization can spend more time selling, and the technical organization can spend more time developing and enhancing products. At smaller VARs, where the sales organization and technical organization may be a single person, a shorter support call directly increases the time that the VAR can spend developing new business. Remote control software is also used to diagnose and solve problems on servers. For example, banks and other financial institutions need 24-hour access to their databases to rapidly resolve problems that may arise. In addition to problem troubleshooting and resolution, remote control software allows help desk organizations and VARs to efficiently install, configure, and upgrade software for local and remote PCs, as well as servers. This facilitates creation and maintenance of a standard computing environment, which in turn is easier to support. The Help Desk Institute identified upgrades, conversions, and installations as one of the top three reasons for increased help desk calls and call length. 1 The other two reasons are additional customers and newer, more complex technologies. Due to the scalability of remote control software, this support solution is appropriate for any size corporation, as well as VARs with local, regional, or national distribution. In each case, the organization benefits from avoiding the hiring of dedicated support personnel at a remote location, or by not incurring the travel expense of dispatching a support technician to the remote site. Financial benefits of remote control software According to International Data Corporation (IDC), the worldwide market for remote control/remote access software will grow from $284.2 million in 2004 to $312 million in Enhanced security features and support for more platforms such as mobile devices, Mac OS X, and Linux will help sustain this large market. 2 The benefits of remote control software can be significant, lowering annual help desk costs by 6 to 13 percent. Cost savings result from reducing the size of help desk support staff, solving problems more rapidly and with fewer repeat calls. For example, Forrester Research, Inc., found that an organization with 20,000 end users and a $2.9 million help desk budget could save approximately $338,000 through the use of desktop remote control software. 3 Savings are based 1 Doherty, Sean, Helpdesk Salvation, Network Computing, April 2, Drake, Stephen D, Worldwide Remote Control Software , Forecast and 2004 Vendor Shares, IDC Report #33763, August High-impact measures for improving help desk efficiency, eweek, February 17,

7 on improving first-call resolution by 7 percent and cutting five help desk technicians. The scenario assumes an annual salary of $59,000 per call-taker, $81,000 per desk-side technician, and $68,000 per network administrator. Security concerns with remote control software Although remote control software provides a powerful tool for help desk support, it also raises security issues. Without proper security features, remote access software could expose data on individual PCs and the corporate network to unauthorized use, potentially disclosing trade secrets, confidential personnel records, and financial information. As the number of remote users grows, maintaining security becomes even more of a challenge. More and more employees are now working from home on a regular basis, in addition to branch office workers and traveling employees who also require remote help desk support. 4 Security requirements of remote control software To maintain the security of an organization s data and network resources, remote control software should support the existing network security infrastructure, including both networkand desktop-based security. Integrating with the security system already in place leverages the company s investment, reduces the cost of managing security for remote control sessions, and simplifies management. Most importantly, such integration enables enterprises to confidently deploy and realize the benefits of remote control software without concerns of adverse security impacts. Remote control software should support security requirements in the following areas: Authentication Authorization and access control Perimeter and data transfer security Administration Authentication Although no authentication technique is foolproof, requiring the use of passwords or other forms of authentication before a remote session commences discourages unauthorized access. In addition, such authentication approaches prevent users from inadvertently launching an unprotected host session. In evaluating a remote control product, it is important to establish that the product supports authentication methods that the organization is already using. Support of multiple, standard authentication methods allows the IT staff to leverage existing user name/password lists. 4 Wilde, Candee, Telework Programs Speed Up: High-speed access technologies like cable modems and DSL give telecommuting a lift, Internet Week, April 17,

