Security White Paper The Goverlan Solution



Similar documents
Goverlan Remote Control

Remote Access Platform. Architecture and Security Overview

WebEx Remote Access White Paper. The CBORD Group, Inc.

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Installation and Administration Guide

Networking Best Practices Guide. Version 6.5

2X SecureRemoteDesktop. Version 1.1

introducing The BlackBerry Collaboration Service

System Management. What are my options for deploying System Management on remote computers?

Kaseya Server Instal ation User Guide June 6, 2008

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide

White Paper. Software version: 5.0

Citrix Access Gateway Plug-in for Windows User Guide

Remote Administration

Guidance Regarding Skype and Other P2P VoIP Solutions

Nexio Connectus with Nexio G-Scribe

RSA Authentication Agent 7.1 for Microsoft Windows Installation and Administration Guide

NETWRIX EVENT LOG MANAGER

Windows Remote Access

Quick Start Guide for Parallels Virtuozzo

Web Plus Security Features and Recommendations

Step-by-Step Guide to Setup Instant Messaging (IM) Workspace Datasheet

Configuring and Monitoring SiteMinder Policy Servers

Quick Install Guide - Safe AutoLogon For First-time Users - Installing and Running the Software. Published: February 2013 Software version: 5.

How To Secure An Rsa Authentication Agent

Integrating LANGuardian with Active Directory

Thick Client Application Security

Remote Support Jumpoint Guide: Unattended Access to Computers in a Network 3. Requirements and Considerations to Install a Jumpoint 4.

Netop Remote Control Security Server

Enterprise Self Service Quick start Guide

Setting Up a Unisphere Management Station for the VNX Series P/N Revision A01 January 5, 2010

BlackShield ID Agent for Remote Web Workplace

Symantec AntiVirus Corporate Edition Patch Update

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE

Evaluating the Balabit Shell Control Box

Pearl Echo Installation Checklist

A Guide to New Features in Propalms OneGate 4.0

Monitoring DoubleTake Availability

Internet-based remote support for help desks. Product white paper

NETWRIX IDENTITY MANAGEMENT SUITE

INSTALLATION GUIDE. AXIS Camera Station

VERITAS Backup Exec TM 10.0 for Windows Servers

Secure VidyoConferencing SM TECHNICAL NOTE. Protecting your communications VIDYO

Installation Guide: Delta Module Manager Launcher

Navigating Endpoint Encryption Technologies

PATROL Console Server and RTserver Getting Started

Remote Access Clients for Windows

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

The Desktop Sharing Handbook. Brad Hards

FireSIGHT User Agent Configuration Guide

Unicenter Remote Control r11

Endpoint Security Console. Version 3.0 User Guide

2X ApplicationServer & LoadBalancer Manual

for Networks Installation Guide for the application on the server July 2014 (GUIDE 2) Lucid Rapid Version 6.05-N and later

OneStop Reporting 3.7 Installation Guide. Updated:

How To - Implement Clientless Single Sign On Authentication with Active Directory

Citrix XenApp Manager 1.0. Administrator s Guide. For Windows 8/RT. Published 10 December Edition 1.0.1

ManageEngine Desktop Central Training

Important Notes for WinConnect Server ES Software Installation:

Enterprise Manager. Version 6.2. Installation Guide

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

MIGRATIONWIZ SECURITY OVERVIEW

2 Installing Privileged User Manager 2.3

DameWare Server. Administrator Guide

Global Knowledge MEA Remote Labs. Remote Lab Access Procedure

Installing and Configuring vcenter Multi-Hypervisor Manager

DriveLock and Windows 7

CITRIX 1Y0-A14 EXAM QUESTIONS & ANSWERS

ObserveIT Service Desk Integration Guide

HP A-IMC Firewall Manager

Introduction. PCI DSS Overview

Monitoring MSDynamix CRM 2011

Biznet GIO Cloud Connecting VM via Windows Remote Desktop

SECURELINK.COM ENTERPRISE REMOTE SUPPORT NETWORK

Remote Access and Control of the. Programmer/Controller. Version 1.0 9/07/05

Active Directory Manager Pro Quick start Guide

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

IBM Aspera Add-in for Microsoft Outlook 1.3.2

NETWORK AND INTERNET SECURITY POLICY STATEMENT

Internet-based remote support for help desks

BMC Performance Manager Windows Security White Paper DCOM / WMI

Table of Contents. FleetSoft Installation Guide

Getting Started with ESXi Embedded

Management of Hardware Passwords in Think PCs.

