This section describes recommended practices for remote administration.
Use of any remote administration applications can cause adverse effects during load.
Use of remote administration tools that employ encryption can impact server performance. The performance level impact is tied to the level of encryption used. More encryption results in more impact to the server performance.
Terminal Services permits users to remotely execute applications on Microsoft Windows Server 2008 R2 from a wide range of devices over virtually any type of network connection. It can be enabled to run in either Application Server or Remote Administration modes. Unified ICM/ Unified CCE only supports Remote Administration mode.
Remote Desktop can be used for remote administration of ICM-CCE-CCH server. The mstsc command connects to the local console session.
Using the Remote Desktop Console session, you can:
Run Configuration Tools
Run Script Editor, though the recommended approach is to use Internet Script Editor
Remote Desktop is not supported for software installation or upgrade.
If you apply Cisco ICM Security Hardening to your system, then you must upgrade your Remote Desktop Clients to 5.2 or later. Remote Desktop Client 5.2 or later is required to connect to a server with FIPS Compliant algorithms enabled. Older versions of Remote Desktop client do not support FIPS compliant algorithms which the Cisco Unified ICM Security Hardening utility enables. For more information about FIPS compliant algorithms and security settings, see the Microsoft Knowledge Base articles KB 11770 and KB 81183.
Communication between the server and the client will use native Remote Desktop Protocol (RDP) encryption. By default, all data sent is protected by encryption based on the maximum key strength supported by the client.
RDP is the preferred remote control protocol due to its security and low impact on performance.
Windows Server 2008 R2 Terminal Services provides the ability to connect to and shadow a console session thereby replacing the need to pcAnywhere or VNC. To launch from the Windows Command Prompt, enter:
Remote Desktop client prior to 6.0: mstsc /v:<server[:port]> /console
Secure RDP-TCP connection
Use the following procedure to set up the properties of the terminal server RDP-TCP connection to provide better protection.
Run Terminal Services Configurator.
Select Connections, and then select RDP-TCP.
Restrict the number of client sessions that can remain active on the server.
From the Network Adapter tab, select Maximum connections and set the limit on the number of concurrent connections.
Set session time limits.
From the Sessions tab, check the first check box of the three Override User Settings check boxes, and set values for each of the following (all values are recommendations; use values that work best within your organization):
End a disconnected session: 1 or 5 minutes
Active session limit: 1 or 2 days
Idle session limit: 30 minutes
Set permissions for users and groups on the terminal server.
Use the Permissions tab to add users, groups and computers access limits and permissions. Click Add, select the user, group or computer name, and then set one of the following three basic permissions:
Full Control (given to administrators and the system; allows logging onto the terminal server, modifying the connection parameters, connecting to a session, getting session information, resetting or ending a session, logging off other users, remotely controlling other users' sessions, sending messages to other users, and disconnecting sessions).
User Access (given to ordinary users; allows logging onto the terminal server, getting session information, connecting to a session or sending messages to other user sessions).
Optionally, restrict reconnections of a disconnected session to the client computer from which the user originally connected.
From the Sessions tab, check the last of three Override User Settings check boxes and set Allow reconnection from previous client.
Optionally, configure encryption levels to High.
From the General tab, set Encryption level to High. Use this option only if there is a risk of unauthorized monitoring of the communications.
Per-User terminal services settings
Use the following procedure to set up a number of per-user terminal services settings for each user.
Using Active Directory Users and Computers, right-click a user and then select Properties.
On the Terminal Services Profile tab, set a user's right to logon to terminal server by checking the Allow logon to terminal server check box. Optionally, create a profile and set a path to a terminal services home directory.
On the Sessions tab, set session active and idle time outs.
On the Remote Control tab, set whether a remote session can be remotely viewed and controlled by administrators and whether a user's permission is required.
The following discussion applies to all approved versions of pcAnywhere.1
Security is one of the most important considerations in implementing a remote control solution.
pcAnywhere addresses security in the following ways:
Restricting access to internal machines
Preventing unauthorized connections to a pcAnywhere host
Protecting the data stream during a remote control session
Preventing unauthorized changes to the installed product
One of the best ways to ensure security is to restrict connections from outside your organization. pcAnywhere is the only remote control product to provide the following ways to accomplish this objective:
Limiting connections to a specific TCP/IP address range: pcAnywhere hosts can be configured to only accept TCP/IP connections that fall within a specified range of addresses.