8 Authorization and access control With remote control software, authorization or access control involves remote access by a user to a PC, remote access of a shared directory, or help desk technician access to the PCs of all supported users. Remote control software should be able to limit access to computers within a specific subnet or to specific TCP/IP addresses. Another effective way to block unauthorized access is by embedding a serialization code into the host and remote portions of the remote control product. For example, a Symantec pcanywhere host that has been serialized will only accept connections from a remote computer with the same serialization number. If the serialization number does not exist, the connection cannot be established. A company can utilize the same serialization code throughout their organization to effectively prevent someone from connecting with a standard retail version of the remote control software. In support situations, the host user should be able to confirm or deny access. When using a modem connection, callback capabilities, in which the host disconnects the call and then calls the remote back on a pre-entered phone number, help to prevent unauthorized access. In addition to protecting workstations and servers from remote access, the system should include desktop security features such as monitor and keyboard locking that protect an unattended host or server during remote control sessions. Disabling the host screen ensures privacy during remote control sessions in which a user is not present. The help desk technician uses the remote to connect to a host on the end user s computer. This allows the technician to assume control of the host computer and solve the problem. pcanywhere Remote Data Encryption pcanywhere encoding option Symmetric or asymmetric (public key) RC4 or AES algorithms (up to 256-bit) FIPS validated AES encryption module Default login encryption pcanywhere Host Integrity checking 13 authentication methods Serialization Specified IP address range Host address blocking Time-of-day restrictions View-only option Figure 1. Symantec pcanywhere offers extensive security options and features. Multiple encryption options facilitate protection of the data stream between host and remote. Target elimination of unauthorized connections using serialzation, IP screening and 13 different authentication methods. Integrity checking can also be used to prevent tampering with the pcanywhere host. 8

9 Perimeter and data transfer security Remote control software should support virtual private network (VPN) technology to permit secure Internet connections through a firewall, as well as over a corporate intranet. This allows organizations to provide remote access without jeopardizing security. The VPN client should operate transparently, prompting for authentication credentials whenever the user attempts to penetrate a firewall. The system should be able to disallow telephone connections and require that remote control sessions occur only through a direct network connection. Securing the data stream in transit during remote control sessions is as important as preventing unauthorized access. The data control software should support encryption services such as the Microsoft Crypto API (application program interface) and public key encryption to prevent eavesdroppers or hackers from intercepting and/or altering data during transmission. Administration If the remote control software integrates with existing authentication systems, the administrator maximizes efficiency and reduces costs by avoiding creation and management of a separate database of user IDs and passwords. For example, if an employee leaves the company, the administrator can delete that person s user ID from the central user database, preventing that user from accessing network resources. Integration of the remote control software with enterprise network management solutions such as Microsoft Systems Management Server, Tivoli NetView, and C A is often desirable. Integrated messaging allows the administrator to manage the remote support solution from the same console used for managing other network resources and provides rapid notification of potential security breaches. Since thorough alerting, logging, and reporting are essential to a secure environment, the remote control software should generate an audit log of all remote control transactions, including disallowed attempts at connection. This enables the administrator to monitor activity and detect unauthorized attempts to access systems. To prevent hackers from altering the log to hide their activities, it is recommended that the log be secured. In addition, generating an SNMP alert whenever a number of unsuccessful attempts to connect to a host PC are detected permits real-time monitoring of suspicious activity from a network management console. Enabling the IT administrator to lock in the security settings of the client remote control software ensures consistency and protects users from inadvertently exposing their systems to unauthorized access. This type of feature also prevents unauthorized users from reconfiguring the software for their own purposes. Remote control software with integrity checking features identifies 9