Getting Started Guide for Symantec On-Demand Protection for Outlook Web Access 3.0

Enterprise Knowledge Platform

Maximize the Productivity of Your Help Desk With Proxy Networks Remote Support Software

Deploying BitDefender Client Security and BitDefender Windows Server Solutions

Implementation Guide. Version 10

RSA Authentication Manager 7.1 Basic Exercises

Before deploying SiteAudit it is recommended to review the information below. This will ensure efficient installation and operation of SiteAudit.

visionapp Remote Desktop 2010 (vrd 2010)

Aqua Accelerated Protocol (AAP) For Mac User Manual

Remote Management Reference

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

ShadowLink 2. Overview. May 4, ONLINE SUPPORT emdat.com/ticket/ PHONE SUPPORT (608) ext. 1

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Transcription:

Security White Paper The Goverlan Solution The Goverlan Administration Suite (which includes the following modules: Administration & Diagnostics, Remote Control, Scope Actions, and WMIX) is a powerful remote administration solution. Goverlan as a whole is designed to answer the highest security requirements of any corporate network. The security model and architecture implemented by Goverlan along with its encryption, authentication, and authorization mechanisms are addressed in this document. WWW.GOVERLAN.COM

Contents Overview of Goverlan 3 Stable, Secure & Self-Managed Agent 3 Stable Encrypted & Secure Self-Managed Understanding how Goverlan authorizes a transaction 4 Alternate Credentials Securing Remote Control Access 5 Auditing Remote Control Activities Centralized & Secured Settings Distribution & Auditing 6 Ad-hoc security behavior Centrally Manage Behavior using a GPO Centrally & Securely Manage Behavior and Auditing using the Goverlan Central Server Conclusion 7 Appendix 8 List of Figures 2

Overview of Goverlan Goverlan is a desktop software installed on each operator s machine. Using Goverlan, the operator can perform a comprehensive set of administration tasks on remote machines as well as in Active Directory. It does so by communicating with the Goverlan Service Agent that is installed on each remote machine (this process can be automated by Goverlan). The Goverlan solution allows an operator to perform the following duties with total security: z Perform Active Directory account management. z Perform administrative duties on remote computers silently and without end-user interaction. z Take over a remote computer s screen, keyboard and mouse. Stable, Secure & Self-Managed Agent Goverlan requires an agent on the remote machines in order to be able to perform remote administration tasks. Any new installation of software on a computer is always of great concern to IT administrators as: z It introduces a new unknown that may affect system stability. z A service agent can be corrupted or made unavailable by the end users, rendering remote administration unavailable. z It introduces a new entry point on each remote machine which can be used to compromise a system. These concerns have been design priorities since the inception and ongoing development of Goverlan Agents. Since the production release in 1999, the Goverlan Agents have been installed on computers and business critical servers within large infrastructures with no report of system degradation or any other issues. We realize that we offer a solution to ease IT management tasks and not to burden them by introducing instabilities or security breaches. Stable The Goverlan agents are less than 5MB in size with no external dependencies (for instance the.net framework). The same agent supports all OS(s) from Windows XP to the latest Microsoft operating system (32 & 64 bit architectures). The Goverlan Service (GovSRV8) spends 99% of its time in idle state waiting for requests from a Goverlan operator. Every 30 seconds, it performs a self-cleaning to release unused memory in order to keep a very low footprint. Encrypted & Secure All communications between the Goverlan management console and the Goverlan agents take place via a single TCP port (by default, port 21158) allowing for easy firewall configuration. There is no middle 3

PROCCESSING AUTHENTICATION COMPRESSION ENCRYPTION web-service tier involved between the administrator and the client. To ensure a secure connection and protect against malicious hacking, our communication protocol encrypts all data transmitted between the client and the administrator at the lowest level. Goverlan uses AES 256-bit or RC4 128-bit encryption where supported. Once the data frame is decrypted on the client side, the frame is then securely authenticated using Microsoft SSPI (Security Service Provider Interface). Microsoft s SSPI technology allows clients and servers to establish and maintain a secure channel, provide confidentiality, integrity, and authentication. Using SSPI, Goverlan guarantees the identification of the administrator to the client and impersonates the administrator s credentials locally to authorize the request. Self-Managed The Goverlan Agents are self-managed. You do not need to manually pre-install them on your machines in order to use Goverlan. Installation, maintenance, and removal of agents are automatically performed by Goverlan remotely *. In the event an end user tampers with the agents (service stopped or disabled, files deleted), Goverlan automatically re-installs and initializes the agents, and the administrator can continue with their work. Understanding how Goverlan authorizes a transaction An important aspect of the Goverlan security model is that it uses the native Windows / Active Directory authentication and privileges. No proprietary authentication takes place while executing a task in Active Directory or on a remote machine. Every transaction is performed under the credentials of the Goverlan user (or specified alternate credentials) and is approved/rejected and audited by the native Windows security layer. If a user does not hold the necessary privileges to perform an action, Goverlan simply returns an Access Is Denied message. Essentially, Goverlan does not provide its user with any more privileges than the ones allocated to them in Active Directory. z The installation, update, or removal of the Goverlan agents always requires local administrative privileges on a client machine. z Initiating a remote control session requires local administrative privileges on the remote machine by default (this can be configured). 4 * Remote installation and maintenance of the agents require local administrative privileges and access to administrative shares. Goverlan s authentication and encryption methods apply to communication via the Goverlan protocol only. Goverlan RC supports using alternative connection methods such as Intel vpro, MSRDP, VNC, and Telnet/SSH. Authentication and encryption of these protocols fall outside the scope of the Goverlan security model.

