4.1 Security On Windows Devices

4.1.1 Authentication

The Remote Management service must be installed on a device for the remote operator to remotely manage the device. The service automatically starts when the managed device boots up. When a remote operator initiates a remote session on the managed device, the service starts the remote session only if the remote operator is authorized to perform remote operations on the managed device.

To prevent unauthorized access to the managed device, the Remote Management service on the managed device uses the following modes of authentication:

Rights-Based Remote Management Authentication

In rights-based authentication, rights are assigned to the remote operator to launch a remote session on the managed device. By default, the ZENworks administrator and the super administrator have rights to perform remote operations on all the managed devices regardless of whether the local user or the ZENworks user is logged in to the device.

The remote operator does not need any exclusive rights to perform a remote session on the managed device if no user has logged in to the managed device or if a user has logged in to the managed device but not in to ZENworks. However, the remote operator needs exclusive Remote Management rights to perform the remote operation on the managed device when a ZENworks user has logged in to the device. We strongly recommend that you use the rights-based authentication because it is safe and secure.

Using rights-based authentication requires the ZENworks Adaptive Agent to be installed on the device. Installing only the Remote Management service on the device is not sufficient.

This mode of authentication is not supported when launching remote management operation in the standalone mode or from the command line.

Password-Based Remote Management Authentication

In password-based authentication, the remote operator is prompted to enter a password to launch the remote session on the managed device.

The two types of password authentication schemes used are:

  • ZENworks Password: This scheme is based on the Secure Remote Password (SRP) protocol (version 6a). The maximum length of a ZENworks password is 255 characters.

  • VNC Password: This is the traditional VNC password authentication scheme. The maximum length of a VNC password is 8 characters. This password scheme is inherently weak and is provided only for interoperability with the open source components.

If you use password-based authentication, we strongly recommend that you use the ZENworks Password scheme because it is safer and more secure than the VNC Password scheme.

The password schemes operate in the following modes:

  • Session Mode: The password set in this mode is valid only for the current session. The user on the managed device must set a password at the start of the remote session and communicate the password to the remote operator through out-of-band means such as telephone. When initializing a remote session with the managed device, the remote operator must enter the correct password in the session password dialog box that displays. If the remote operator fails to enter the correct password within two minutes after the dialog box is displayed, then the session closes for security reasons. If you use password-based authentication, we strongly recommend that you use this mode of authentication because the password is valid only for the current session and is not saved on the managed device.

  • Persistent Mode: In this mode, the password can be set by the administrator through the Remote Management policy or by the managed device user through the ZENworks icon if the Allow user to override default passwords on managed device option is selected in the security settings of the Remote Management policy.

    If the password is set both by the managed device user and in the policy, the password set by the user takes precedence over the password configured in the policy.

    The administrator can prevent the managed device user from setting the password and can even reset the password set by the user to ensure that the password configured in the policy is always enforced during authentication. For more information on resetting the password set by the managed device user, see Clearing the Remote Management Password Using ZENworks Control Center.

4.1.2 Password Strength

Use secure passwords. Keep the following guidelines in mind:

  • Length: The minimum recommended length is 6 characters. A secure password is at least 8 characters; longer passwords are better. The maximum length is 255 characters for a ZENworks password and 8 characters for a VNC password.

  • Complexity: A secure password contains a mix of letters and numbers. It should contain both uppercase and lowercase letters and at least one numeric character. Adding numbers to passwords, especially when they are added to the middle and not just at the beginning or the end, can enhance password strength. Special characters such as &, *, $, and > can greatly improve the strength of a password. Do not use recognizable words such as proper names or words from a dictionary, and do not use personal information such as phone numbers, birth dates, anniversary dates, addresses, or ZIP codes.

4.1.3 Ports

By default, the Remote Management service runs on port 5950 and the Remote Management Listener runs on port 5550. The firewall is configured to allow any port used by the Remote Management service, but you need to configure the firewall to allow the port used by the Remote Management Listener.

By default, the remote management proxy listens on port 5750.

4.1.4 Audit

ZENworks Configuration Management maintains a log of all the remote sessions performed on the managed device. This log is maintained on the managed device and can be viewed by the user and an administrator who is a member of the administrators group of the managed device. The administrator can view the logs of all the remote sessions performed on the device. The user can view the logs of all the remote sessions performed on the device when he or she was logged in.

To view the audit log:

  1. Double-click the ZENworks icon in the notification area of the managed device.

  2. In the left pane, navigate to Remote Management, then click Security.

  3. Click Display Audit Information to display the audit information of the remote operations performed on the device.

    Field

    Description

    ZENworks User

    Name of the ZENworks user logged in to the managed device at the start of the remote session.

    Remote Operator

    Name of the remote operator who performed the operation.

    Console Machine

    Host name of the device from which the remote operation was performed.

    Console IP

    IP address of the device from which the remote operation was performed.

    NOTE:If the remote management operation of the device is routed through a Remote Management proxy, the IP address of the device that is running the proxy is displayed.

    Operation

    The type of operation performed: Remote Control, Remote Execute, Remote View, Remote Diagnostics, File Transfer.

    Start Time

    The time when the remote operation started.

    End Time

    The time when the remote operation completed.

    Status

    The status of the remote operation: Success, Running, or Failure. The cause of the failure is also displayed.