10 changes that have been made to the binary files since the original installation. If changes are detected, indicating potential rogue installations, the product will not function. Once the binary files have been tampered with, pcanywhere must be reinstalled to resume full function. Symantec pcanywhere offers multiple layers of configurable world-class security options and product features. To protect the data stream between the host and remote, pcanywhere supports symmetric and asymmetric encryption using the RC4 and AES encryption algorithms. In addition, pcanywhere encoding is offered for lower bandwidth connections. Unauthorized connections are eliminated with serialization, IP screening, and 13 different authentication methods. Integrity checking can also be used to prevent tampering with the pcanywhere host. Symantec pcanywhere 12.0 provides secure remote control Technicians can use Symantec pcanywhere to securely diagnose and solve problems on remote servers, desktop computers, and mobile laptop computers all without leaving the help desk. The latest version, Symantec pcanywhere 12.0, includes significant security features in the following areas: Mandatory authentication through 13 supported methods Support for Windows policy Robust security features that prevent unauthorized connections Encryption up to AES 256-bit that protects data transmission FIPS Level 1 validation for the Symantec Cryptographic Module Centralized administration tools to identify security risks and improve efficiency Access restriction by date and time of day Keyboard and mouse control restrictions 10

11 A wide range of existing security features prevent unauthorized connections Symantec pcanywhere requires an authentication method and mandatory password for all host sessions. This prevents users from inadvertently launching an unprotected host session. Symantec pcanywhere 12.0 supports the following 13 authentication methods for Microsoft, Novell, and Web-based environments: RSA SecurID pcanywhere Authentication Windows Authentication NT Domain Active Directory Service (ADS) Novell Directory Services (NDS) Novell Bindery Services Microsoft Lightweight Directory Access Protocol (LDAP) Novell LDAP Netscape LDAP FTP HTTP HTTPS RSA SecurID support provides a two-factor authentication process. This model presents the legitimate user with a security code that changes every 60 seconds. This code is displayed on a key fob/token that the user carries. This code must be combined with a user-remembered PIN to complete the authentication. The RSA SecurID solution may be of particular interest to the federal government and financial industry. For Windows policy support, by leveraging Windows policy management, administrators can control which pcanywhere components the end user can modify and access. By limiting the capabilities that end users have, administrators are better equipped to enforce their organization s security policies. One of the best ways to ensure security when remote control software is installed is to restrict connections from outside the organization. Symantec pcanywhere provides multiple ways to accomplish this objective: (1) limitation of connections to a specific TCP/IP address range and (2) serialization. 11

12 TCP/IP address range: Symantec pcanywhere hosts can be configured to accept only TCP/IP connections that are within a specified subnet or limited to specific TCP/IP addresses, enabling restriction of connections to employees. Serialization: IT professionals can embed a security code into the Symantec pcanywhere host and remote object executables. This security code must be present on both ends before a connection can be established. By limiting connections to their serialized copies of Symantec pcanywhere, the organization effectively prevents outside access through use of an unauthorized copy of Symantec pcanywhere. In addition, a number of existing security features in Symantec pcanywhere 12.0 prevent unauthorized users from connecting to or abusing connections to the host. Callback security for dial-up connections: In a typical Symantec pcanywhere session, the remote PC connects to the host, and the session begins. When callback is enabled, the remote PC calls the host, but the host drops the connection before returning the call at a specified phone number. Prompt to confirm connection: This security feature prompts the host to permit or reject the connection with the remote caller. When this feature is enabled, users are aware whenever a remote connection is being established. Login restrictions: Symantec pcanywhere allows host users to limit the number of times a remote user can attempt to log in during a single session. In addition, hosts can limit the amount of time permitted for a remote user to complete a login. Restrict connections after abnormal end of session: Host users can prevent remote users from reconnecting to the host if the session is interrupted abnormally. Host Address Blocking makes it possible (via user option) to block a certain incoming IP address for a certain length of time after a predetermined number of failed connection attempts. Users are offered a configurable number of attempts and user-configurable time period for the address to be blocked. This is enabled by default. When the Secure Workstation feature is enabled, the host machine will automatically lock (or log off) upon connection, regardless of the user's credentials. If this feature is not enabled, if the logged-in user has a higher level of privileges than the connecting user (e.g., Admin vs. Guest), the host will deny the connection. 12

