The DameWare Mini Remote Control program has a multitude of security and encryption features to help users comply with security guidelines:
Authentication
MRC supports the ability to use four different Authentication methods, three of which are integrated within the Operating System's security. This allows users to define security policies within the Operating System that effectively allow or prevent an MRC connection from being established. The MRC program always authenticates locally to the remote machine using one of the four available authentication methods. The MRC Application does not increase or decrease the level of rights or permissions a user has within the Operating System. For instance, if an MRC user has Administrator rights within the Operating System of the remote machine to which he or she is connecting, the user will have Administrator rights when he or she logs into the Operating System. Note that the MRC Application does not log a user into the Operating System of the remote machine. It simply establishes a remote connection to the remote machine's desktop. If no user is currently logged into the remote machine, the MRC user will have to login to the Operating System just as if he or she physically walked up to the remote machine.
For detailed information and descriptions of the four available authentication methods, please see the Help Topic entitled, "Authentication Methods and Types" in the Additional Information and Instructions section.
Restricting connections
MRC includes a number of helpful features within the MRC Client Agent Service that can restrict MRC connections to the remote machine on which the Service is installed and running. Note that Administrator rights are required within the Operating System of the remote machine to install, remove, start, stop, upgrade, downgrade, or modify the settings of the MRC Client Agent Service.
The General tab of the MRC Client Agent Service settings allows the various authentication methods to be enabled or disabled. Clicking on the "Session" button will also allow a Shared Secret key to be set. This is an extra password, customizable, that serves as an added security feature supplementing the authentication method.
The Access tab of the MRC Client Agent Service settings includes specialized settings for Administrators as well as Non-Administrators who may connect to this remote machine. These settings are described in detail in the Help Topic entitled "Settings" under the MRC Client Agent Service section.
Connections can be filtered (allowed or denied) by using the IP Filter feature within the MRC Client Agent Service. Note: This applies only to IPv4 Addresses.
MRC connections can be restricted based on Group Membership. Using the "Must be a member of the following Group(s)" will allow MRC connections to be restricted to only members of the specified Local or Global group. Only MRC users that connect with credentials that are also members of one of the Groups listed will be allowed to connect.
Logging
The MRC program provides three different logging features.
DWMRCS app event logs:
Each time an MRC user connects to a remote machine, attempts to connect to a remote machine, or Disconnects an MRC session from a remote machine, the MRC program automatically writes DWMRCS entries into the Application Event Log on the remote machine. In addition to a multitude of connection information, the DWMRCS Application Event Log entries will contain the specific information about the machine the MRC user connected from as well as what User Name was used to establish the MRC connection. For security reasons, this functionality cannot be disabled within the MRC program.
Centralized logging:
The Centralized Logging feature allows Administrators to send duplicate copies of the previously mentioned DWMRCS Application Event log entries to a separate, independent centralized logging server. The MRC Client Agent Service must be installed and running on the designated logging server as well as on all the remote machines from which duplicate DWMRCS logs will be sent. Click on the Logging button on the Additional Settings tab of the MRC Client Agent Service settings to access this feature.
Email notification:
The Email Notification feature can be enabled within the MRC Client Agent Service to send an email to the specified email address each time an MRC connection is established to the machine using the MRC program.
Encryption
For MRC connections, no credentials or any other session negotiation information is sent over the wire in Clear Text. It is all encrypted. MRC supports Strong encryption for Authentication and session negotiation (key exchange). It does this by using Microsoft’s Cryptographic Service Providers & CryptoAPIs built into the Operating System. Additional encryption options are also available for general data, images, and Simple File Transfers. MRC always uses multiple encryption algorithms (ciphers), and it will always try to negotiate (via Key Exchange) the strongest keys possible based on what the local & remote machines Crypto Subsystem can agree upon and by the settings defined in the Session Negotiation options within the MRC Client Agent Service.
MRC also includes RSA's BSAFE Crypto-C ME encryption modules, which are FIPS 140-2 level certified by NIST. Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor, FIPS 140-2, are US Government standards that provide a benchmark for implementing cryptographic software. DameWare Development, LLC has partnered with RSA Security, Inc. to use the BSAFE Crypto-C Micro Edition cryptography module, which has met all Level 1 requirements for Federal Information Processing Standards (FIPS) 140-2 compliance when operated in "FIPS Mode." When the "FIPS Mode" options are set, the MRC software will exclusively use the BSAFE Crypto-C ME FIPS 140-2 validated cryptographic library, which in turn will only allow FIPS-approved algorithms to be utilized. More information is available at the following reference:
RSA Security Encryption Software Receives FIPS 140-2
Validation
http://www.rsa.com/press_release.aspx?id=5691
The FIPS Validation certificate is also available for review on
the NIST website:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140crt/140crt1058.pdf
FIPS mode can be enabled by selecting the Host Entry from the MRC Application's Browser, clicking on the Settings button, then selecting the Encryption Options Tab and enabling the "Enable FIPS Mode" checkbox. Note: The FIPS modules must also be installed with the MRC Client Agent Service on the remote machine.
***When not running in FIPS Mode, MRC exclusively uses Microsoft's cryptographic services providers (CSPs) & CryptoAPIs within the Operating System. The Encryption Algorithms used can be anywhere from a minimum of RC4 (primarily used for older Operating Systems such as NT4) to a maximum of AES 256. For Example: AES 256(Key length: 256 bits), 3DES/Triple DES (Key length: 192 bits), and RC4 (Key length: 128 bits).
Forcing encryption
In addition to these Encryption options being available for use within the MRC Application, there are settings within the MRC Client Agent Service to guarantee that every MRC connection to the remote machine meets a designated level of encryption. On the General tab of the MRC Client Agent Service settings, there is a Session button that when selected, will open the Session Negotiation settings. The "Allow only FIPS Mode" setting can be enabled here. Clicking on the Force button will allow encryption options to be enabled that will require all MRC connection attempts to meet these other pre-defined settings.
Permission Required
The “Permission Required” behavior depends primarily on the level of rights an MRC user has within the Operating System security. The desktop state of the remote machine at the time of the MRC connection attempt and the two permission required settings within the MRC Client Agent Service also factor into this behavior.
For MRC users connecting with Non-Administrator credentials, the settings on the Access tab of the MRC Client Agent Service must be considered. These settings are the following: "Permission Required for these Account Types," "Disconnect if at Logon Desktop," and "View only for these account types." Enabling the "Permission Required for these Account Types" setting will require the currently logged on user of the remote machine to "Allow" the MRC connection from the Non-Administrator.
For MRC users connecting with Administrator credentials, the "Permission Required" setting on the Additional Settings tab of the MRC Client Agent Service must be considered. Enabling this setting will require all MRC connection attempts to be "Allowed" by the currently logged on user of the remote machine. Note: The "Permission Required" setting on the "Additional Settings" tab will override the "Permission Required for these Account Types" setting and prompt every connection attempt for permission.
***When an MRC connection is attempted to a remote machine that is NOT at the Logon Desktop or Lock Screen, hence a user is currently logged into the desktop, if "Permission Required for these Account Types" is enabled, the currently logged on user will be prompted to Allow or Deny the non-Administrator's connection attempt. If it is not enabled, the Non-Administrator will be allowed to connect without permission in "Non-Administrator Mode."
More information on all the aforementioned settings on the Access tab and Additional Settings tab of the MRC Client Agent Service can be found in the Help Topic entitled, "Settings" in the MRC Client Agent Service section.