Symantec pcAnywhere Security Best Practices
|Article:DOC5475|||||Created: 2012-03-27|||||Updated: 2012-10-04|||||Article URL http://www.symantec.com/docs/DOC5475|
This document details the enhanced security changes made in pcAnywhere 12.5 SP4 and pcAnywhere Solution 12.6.7, how key areas of these enhancements work, and some of the steps that users should take to reduce security risks.
SSL handshake and encryption for TCP/IP
TCP/IP connections are now secured with SSL using 256- or 128-bit encryption. A “None” option is also provided to omit encryption; however, data integrity checks are still made.
Symantec recommends using the default 256-bit encryption for optimal security. The 128-bit and “None” options are provided for performance-sensitive secure environments.
pcAnywhere Quick Connect will not connect unless the host is configured for AES 256 encryption.
Self-signed SSL certificates
pcAnywhere uses self-signed SSL certificates. Two key files are used: host.key and host.cer. Host.key contains the private key and Host.cer contains the X.509 certificate that contains the public key. The private key is protected by ACLs that only allow administrators, power users, and SYSTEM to access it.
Warning: The private key file must be protected.
If an unauthorized person gains access to the private key file they may be able to either masquerade as the host or perpetrate a man-in-the-middle (MITM) attack on anyone who attempts to remotely control a host.
If you suspect that the host private key has been compromised, you can generate a new one by completing the following steps:
- Stop the host process.
- Delete the private key file and the certificate file.
- Clear the Trusted Certificate list.
For instructions, see the “Trusted Certificates list” section of this document.
- Restart the host process.
During this process, when the host is started and the key files are not present, a new set is generated automatically.
SSL thumbprint verification
SSL thumbprint verification is used by remote users to validate the authenticity of the host. This verification must be done in order to create a secure connection between the remote and the host and to protect against a MITM attack.
By default, when a remote user attempts to connect to a host via TCP/IP, that user will be presented with a dialog box that displays the thumbprint of the public key of the host. The remote user should match the thumbprint in this dialog box to that of the host.
This thumbprint is not secret. It can be printed, emailed, or communicated over the phone. The thumbprint is stored in the host directory in cert.thumbprint.txt.
If the remote user accepts the host certificate by clicking Accept Always, the host’s public key is stored locally in the Trusted Certificates list and will be accepted automatically for future connections. For more information about the Trusted Certificates list, see the “Trusted Certificates List” section in this document.
A new 256-bit encryption level is now provided for modem communications. Symantec recommends using the new encryption level. Symantec recommends only using lower levels of encryption if security is of less or no importance, though these options may have better performance in some environments.
The security used for modem communication does not include a thumbprint validation step and is therefore susceptible to host impersonation or MITM attacks. To perpetrate one of these attacks, the attacker must be able to actively manipulate signals on the telephone line. If the attacker can only observe the communication on the line, there is no vulnerability.
Accept prompt timeout change during upgrade vs. new install
The default timeout has increased from 10 to 30 seconds.
AES256 is the default encryption level for all connections. Symantec recommends checking the security default settings manually. To check the security default settings, complete the steps in this section.
Also, in the case that you upgraded to pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7, the Prompt to confirm connection setting will not be changed from what you had it set to before the upgrade. To set this setting and to check the other default settings, complete the steps in this section.
- In pcAnywhere, navigate to Host Options > Security Options and select the following settings:
- Prompt when receiving a remote TCP/IP session request - This setting determines if the thumbprint dialog box will appear on the host.
- Prompt to confirm connection - This setting determines if the dialog box is displayed that prompts the host user to approve or deny the remote control request. If the prompt is displayed and the timeout is reached (30 seconds by default), access is denied unless the remote user is a super user, in which case access is granted. If the prompt is not displayed, the connection is continued for any remote user.
- Navigate to Remote option > Encryption and select the following setting:
- Prompt when connecting over TCP/IP untrusted/unknown hosts - This setting determines if a prompt is displayed with the thumbprint of the host's public key.
The host prompt to display TCP/IP session requests will only be displayed if the remote TCP/IP prompt is also selected and the remote user does not accept or cancel within five seconds.
The host prompt displays five seconds after it passes its public key to the remote computer. The session request will continue if the remote prompt is not set to present untrusted networks, the host’s certificate is already in the Trusted Certificates list, or the remote user chooses to Trust or Deny the connection within five seconds. When the connection continues, the host user is then prompted to confirm the connection by default.