4.1.5 Ask Permission from the User on the Managed Device

The administrator can configure the Remote Management policy to enable the remote operators to request permission from the user on the managed device before starting a remote operation on the device.

When the remote operator initiates a remote session on the managed device, the Remote Management service checks if the Ask permission from user on managed device option for that remote operation is enabled in the policy effective on the device. If the option is enabled and no user has logged in the device, the remote session proceeds. But, if the option is enabled and a user has logged in the managed device, then a message configured in the Remote Management policy is displayed to the user requesting permission to launch a remote session on the device. The session starts only if the user grants permission.

4.1.6 Abnormal Termination

When a remote session is abruptly disconnected, the abnormal termination feature lets you lock the managed device or log out the user on the managed device, depending on the configuration in the security settings of the Remote Management policy. The remote session terminates abnormally under the following circumstances:

  • The networks fails and the Remote Management viewer and the Remote Management service are unable to communicate

  • The Remote Management viewer is closed abruptly through the task manager.

  • The network is disabled either on the managed device or on the management console.

Under some circumstances, the Remote Management service might take up to one minute to determine the abnormal termination of the session.

4.1.7 Intruder Detection

The Intruder Detection feature significantly lowers the risk of the managed device being hacked. If the remote operator fails to log in to the managed device within the specified number of attempts (the default is 5), the Remote Management service is blocked and does not accept any remote session request until it is unblocked. The administrator can unblock the Remote Management service either manually or automatically.

Automatically Unblocking the Remote Management Service

The Remote Management service is automatically unblocked after the duration of the time specified in the Automatically start accepting connections after [] minutes option in the Remote Management policy. The default time is10 minutes. You can change the default time in the security settings of the Remote Management policy.

Manually Unblocking the Remote Management Service

You can manually unblock the Remote Management service from the managed device or from ZENworks Control Center.

To unblock the Remote Management service from ZENworks Control Center, the remote operator must have Unblock Remote Management Service rights over the managed device.

  1. In ZENworks Control Center, click Devices.

  2. Click Servers or Workstations to display the list of managed devices.

  3. Select the device to unlock.

  4. Click Action, then click Unblock Remote Management.

  5. Click OK.

To unblock the Remote Management service from the managed device:

  1. Double-click the ZENworks icon in the notification area of the managed device.

  2. In the left pane, navigate to the Remote Management, then click Security.

  3. Click Enable Accepting Connections if Currently blocked due to Intruder Detection.

4.1.8 Remote Operator Identification

When a remote operator launches a remote session from ZENworks Control Center, a certificate that helps the managed device to identify the remote operator is automatically generated. However, if the remote operator launches the session in a standalone mode, the certificate is not generated and the remote operator is recorded as An Unknown User in the audit logs, the Visible Signal and the Ask User Permission dialog box. The Remote Management service retrieves the identity of the remote operator by using the certificate provided by the management console during the Secure Socket Layer (SSL) handshake. The SSL handshake happens for all the types of authentication except for the VNC password authentication.

The Remote Management service on the device displays the details of the remote operator in the visible signal dialog box, if the Give Visible Signal to the User on the Managed Device option is enabled in the policy effective on the device. It also logs the information about the remote operator in the Remote Management Audit logs.

4.1.9 Browser Configuration

If you use Internet Explorer to remotely manage devices, then turn off the Protected mode in the security settings of the browser (Tools > Internet Options > Security).

Ensure that the ZENworks Control Center server is added to the list of trusted sites.

4.1.10 Session Security

ZENworks Configuration Management uses Secure Socket Layer (SSL) to secure remote sessions. However, the remote sessions launched using the VNC password-based authentication are not secured. The authentication process happens over a secure channel as the SSL handshake takes place regardless of whether session encryption is configured in the Remote Management policy or not.

After the authentication is complete, the remote session switches to an insecure mode if the Enable Session Encryption option is disabled in the Remote Management policy and if the Session Encryption option is disabled by the remote operator while initiating a remote session on the managed device. However, we recommend that you continue the session in a secure mode because there is no major impact on the performance of the session.

SSL Handshake

When the ZENworks Adaptive Agent is installed on a managed device, the Remote Management service generates a self-signed certificate that is valid for 10 years.

When a remote operator initiates a remote session on the managed device, the Remote Management viewer prompts the remote operator to verify the managed device certificate. The certificate displays details such as name of the managed device, certificate issuing authority, the validity of the certificate, and the fingerprint. For security reasons, the remote operator must verify the credentials of the managed device by matching the fingerprint of the certificate against the fingerprint communicated by the managed device user through out-of-band means. Then, the remote operator can do one of the following:

  • Accept the certificate permanently: If a user who has logged in to the management console accepts the certificate permanently, then the certificate is not displayed in the subsequent remote sessions initiated by the users logged in that console.

  • Accept the certificate temporarily: If a user who has logged in to the management console accepts the certificate temporarily, the certificate is accepted only for the current session. The user is prompted to verify the certificate the next time a connection is initiated to the managed device.

  • Reject the certificate: If a user who has logged in to the management console rejects the certificate, the remote session terminates.

Certificate Regeneration

The managed device regenerates a new self-signed certificate if:

  • The name of the managed device has changed

  • The certificate is postdated and is not currently valid

  • The certificate has expired

  • The certificate is about to expire

  • The certificate is missing

By default, the certificate is regenerated once in every 10 years.