Serialization: A feature that enables the embedding of a security code into the pcAnywhere host and remote objects created. This security code must be present on both ends for a connection to be made.
Unauthorized connections to a pcAnywhere host
The first line of defense in creating a secure remote computing environment is to prevent unauthorized users from connecting to the host. pcAnywhere provides a number of security features to help you achieve this objective.
Authentication is the process of taking a user's credentials and verifying them against a directory or access list to determine if the user is authorized to connect to the system.
pcAnywhere now requires a password for all host sessions. This security feature prevents users from inadvertently launching an unprotected host session.
Callback security (for dial-up connections)
pcAnywhere lets dial-up users specify a call-back number for remote control sessions. In a normal pcAnywhere session, the remote connects to the host, and the session begins. When callback is enabled, the remote calls the host, but then the host drops the connection and calls back the remote at the specified phone number.
Table 1 General pcAnywhere security settings
Restrict connections after an end of session
With pcAnywhere, host users can prevent remote users from reconnecting to the host if the session is stopped due to a normal or abnormal end of session.
Wait for anyone
and secure by
Table 2 Security options - connection options
Prompt to confirm connection
This feature prompts the host user to acknowledge the remote caller and permit or reject the connection. By enabling this feature, users can know when someone is connecting to their host computer. This will depend on the remote administration policy of whether users must be physically present at the server being remotely accessed.
Table 3 Security options - login options
Make password case sensitive
Lets you use a combination of uppercase and lowercase letters in a password. This setting applies to pcAnywhere Authentication only.
Limit login attempts per call
pcAnywhere lets host users limit the number of times a remote user can attempt to login during a single session to protect against hacker attacks.
Limit time to complete login
Similarly, host users can limit the amount of time that a remote user has to complete a login to protect against hacker and denial of service attacks.
Table 4 Security options - session options
Disconnect if inactive
Limits time of connection. pcAnywhere lets host users limit the amount of time that a remote caller can stay connected to the host to protect against denial of service attacks and improper use.
Data stream protection during remote control session
Encryption prevents the data stream (including the authorization process) from being viewed using readily available tools.
pcAnywhere offers three levels of encryption:
Public key encryption
Table 5 Encryption configuration
Lists the following encryption options:
None: Sends data without encrypting it.
pcAnywhere encoding: Scrambles the data using a mathematical algorithm so that it cannot be easily interpreted by a third party.
Symmetric: Encrypts and decrypts data using a cryptographic key.
Public key: Encrypts and decrypts data using a cryptographic key. Both the sender and recipient must have a digital certificate and an associated public/private key pair.
Deny lower encryption level
Refuses a connection with a computer that uses a lower level of encryption than the one you selected.
Encrypt user ID and password only
Encrypts only the remote user's identity during the authorization process. This option is less secure than encrypting an entire session.
Unauthorized changes to installed product
Integrity checking is a feature that, when enabled, verifies that the host and remote objects, DLL files, executables, and registry settings have not been changed since the initial installation. If pcAnywhere detects changes to these files on a computer, pcAnywhere will not run. This security feature guards against hacker attacks and employee changes that might hurt security.
Identifying security risks
The Symantec Remote Access Perimeter Scanner (RAPS) lets administrators scan their network and telephone lines to identify unprotected remote access hosts and plug security holes. This tool provides administrators with a way to access the vulnerability of their network in terms of remote access products. Using RAPS, you can automatically shut down an active pcAnywhere host that is not password protected and inform the user.
Event logging during remote control session
You can log every file and program that is accessed during a remote control session for security and auditing purposes. Previous versions only tracked specific pcAnywhere tasks such as login attempts and activity within pcAnywhere. The centralized logging features in pcAnywhere let you log events to pcAnywhere log, NT Event Log (NT, Windows Server 2008 R2), or an SNMP monitor.
SSH Server allows the use of VNC through an encrypted tunnel to create secure remote control sessions. However, this configuration is currently not supported by Cisco. The performance impact of running an SSH server has not been determined.
1 Refer to the Bill of Materials for the versions qualified and approved for your release of ICM.