Connection handshaking steps
|Step||Remote computer||Host computer|
|1||If Prompt when connecting over TCP/IP untrusted/unknown hosts is selected, the remote registers for callback using the ssl_ctx_set_verify API.|
|2||The remote initiates the connection by calling ssl_connect.|
|3||The host accepts the connection request by calling ssl_accept.|
|4||The host schedules the host thumbprint dialog to appear in 5 seconds.|
|5||If the remote registered for callback in step #1, the callback function on the remote is now called and the remote thumbprint dialog is displayed.
||*If the remote user chooses Deny, the connection will be aborted and the host thumbprint prompt will either not display if it is prior to the 5 second delay or will be closed automatically if it was displayed.
The Close button was included on the prompt so the remote user can close it. However, if the remote user clicks Trust or Deny, the connection continues or is aborted and the host prompt will close automatically.
|6||The handshake process continues and the connection is established.|
|7||If the host thumbprint window has not been displayed yet (there is a five-second delay), it is now cancelled so that it is not displayed.|
|8||The remote sends authentication information to the host.|
If the host is configured to prompt (host option #2), the dialog is presented at this time.
If the user on the host chooses Yes/Accept, the information is used to authenticate the user and the process continues.
If the user on the host chooses No/Deny, the connection is closed by the host.
The old certificate management has been removed. By default, the new trust system will prompt the remote administrator to set computer trust settings. If the administrator chooses Trust Always, the computer is added to the Trusted Certificates list and will not prompt the administrator when connecting to this same computer. If the administrator chooses Trust Once, during the next connection, the trust prompt will be displayed again.
Trusted Certificates List
The Trusted Certificates list is a file of trusted host computer certificates. This list is stored in the trusted_certs.PEM file. If you suspect the host private key has been compromised, you should delete the trusted_certs.PEM file. All hosts will need to be trusted again.
Imaging a pcAnywhere computer
For instructions, see the following article:
When encryption is set to “None,” pcAnywhere passwords are sent in plain text.
In all cases, Symantec recommends that you do not use your domain administrator credentials for remote access. Instead, create a new security credential for the purpose of remote control. Symantec also recommends following standard password policies such as:
- Cycle passwords often
- Use strong passwords
- Limit the access and distribution of security credentials
- Limit the privileges and permissions of the remote access credentials
The host and remote configuration files are stored on-disk in an encrypted format. These files are encrypted with a key that is unique to each computer. If a computer is cloned from another computer that has pcAnywhere installed, the key will be the same and the computers will be able to read each other’s files.
By default, only administrators, power users, and SYSTEM have access to the host configuration files. Also by default, all users on the computer have access to the remote configuration files. Although these files are encrypted, they are not secure. Anyone who has access to these files may be able to decrypt the file and look at its contents. To secure any of these files, appropriate ACLs must be set on the file.
Note that no encryption is performed on Mac or Linux systems. Use file permissions to protect files on these systems.
Importing and exporting configuration files
By default, host and remote configuration files will be encrypted. If you wish to move one of these files to another computer, you must first remove the encryption using awFileMgr.exe.
After you remove the encryption, you can move the file to a new system and import it using the same tool. The import process encrypts the file with the key of the new computer.
For information on how to decrypt a host or caller file to send to support or use with Symantec Packager, see the following article:
Running the host and remote
Which users can run the host
Administrators and power users can run the host process. These users have access to all of the host configuration files, the private key, and the X.509 certificate.
Which users can run the remote
Any user who can log onto the box can run the remote. These users have access to all of the remote configuration files and the Trusted Certificates list.
Context of users running on the host
Remote users who are allowed to connect to a host may be able to make changes to the host system that would compromise the system. Some of the actions that a remote user can do only during a remote session include:
- Launch an admin command prompt
- Reboot the computer
Note that when the host is running as a service, the prompt for credentials will appear. However, if the host is running as an application, credentials will not be requested.
Internet-based remote control sessions
In pcAnywhere 12.5 SP4 and pcAnywhere Solution 12.6.7, Access Server is not supported. pcAnywhere Access Server is not secure for Internet-based remote control sessions. As a result of the source code being exposed, Symantec no longer recommends using Access Server.
In the absence of Access Server, Symantec recommends that you use VPN for Internet-based remote control sessions.
“Unable to attach to specified device” error
The “Unable to attach to specified device” error message is displayed in a number of cases, including if there is mismatched host data port settings between the remote and host from mismatched versions of pcAnywhere. To determine the root of the problem, complete the following steps in order.
- Make sure that both the remote and the host are using the same encryption.
- Review the authentication type and make sure that you are entering correct credentials.
- As an administrator, regenerate the host/key files found the following locations by deleting them and restarting the pcAnywhere console:
Vista or greater: C:\ProgramData\Symantec\pcAnywhere\Hosts
XP: C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\Hosts
- Make sure that you have a proper network connection to the host system. Check that your firewall is properly configured, you can ping the host system, etc.
Article URL http://www.symantec.com/docs/DOC5475