13 Encryption tools protect data transmission Symantec pcanywhere 12.0 protects the data stream between the host and remote through its support of symmetric and asymmetric encryption using RC4 (up to 128-bit cipher strength) and AES encryption (with all available cipher strengths: 128-bit, 192-bit, and 256-bit). In addition, pcanywhere encoding is offered for lower bandwidth connections. The software s encryption wizard helps users set up public key encryption. Default Login Encryption allows encryption of login information (handshake) by default. The RC4 algorithm is used for this encryption, to ensure backwards compatibility with legacy pcanywhere hosts. AES (or Rijndael), introduced as a National Institute of Standards and Technology (NIST) standard in November 2001, is one of only four symmetric key encryption algorithms approved against the NIST FIPS standard. 5 It is intended to serve as a more secure and more current alternative than its preceding DES and 3DES algorithm standards. AES is exponentially stronger than DES and 3DES, and is generally considered to be faster and less resource-intensive as well. AES has been set as the standard across all pcanywhere 12.0 product components, and provides data encryption at the 128-bit, 192-bit, or 256-bit cipher strengths. The Symantec Cryptographic Module is used in Symantec pcanywhere 12.0 to provide the AES cryptography with its communications encryption. The Symantec Cryptographic Module has received Federal Information Processing Standard (FIPS) 140-2, Level 1 validation from the National Institute of Standards and Technology (NIST). FIPS validation allows products that include the Symantec Cryptographic Module to be deployed by federal agencies, including contracted service providers, and other organizations that require stringent security standards to protect sensitive information. FIPS is also required by federal agencies in Canada, is recognized in Europe and Australia, and is being adopted by many financial institutions worldwide. New security features In order to further safeguard connections to a Symantec pcanywhere host, version 12.0 has added the following new security features: Access restrictions by date and time of day Keyboard and mouse control restrictions 5 National Institute of Standards & Technology, Annex A: Approved Security Functions for FIPS PUB 140-2, Security Requirements for Cryptographic Modules, September

14 Access restrictions by date and time of day let administrators block a user or group of users from connecting to a host computer on certain days or times. This lets administrators control the amount of time that a host computer is available for connections. For example, administrators can block remote users from connecting to a host at certain times after hours in accordance with a corporate security policy. Keyboard and mouse control restrictions let administrators restrict the control of the keyboard and mouse for a specific user or group of users. It provides the option to restrict use of the keyboard and mouse to the host or to restrict usage at the remote computer. The setting can apply to all host sessions for specific callers or can be limited to a specific session. Centralized administration tools identify security risks Symantec pcanywhere 12.0 features several tools that help administrators identify potential security risks. Host Assessment Tool: This enables administrators to visually diagnose the configuration of computer systems and to assess the level of security for each Symantec pcanywhere host s connection. The tool also provides guidance on how to improve security weaknesses. Integrity checking: Integrity checking is a feature in Symantec pcanywhere 12.0 that, when enabled, ensures that Symantec pcanywhere installations remain unchanged. This feature verifies that the host and remote objects, DLL files, executables, and registry settings have not been modified since the original installation. If changes are detected to these files, Symantec pcanywhere will not launch and must be reinstalled to resume full function. For security and auditing purposes, Symantec pcanywhere 12.0 includes support for both local and centralized logging of all files and applications that are accessed on the host during a remote control session. Symantec pcanywhere also logs all remote control activity such as login attempts, file transfers, and session start/end times. Events can be logged to the Symantec pcanywhere log, an NT Event Log, or an SNMP monitor. Screen blanking and keyboard locking: Remote administrators have the option to blank the host screen during a session, as well as lock out the host keyboard and mouse, so that sensitive information is not inadvertently displayed or made accessible to unauthorized persons. 14

