About security and encryption in Dameware Mini Remote Control
Dameware Mini Remote Control (MRC) has a variety of security and encryption features to help you comply with security guidelines.
MRC supports four authentication methods, three of which are integrated with the operating system's own security. You can define security policies within the operating system that allow or prevent users from establishing an MRC connection to a remote system. MRC always authenticates against the remote system itself and neither elevates nor reduces the connected user's permissions in the operating system.
For example, if an MRC user has Administrator rights on the remote system when logging on to it locally, that user also has Administrator rights when connecting remotely with MRC. MRC does not log users in to the operating system of the remote system. Instead, it establishes a remote connection to the desktop of that system. If no user is currently logged on to the remote system, the MRC user must log on to the operating system exactly as if they were connecting interactively.
MRC supports the following authentication methods:
- A proprietary challenge/response authentication method
- Windows NT Challenge/Response (OS-level)
- Encrypted Windows Logon (OS-level)
- Smart Card Logon (OS-level)
MRC includes features within the Dameware client agent service that can restrict MRC connections. To modify these settings, a user must have Administrator rights on the remote system.
The Dameware client agent service offers the following restriction options:
- Enable or disable specific authentication methods
- Specify and require an additional password, or shared secret, for MRC connections
- Limit MRC connections to users with administrative permissions
- Allow or deny MRC connections based on IPv4 filtering
- Restrict MRC connections to users within specific Windows security groups
The MRC program provides three logging features.
DWMRCS app event logs
Each time an MRC user connects to a remote system, MRC writes DWMRCS entries to the Application Event Log on the remote system for the following events:
- Attempts to connect
These DWMRCS Application Event Log entries contain connection information, including the system the MRC user connected from and the username used to establish the MRC connection. For security reasons, this logging cannot be disabled within the MRC program.
The Centralized Logging feature allows Administrators to send duplicate copies of the DWMRCS Application Event Log entries to a separate, independent centralized logging server. For this to work, the logging server and all remote systems must be running the Dameware client agent service.
The Email Notification feature sends an email each time MRC establishes a connection to the remote system on which the feature is enabled.
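Because the DWMRCS entries cannot be disabled, they are the natural audit trail for MRC access. The following PowerShell script is an added example, not code from SolarWinds or the Dameware product, that pulls those entries from a remote host's Application Event Log and summarizes them per day. It assumes the event source (provider) name is "DWMRCS", as this page states, that the account running it has remote Event Log read rights on the target, and that Remote Event Log Management is allowed through the firewall. The message body is left unparsed because its exact format is not documented here.

```powershell
# Added example (not Dameware/SolarWinds code): audit DWMRCS connection events on a remote Windows host.
# Assumptions: the Application log source name is "DWMRCS"; the caller has remote Event Log read rights.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

# FilterHashtable runs server-side, so only DWMRCS events from the lookback window cross the wire.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'DWMRCS'
    StartTime    = (Get-Date).AddDays(-$Days)
}

try {
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
} catch {
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result, not a failure.
    if ($_.Exception.Message -like '*No events were found*') { $events = @() } else { throw }
}

Write-Host ("{0} DWMRCS event(s) on {1} in the last {2} day(s)" -f $events.Count, $ComputerName, $Days)

# Show each entry with the first line of its message (the full text holds the source host and username).
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Daily counts: a cluster of connections outside maintenance windows is worth a closer look.
$events |
    Group-Object { $_.TimeCreated.Date.ToString('yyyy-MM-dd') } |
    Select-Object @{ Name = 'Day'; Expression = { $_.Name } }, Count |
    Sort-Object Day |
    Format-Table -AutoSize
```

Run it as `.\Audit-Dwmrcs.ps1 -ComputerName FILESRV01 -Days 30` (the script name is an assumption). Because the entries are written on the remote system, an attacker with Administrator rights there could clear the Application log after the fact; forwarding the entries with the Centralized Logging feature described above, or with your own log collector, is what makes the trail trustworthy.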
MRC encrypts all credentials and other session negotiation information for its connections. MRC uses the Cryptographic Service Providers and CryptoAPIs built into Microsoft Windows to provide strong encryption for authentication and session negotiation (key exchange). MRC supports multiple encryption algorithms (ciphers) and negotiates the strongest keys that the local and remote systems' cryptographic subsystems both support.
MRC provides additional encryption options for general data, images, and Simple File Transfers.
MRC also includes RSA's BSAFE Crypto-C ME encryption modules, which are FIPS 140-2 validated by NIST. Federal Information Processing Standard 140-1 (FIPS 140-1) and its successor, FIPS 140-2, are US Government standards that provide a benchmark for implementing cryptographic software. MRC meets all Level 1 requirements for FIPS 140-2 compliance when operated in FIPS Mode. When FIPS Mode is enabled, MRC uses the BSAFE Crypto-C ME FIPS 140-2 validated cryptographic library exclusively, which permits only FIPS-approved algorithms.
When MRC is not running in FIPS Mode, MRC uses Microsoft's cryptographic service providers (CSPs) and CryptoAPIs exclusively. The negotiated encryption algorithm can range from RC4 at the low end (kept primarily for older operating systems such as NT4; RC4 is no longer considered secure and should not be accepted where the agent service encryption restrictions can rule it out) up to AES 256, for example:
- AES 256 (Key length: 256 bits)
In addition to the encryption options in MRC, you can set encryption restrictions on the Dameware client agent service. You can configure remote systems to accept only FIPS Mode connections, or to require specific encryption options for all MRC connections.
The Dameware client agent service provides several Permission Required settings in the Agent Service Settings dialog box. When these settings are enabled, a user who is logged on locally to the target system must approve an incoming MRC connection before it succeeds. The client agent service can also prohibit non-administrative users from establishing a connection when no local user is logged on.
For MRC users connecting with non-administrator credentials, the following settings on the Access tab are enabled by default:
- Permission Required for these Account Types
- Disconnect if at Logon Desktop
- View only for these account types
The Permission Required setting on the Additional Settings tab applies to MRC users connecting with or without administrator credentials. If this setting is enabled and an MRC user attempts to connect to the remote system while another user is logged on, the logged-on user must allow the MRC connection for it to succeed.