z Active Directory actions are authenticated and approved using the Goverlan operator s native account privileges. z Performing management tasks on a remote machine requires local administrative privileges. Alternate Credentials In the event a Goverlan operator doesn t hold the required privileges to perform an action, alternate credentials can be used. Goverlan can save the provided credentials in an encrypted local database. Alternate credentials can be configured for individual machines, entire IP ranges, or AD domains. Credentials can also be stored for any remote control protocol that Goverlan supports, such as Intel vpro, Telnet/SSH, VNC, and RDP. Securing Remote Control Access Once the Goverlan Agents are installed on your machines, Goverlan operators will be able to initiate remote control sessions. By default, an operator must hold local administrative privileges on a remote machine in order to remote control it. The behavior of Goverlan on the client machine (remote control operating modes) can be configured as follows: z The remote control session is automatically approved, and a visual notification banner is displayed on the client machine. This notification banner provides information about the administrator and allows the end-user to terminate the session or to send a text message to the operator (Figure 1). This is the default behavior. z The end user is prompted to approve the remote control session before it is started (Figure 2). z The remote machine is set into a locked state prior to the start of the remote control session. z Remote control services are disabled on the local machine. z No visual notification is displayed on the end-users machine (Stealth mode). Additional behaviors can be defined after a remote control session is terminated: z Set the machine in a locked state. z Log off the user. z Display a notification message to the end user indicating that the machine was remote controlled. z Send a notification email to someone. Auditing Remote Control Activities Accountability and traceability are essential to a remote administration solution. Goverlan registers an audit trace for every remote control session executed. 5

Goverlan Remote Control audits provide the following information: z The identity of the administrator who initiated the remote control session (login ID) z The name and IP address of the machine from which the remote control session originated. z The identity of the user logged-in to the machine if any. z The start date & time stamp of the remote control session. z The end date & time stamp of the remote control session. z Whether or not the remote control session was in stealth mode. z The protocol used to make the RC connection. Default Auditing By default, Goverlan audit traces are registered locally on the remote machine in two locations: z In the application event log z As proprietary information in the registry (which can be queried remotely via the Goverlan Remote Control and Goverlan Management Console products) Advanced Auditing Centralized and secured auditing can be configured using the Goverlan Central Server (See: Centralized & Secured Settings Distribution and Auditing) Centralized & Secured Settings Distribution & Auditing The behavior to be adopted by the Goverlan solution on the operator and client side is configurable and manageable centrally. Behaviors dictate global configurations such as communication port, remote control session approval modes and notifications, auditing and many other aspects of control. Ad-hoc security behavior The ad-hoc behavior of Goverlan resulting from a default implementation of this solution is neither loose nor overwhelmingly secure. It is configured to answer the security requirements of most environments: z Local administrative privileges are required to install/update the Goverlan agents. z The right to perform Active Directory tasks and remote machine management tasks is granted based on the Windows account s privileges. z Local administrative privileges are required to initiate a remote control session. Once authorized, remote control sessions are automatically approved, and a visual notification banner is displayed on the end-user s screen. z Remote control sessions audits are registered locally on the machines being remote controlled. 6

Centrally Manage Behavior using a GPO To centrally configure and manage the behavior of the Goverlan solution across your infrastructure, you can optionally use the provided Group Policy Administrative Template. The Goverlan GPO allows you to centrally configure every behavioral aspect of Goverlan on the operator and client side. You can additionally use the Goverlan GPO to customize most text displayed on the client machines, enabling you to personalize the user interface to include company or department information. Centrally & Securely Manage Behavior and Auditing using the Goverlan Central Server If the configuration of global settings via a Group Policy Object does not answer your compliance and security requirements, you can implement the Goverlan Central Server. The Goverlan Central Server (GCS) allows you to centrally and securely manage behaviors and auditing. Using the GCS, settings distribution and audit registrations are performed directly from every Goverlan end-point to the Goverlan server using an encrypted channel, bypassing locally configured settings or registry values. These settings and audit traces cannot be tampered with, even by local or domain administrators. Conclusion Goverlan has been designed to fulfill the IT needs of many diverse business cultures while preserving security and integrity. This is done by integrating with the existing security infrastructure instead of adding a proprietary layer of authentication and hosted credential stores. Every piece of communication is encrypted and then authenticated before being processed. Every remote control session is audited and can be traced. Finally, the security settings controlling the behavior of Goverlan can be securely distributed and controlled centrally. We believe that the level of security provided with the implementation of Goverlan will answer all security requirements. If some security concerns have not been addressed by this document, please ask our support department at www.goverlan.com/support. 7

Appendix List of Figures Figure 1: Figure 2: 8

Published by Goverlan, Inc. 2655 S Le Jeune Road S1001 Miami, FL 33134 Copyright 2015 Goverlan, Inc. Goverlan is a registered trademark of Goverlan, Inc. This publication may contain the trademarks and service marks of third parties and such trademarks and service marks are the property of their respective owners. THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS AND SERVICES IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBIL- ITY FOR THEIR APPLICATION OF ANY PRODUCTS AND SERVICES. www.goverlan.com 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information