15 Reduced open firewall ports New features and add-on products to Symantec pcanywhere 12.0 strengthen an organization s security efforts by reducing the number of firewall ports that an organization must open to establish connections between remote machines and managed hosts. The new features and products include the following: Symantec pcanywhere Access Server Symantec pcanywhere Gateway in Symantec pcanywhere 12.0 Host Invitation feature in Symantec pcanywhere 12.0 Organizations leverage firewalls, DHCP routers, and NAT devices to secure the perimeters of their network infrastructure. However, these security measures can make it difficult for authorized users on remote machines to discover and connect to the hosts that they need to manage. Firewalls can block both discovery and connection attempts by remote machines to managed hosts. NAT devices hide the managed host s IP address, making discovery difficult. Symantec pcanywhere 12.0 can take advantage of Symantec pcanywhere Access Server to resolve discovery and connectivity problems associated with establishing remote control sessions with managed hosts in a manner that lets the user minimize the number of open ports on the firewall and NAT devices. Symantec pcanywhere Access Server overcomes connectivity problems by establishing a reverse connection with managed hosts. Instead of the remote machine attempting to discover the host machine, the host machine is configured with information on how to discover the Symantec pcanywhere Access Server. When the host machine finds the access server, it registers itself with the access server, enabling the access server to mediate a connection between a remote computer and a managed host without the need to open additional ports in the firewall or NAT devices of the network where the host machines reside. To connect to the access server, remote users must supply proper authentication credentials. Additionally, remote users must also provide the hostspecific authentication credentials needed to connect to the host machine. When the Symantec pcanywhere Gateway service is used, it can automatically discover all the host machines running on its local subnet. It can also be configured to identify host machines running on other specified subnets. By using the Symantec pcanywhere Gateway, all connection traffic flowing toward host machines is routed first through the gateway, minimizing the number of ports that need to be opened in an organization s firewall and NAT devices. Access to the gateway is password-protected. Additionally, to further increase security, the gateway computer can be configured so that it is hidden from network search results. 15

16 The Host Invitation feature in Symantec pcanywhere 12.0 also facilitates an organization s ability to establish remote sessions securely. As with the Symantec pcanywhere Access Server, host invitations rely on a reverse connection initiated by a host machine. To implement a host invitation, the user at the remote machine would use the Symantec pcanywhere Manager to create a host invitation that contains the remote s connection settings. The remote user could send the host invitation to the host user via or on a physical medium. The host user would then use that host invitation to initiate the remote session with the remote user. When the remote user accepts the invitation and supplies the proper authentication credentials, the connection can be established, all without the need to open additional ports in the firewall or NAT devices of the network where the host machine resides. Expanded cross-platform support The cross-platform capability in Symantec pcanywhere 12.0 has been expanded to support Mac OS X. With this addition, remote sessions can now be initiated on computers running Windows, Windows Mobile, Linux, and Mac OS. Systems running Windows, Windows Embedded, Linux, or Mac OS can be managed hosts. This cross-platform capability gives administrators the flexibility to remotely control and manage different types of host computers from the remote machines of their choice. Conclusion Remote control software provides internal help desks and VAR support organizations with a cost-effective support tool. By gaining direct access to a user s PC, desktop technicians and other support personnel can quickly diagnose and resolve problems and upgrade remote desktops without leaving their desks. Despite the benefits in terms of increased productivity and reduced support costs for overworked IT departments, some organizations have been reluctant to install remote control products because of the potential security risks. Symantec pcanywhere 12.0 focuses on these security issues and includes new features that help prevent unauthorized access and protect file transfers. With Symantec pcanywhere 12.0, IT organizations can confidently realize the promise of remote control software today. 16

17

18 About Symantec Symantec is the world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. More information is available at For specific country offices and contact numbers, please visit our Web site. For product information in the U.S., call toll-free 1 (800) Symantec Corporation World Headquarters Stevens Creek Boulevard Cupertino, CA USA +1 (408) (800) Copyright 2006 Symantec Corporation. All rights reserved. Symantec, the Symantec logo, and pcanywhere are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Microsoft, Windows, and Windows Mobile are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Java is a trademark or registered trademark of Sun Microsystems, Inc., in the U.S. or other countries. Other names may be trademarks of their respective owners. 05/