INSIDE. Secure Remote Control for IT Support Organizations

Contents

Executive Summary

Security Concerns Limit Acceptance of Remote Control Software
  Remote Control Software as a Helpdesk Tool
  Financial Benefits of Remote Control Software
  Security Concerns with Remote Control Software

Security Requirements of Remote Control Software
  Authentication
  Authorization and Access Control
  Perimeter and Data Transfer Security
  Administration

Symantec pcAnywhere 10.0 Provides Secure Remote Control
  New Security Features Prevent Unauthorized Connections
  Encryption Tools Protect Data Transmission
  Centralized Administration Tools Identify Security Risks

Conclusion


Executive Summary

Information Technology (IT) professionals today are expected to support a growing number of users, many working remotely, who are using increasingly complex hardware and software systems. At the same time, IT budgets are being curtailed. Support organizations need a way of handling the increased workload effectively.

Remote control software, which allows a helpdesk technician to assume control of a user’s PC or an unattended server over a network, has proven to be a cost-effective way of providing remote support. With remote control software, call time is reduced and first-call resolution is improved, allowing the helpdesk to handle more calls with the same number of, or even fewer, helpdesk technicians. Upgrades, conversions, and installations can be handled uniformly throughout the organization. And timely, accurate problem resolution results in greater customer satisfaction with the support process.

While the benefits are significant, some organizations have expressed concern that remote control software could expose data on individual PCs or the corporate network to unauthorized use. Addressing security requirements in the areas of authentication, authorization and access control, perimeter and data transfer security, and administration could allay these concerns.

This paper examines how remote control products provide a cost-effective helpdesk tool and defines necessary security requirements for these products. The paper then outlines the features of Symantec pcAnywhere™ 10.0, Symantec’s remote control solution.

Security Concerns Limit Acceptance of Remote Control Software

IT professionals today are faced with the challenge of supporting more users, while reducing support costs. The increasing complexity of PC software, hardware and networks, as well as the growing number of users accessing the network from remote locations, complicates these requirements. Value Added Resellers (VARs) also need a way of delivering support services to their customers, while reducing travel expenses.

As a solution to these needs, remote control software has evolved from a remote access product into a cost-effective support tool that simplifies troubleshooting and problem resolution. Examining this solution, this section addresses the following:

• Remote control software as a helpdesk tool
• The financial benefits of remote control software
• Security concerns with remote control software

REMOTE CONTROL SOFTWARE AS A HELPDESK TOOL

Helpdesk technicians typically attempt to troubleshoot and resolve support problems over the telephone. Because directions must be given and received verbally, this can be a time-consuming and frustrating experience for both users and technicians. Users eagerly seek resolution of the problem and consider any time they spend on the phone troubleshooting as time away from important tasks. Helpdesk technicians may not clearly understand problems as described by non-technical users. Complicating the process, with the flexibility of today’s desktop software, users configure their screens to match their personal work style. Hence, technicians and users may not be viewing the same screens while discussing the problem. Often a single problem requires multiple calls or, when a problem cannot be resolved over the phone, a technician may be dispatched to the user’s site—a time consuming and expensive solution even when the user is down the hall.

Remote control software removes the user from the support transaction by enabling the technician to assume control of a user’s PC over the network. The technician works with the PC as if it was local and sees directly what is happening on the user’s computer screen. The corresponding boost in support productivity means that each helpdesk technician can handle a higher volume of calls. Staffing requirements may be reduced, and user satisfaction with the helpdesk function increases. Remote control software also facilitates remote training, in which users learn by example.

In addition to internal helpdesks, VARs and other organizations that provide customer support benefit from remote control software. For example, a VAR may include a copy of Symantec pcAnywhere along with each copy of their accounting solution. When a customer reports a problem, the VAR can provide quality telephone support without the need to dispatch a service representative to the customer’s site. This speeds problem resolution and improves the customer satisfaction with the support process. It also reduces travel expenses and allows VARs to concentrate on their core business. At large VARs, the sales organization can spend more time selling, and the technical organization can spend more time developing and enhancing products. At small VARs, where the sales organization and technical organization may be the same person, a shorter support call directly increases the time that the VAR can spend developing new business.

Remote control software is also used to diagnose and solve problems on servers. For example, banks and other financial institutions need twenty-four hour access to their databases to rapidly resolve problems that may arise.

In addition to problem troubleshooting and resolution, remote control software allows helpdesk organizations and VARs to efficiently install, configure, and upgrade software for local and remote PCs, as well as servers. This facilitates creation and maintenance of a standard computing environment, which in turn is easier to support. The Help Desk Institute identified upgrades, conversions, and installations as one of the top three reasons for increased helpdesk calls and call length.[1] The other two reasons are additional customers and newer, more complex technologies.

Due to the scalability of remote control software, this support solution is appropriate for small or large corporations, as well as VARs with local, regional, or national distribution. In each case, the organization benefits from avoiding the hiring of dedicated support personnel at a remote location, or from incurring the travel expense of dispatching a support technician to the remote site.

FINANCIAL BENEFITS OF REMOTE CONTROL SOFTWARE

The benefits of remote control software can be significant, lowering annual helpdesk costs by 6 to 13 percent. Cost savings result from reducing the size of helpdesk support staff, solving problems more rapidly and with fewer repeat calls. For example, Forrester Research, Inc. found that an organization with 20,000 end users and a $2.9 million helpdesk budget could save approximately $338,000 through the use of desktop remote control software.[2] Savings are based on improving first-call resolution by 7 percent and cutting five helpdesk technicians. The scenario assumes an annual salary of $59,000 per call-taker, $81,000 per deskside technician, and $68,000 per network administrator.

According to International Data Corporation (IDC), the worldwide market for remote control/remote access software will increase at a compound annual growth rate (CAGR) of 12.8% from $349.2 million in 1999 to $638 million in 2004. Shipments will increase from 19.5 million units in 1999 to 60 million in 2004.[3] Troubleshooting and problem resolution capabilities provided by remote diagnostic tools will fuel this dramatic growth.

SECURITY CONCERNS WITH REMOTE CONTROL SOFTWARE

Although remote control software provides a powerful tool for helpdesk support, it also raises security issues. Without proper security features, remote access software could expose data on individual PCs and the corporate network to unauthorized use, potentially disclosing trade secrets, confidential personnel records, and financial information.

As the number of remote users grows, maintaining security becomes even more of a challenge. According to IDC, by 2003 roughly 13.5 million employees will work from home. This estimate concerns only those employees who regularly work at home. It excludes branch-office workers and traveling employees who also require remote helpdesk support.[4]

Security Requirements of Remote Control Software

To maintain the security of an organization’s data and network resources, remote control software should support the existing network security infrastructure, including both network- and desktop-based security. Integrating with the security system already in place leverages the company’s investment, reduces the cost of managing security for remote control sessions, and simplifies management. Most importantly, such integration enables enterprises to confidently deploy and realize the benefits of remote control software without concerns of adverse security impacts. Remote control software should support security requirements in the following areas:

• Authentication
• Authorization and access control
• Perimeter and data transfer security
• Administration

AUTHENTICATION

Although no authentication technique is foolproof, requiring the use of passwords or other forms of authentication before a remote session commences discourages unauthorized access. In addition, such authentication approaches prevent users from inadvertently launching an unprotected host session. In evaluating a remote control product, check to see if it supports authentication methods that the organization is already using. Support of multiple, standard authentication methods allows the IT staff to leverage existing user name/password lists. Longer, complex passwords that include alphanumeric characters and symbols are more difficult to crack.

AUTHORIZATION AND ACCESS CONTROL

With remote control software, authorization or access control involves remote access by a user to a PC, remote access of a shared directory, or helpdesk technician access to the PCs of all supported users. Remote control software should be able to limit access to computers within a specific subnet or to specific TCP/IP addresses. Another effective way to block unauthorized access is by embedding a “serialization” code into the host and remote portions of the remote control product. A Symantec pcAnywhere host that has been serialized will only accept connections from a remote computer with the same serialization number. If the serialization number does not exist, the connection cannot be established. A company can utilize the same serialization code throughout their organization to effectively prevent someone from connecting with a standard retail version of the remote control software. In support situations, the host user should be able to confirm or deny access. When using a modem connection, callback capabilities, in which the host disconnects the call and then calls the remote back on a pre-entered phone number, help to prevent unauthorized access.

In addition to protecting PCs and servers from remote access, the system should include desktop-security features such as monitor and keyboard locking that protect an unattended host or server during remote control sessions. Disabling the host screen ensures privacy during remote control sessions in which a user is not present.

The helpdesk technician uses the remote to connect to a host on the end-user’s computer. This allows the technician to assume control of the host computer and solve the problem.

PERIMETER AND DATA TRANSFER SECURITY

Remote control software should support Virtual Private Network (VPN) technology to permit secure Internet connections through a firewall, as well as over a corporate intranet. This allows organizations to provide remote access without jeopardizing security. The VPN client should operate transparently, prompting for authentication credentials whenever the user attempts to penetrate a firewall. The system should be able to disallow telephone connections and require that remote control sessions occur only through a direct network connection.

Securing the data stream in transit during remote control sessions is as important as preventing unauthorized access. The data control software should support encryption services such as the Microsoft® Crypto API (Application Programming Interface) and public key infrastructure (PKI) to prevent eavesdroppers or hackers from intercepting and/or altering data during transmission.

ADMINISTRATION

If the remote control software integrates with existing authentication systems, the administrator maximizes efficiency and reduces costs by avoiding creation and management of a separate database of user IDs and passwords. For example, if an employee leaves the company, the administrator can delete the user ID from the central user database, preventing that user from accessing network resources.

Integration of the remote control software with enterprise network management solutions such as Microsoft® Systems Management Server, Tivoli® NetView®, and Computer Associates UniCenter TNG is desirable. Integrated messaging allows the administrator to manage the remote support solution from the same console used for managing other network resources and provides rapid notification of potential security breaches.

Since thorough alerting, logging, and reporting are essential to a secure environment, the remote control software should generate an audit log of all remote control transactions, including disallowed attempts at connection. This enables the administrator to monitor activity and detect unauthorized attempts to access systems. To prevent hackers from altering the log to hide their activities, securing the log is recommended. In addition, generating an SNMP alert whenever a number of unsuccessful attempts to connect to a host PC are detected permits real-time monitoring of suspicious activity from a network management console.
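The logging and alerting requirement above, combined with the address restriction from the authorization section, sketched as an added example (not from the original paper and not pcAnywhere's log format). A keyed hash chain makes edits to earlier records detectable, and repeated failed attempts against one host within a time window produce an alert record at the point where the paper would send an SNMP alert. The subnets, threshold, window, key, and all function names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import json
from collections import defaultdict, deque

# Assumed policy values, constructed for this example (not pcAnywhere settings).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("192.0.2.15/32")]
FAIL_THRESHOLD = 3      # failed attempts against one host that raise an alert
WINDOW_SECONDS = 300    # sliding window over which failures are counted


def source_allowed(addr):
    """True if the remote address is inside an allowed subnet or address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_NETS)


class AuditLog:
    """Append-only log; each record's MAC also covers the previous record's MAC."""

    def __init__(self, key):
        self._key = key                       # assumed to be stored off the host
        self.records = []
        self._failures = defaultdict(deque)   # host -> timestamps of failures

    def _mac(self, prev, body):
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, ts, host, remote, outcome):
        """Record one connection attempt; return an alert dict or None."""
        body = {"ts": ts, "host": host, "remote": remote, "outcome": outcome}
        prev = self.records[-1]["mac"] if self.records else ""
        self.records.append({"body": body, "mac": self._mac(prev, body)})
        if outcome == "accepted":
            return None
        recent = self._failures[host]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW_SECONDS:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= FAIL_THRESHOLD:
            return {"alert": "repeated-failed-connections",
                    "host": host, "count": len(recent)}
        return None

    def verify(self):
        """Index of the first record whose MAC fails to verify, or -1 if none."""
        prev = ""
        for i, rec in enumerate(self.records):
            if not hmac.compare_digest(rec["mac"], self._mac(prev, rec["body"])):
                return i
            prev = rec["mac"]
        return -1


def handle_attempt(log, ts, host, remote, password_ok):
    """Check the address restriction, then authentication; log either outcome."""
    if not source_allowed(remote):
        outcome = "denied-address"
    elif not password_ok:
        outcome = "denied-auth"
    else:
        outcome = "accepted"
    return outcome, log.append(ts, host, remote, outcome)


def demo():
    """Constructed attempts on one host: (results, verify before, verify after edit)."""
    log = AuditLog(b"demo-key-constructed-for-example")
    attempts = [(0, "10.20.3.4", True), (10, "203.0.113.9", True),
                (20, "10.20.3.4", False), (30, "10.20.3.4", False)]
    results = [handle_attempt(log, ts, "HOST-A", r, ok) for ts, r, ok in attempts]
    clean = log.verify()
    log.records[1]["body"]["outcome"] = "accepted"   # simulate an edited record
    return results, clean, log.verify()
```

The chain detects modified records but not removal of the most recent ones, so the latest MAC should also be forwarded to the management console.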

Enabling the IT administrator to lock in the security settings of the client remote control software ensures consistency and protects users from inadvertently exposing their systems to unauthorized access. This feature also prevents unauthorized users from reconfiguring the software for their own purposes. Remote control software with integrity checking features identifies changes since the original installation. If changes are detected, indicating potential rogue installations, the product will not function.

Symantec pcAnywhere offers more security options and features than any other remote control application. 3 levels of encryption protect the data stream between the host and remote. Unauthorized connections are eliminated with serialization, IP screening and 9 different authentication methods. Integrity checking can also be used to prevent tampering with the pcAnywhere host.

Symantec pcAnywhere 10.0 Provides Secure Remote Control

Technicians can use pcAnywhere from Symantec Corporation to securely diagnose and solve problems on remote servers, desktop computers, and mobile laptop computers—all without leaving the helpdesk.

The latest version, Symantec pcAnywhere 10.0, includes significant security enhancements in the following areas:

• New security features prevent unauthorized connections
• Encryption tools protect data transmission
• Centralized administration tools identify security risks and improve efficiency

NEW SECURITY FEATURES PREVENT UNAUTHORIZED CONNECTIONS

In order to prevent unauthorized connections to a Symantec pcAnywhere host, new security features have been added in the areas of authentication and access control.

Previous versions of Symantec pcAnywhere support NT authentication and Symantec pcAnywhere authentication. To provide centralized user management for any size company, regardless of the network infrastructure, Symantec pcAnywhere 10.0 supports the following additional authentication methods for Microsoft®, Novell®, and Web-based environments:

• Active Directory
• Novell Directory Services
• Novell Bindery
• Generic LDAP
• FTP
• HTTP
• HTTPS

Symantec pcAnywhere now requires an authentication method and mandatory password for all host sessions. This prevents users from inadvertently launching an unprotected host session.

One of the best ways to ensure security when remote control software is installed is to restrict connections from outside the organization. Symantec pcAnywhere 10.0 provides two ways to accomplish this objective: 1) limitation of connections to a specific TCP/IP address range, and 2) serialization.

TCP/IP address range: Symantec pcAnywhere hosts can be configured to accept only TCP/IP connections that are within a specified subnet or limited to specific TCP/IP addresses, enabling restriction of connections to employees.

Serialization: IT professionals can embed a security code into the Symantec pcAnywhere host and remote object executables. This security code must be present on both ends before a connection is established. By limiting connections to their serialized copies of Symantec pcAnywhere, the organization effectively prevents outside access through use of a purchased copy of Symantec pcAnywhere.

In addition, a number of new security features in Symantec pcAnywhere 10.0 prevent unauthorized users from connecting to the host.

Callback security for dial-up connections: In a typical Symantec pcAnywhere session, the remote PC connects to the host, and the session begins. When callback is enabled, the remote calls the host, but the host drops the connection before returning the call at a specified phone number.

Prompt to confirm connection: This security feature prompts the host to permit or reject the connection with the remote caller. When this feature is enabled, users are aware whenever a remote connection is being established.

Login restrictions: Symantec pcAnywhere allows host users to limit the number of times a remote user can attempt to login during a single session. In addition, hosts can limit the amount of time permitted for a remote user to complete a login.

Restrict connections after abnormal end of session: Host users can prevent remote users from reconnecting to the host if the session is interrupted abnormally.

ENCRYPTION TOOLS PROTECT DATA TRANSMISSION

Symantec pcAnywhere 10.0 offers three levels of encryption to protect the data stream during transmission between the host and remote PCs: Symantec pcAnywhere encryption, symmetric encryption, and public key encryption. The software’s new encryption wizard helps users set up public key encryption.

CENTRALIZED ADMINISTRATION TOOLS IDENTIFY SECURITY RISKS

Symantec pcAnywhere 10.0 features several new tools that help administrators identify potential security risks.

Remote Access Perimeter Scanner (RAPS): RAPS helps IT professionals plug security holes by scanning their network and telephone lines to identify unprotected remote access hosts (i.e., Symantec pcAnywhere hosts as well as hosts from other remote access/control applications). Using RAPS, helpdesk administrators can automatically shut down a Symantec pcAnywhere host that is not password protected. This tool provides IT professionals with a way to assess the vulnerability of their network in terms of remote access products.

In addition to Symantec pcAnywhere hosts, RAPS can detect hosts that are launched from other remote access products such as LapLink®, Compaq® Carbon Copy, and Netopia® Timbuktu. Although RAPS cannot automatically shut down these hosts, it provides the IP address or telephone number and computer name needed to identify and disable them manually. This functionality alerts IT professionals of possible rogue installations of other applications.

Integrity checking: Integrity checking is a new feature in Symantec pcAnywhere 10.0 that, when enabled, ensures that Symantec pcAnywhere installations remain unchanged. This feature verifies that the host and remote objects, DLL files, executables, and registry settings have not been modified since the original installation. If changes are detected to these files, Symantec pcAnywhere will not launch.

Improved centralized logging: For security and auditing purposes, Symantec pcAnywhere 10.0 includes support for the logging of all files and applications that are accessed on the host during a remote control session. Symantec pcAnywhere also logs all remote control activity such as login attempts, file transfers, and session start/end times.

Events can be logged to the Symantec pcAnywhere log, NT Event Log, or an SNMP monitor.

Conclusion

Remote control software provides internal helpdesks and VAR support organizations with a cost-effective support tool. By gaining direct access to the user’s PC, desktop technicians and other support personnel can quickly diagnose and resolve problems and upgrade remote desktops without leaving their desks.

Despite the benefits in terms of increased productivity and reduced support costs for overworked IT departments, some organizations have been reluctant to install remote control products because of the potential security risks. Symantec pcAnywhere 10.0 focuses on these security issues and includes new features that help prevent unauthorized access and protect file transfers. With Symantec pcAnywhere 10.0, IT organizations can confidently realize the promise of remote control software today.

Reference

[1] Doherty, Sean, “Helpdesk Salvation,” Network Computing, April 2, 2001

[2] “High-impact measures for improving help desk efficiency,” eWeek, February 17, 1999

[3] Drake, Stephen D, Worldwide Remote Control/Remote Access Software Market Forecast and Analysis, 1999–2004, IDC Report #W22255 – May 2000

[4] Wilde, Candee, “Telework Programs Speed Up: High-speed access technologies like cable modems and DSL give telecommuting a lift,” Internet Week, April 17, 2000

WORLD HEADQUARTERS

20330 Stevens Creek Blvd. Cupertino, CA 95014 U.S.A. 1.408.253.9600

For Product Information In the U.S., call toll-free 800-745-6054.

SYMANTEC CORPORATION, A WORLD LEADER IN INTERNET SECURITY TECHNOLOGY, PROVIDES CONTENT AND NETWORK SECURITY SOLUTIONS TO INDIVIDUALS AND ENTERPRISES. THE COMPANY IS A LEADING PROVIDER OF VIRUS PROTECTION, VULNERABILITY ASSESSMENT, INTRUSION PREVENTION, INTERNET CONTENT AND EMAIL FILTERING, REMOTE MANAGEMENT TECHNOLOGIES, AND SECURITY SERVICES TO ENTERPRISES AROUND THE WORLD.

HEADQUARTERED IN CUPERTINO, CALIFORNIA, SYMANTEC HAS OPERATIONS IN THIRTY-SEVEN COUNTRIES. SYMANTEC PRODUCTS ARE SOLD THROUGH A WORLDWIDE NETWORK OF CORPORATE, VALUE ADDED RESELLERS, AND RETAIL CHANNELS.

SINCE IT FIRST BEGAN SHIPPING TEN YEARS AGO, SYMANTEC PCANYWHERE HAS WON, AMONG OTHER AWARDS, THE EDITOR’S CHOICE AWARD FROM NETWORK COMPUTING, THE ANALYST CHOICE AWARD FROM PC WEEK, AND THE EDITOR’S CHOICE AWARD FROM PC MAGAZINE. FOR MORE INFORMATION ON SYMANTEC PCANYWHERE, OR TO DOWNLOAD A TRIAL COPY OF THE PRODUCT, PLEASE VISIT THE ENTERPRISE SECURITY PORTION OF SYMANTEC’S WEBSITE AT HTTP://ENTERPRISESECURITY.SYMANTEC.COM
