This section describes recommended practices for remote administration.
Use of any remote
administration applications can cause adverse effects during load.
Use of remote
administration tools that employ encryption can impact server performance. The
performance level impact is tied to the level of encryption used. More
encryption results in more impact to the server performance.
Terminal Services permits users to
remotely execute applications on Microsoft Windows Server 2008 R2 from a wide
range of devices over virtually any type of network connection. It can be
enabled to run in either Application Server or Remote Administration modes.
Unified ICM/ Unified CCE only supports Remote
Remote Desktop can be used for remote
administration of ICM-CCE-CCH server. The mstsc command
connects to the local console session.
Remote Desktop Console session, you can:
Run Script Editor, though the
recommended approach is to use Internet Script Editor
Remote Desktop is not supported for software installation or upgrade.
you apply Cisco ICM Security Hardening to your system, then you must upgrade
your Remote Desktop Clients to 5.2 or later. Remote Desktop Client 5.2 or later
is required to connect to a server with FIPS Compliant algorithms enabled.
Older versions of Remote Desktop client do not support FIPS compliant
algorithms which the Cisco Unified ICM Security Hardening utility
enables. For more information about FIPS compliant algorithms and security
settings, see the Microsoft Knowledge Base articles KB 11770 and
Communication between the server and the client will use native Remote
Desktop Protocol (RDP) encryption. By default, all data sent is protected by
encryption based on the maximum key strength supported by the client.
RDP is the preferred remote control protocol due to its security and
low impact on performance.
Windows Server 2008 R2 Terminal Services provides the ability to connect
to and shadow a console session thereby replacing the need to pcAnywhere or
VNC. To launch from the Windows Command Prompt, enter:
Remote Desktop client prior to 6.0:
mstsc /v:<server[:port]> /console
Secure RDP-TCP connection
Use the following procedure to set up the properties of the terminal server RDP-TCP
connection to provide better protection.
Run Terminal Services Configurator.
Select Connections, and then select RDP-TCP.
Restrict the number of client sessions that can remain active on
From the Network Adapter tab, select Maximum
connections and set the limit on the number of concurrent
Set session time limits.
From the Sessions tab, check the first check box of the three Override User
Settings check boxes, and set values for each of the following (all values are
recommendations; use values that work best within your organization):
End a disconnected session: 1 or 5 minutes
Active session limit: 1 or 2 days
Idle session limit: 30 minutes
Set permissions for users and groups on the terminal server.
Use the Permissions tab to add users, groups and computers access
limits and permissions. Click
Add, select the user, group or computer
name, and then set one of the following three basic permissions:
Full Control (given to administrators and the system; allows
logging onto the terminal server, modifying the connection parameters,
connecting to a session, getting session information, resetting or ending a
session, logging off other users, remotely controlling other users'
sessions, sending messages to other users, and disconnecting sessions).
User Access (given to ordinary users; allows logging onto the
terminal server, getting session information, connecting to a session or sending
messages to other user sessions).
Optionally, restrict reconnections of a disconnected session to
the client computer from which the user originally connected.
From the Sessions tab, check the last of three Override User
Settings check boxes and set Allow reconnection from previous client.
Optionally, configure encryption levels to High.
From the General tab, set Encryption level to High. Use this
option only if there is a risk of unauthorized monitoring of the
Per-User terminal services settings
Use the following procedure to set up a number of per-user terminal services settings for
Using Active Directory Users and Computers, right-click a user
and then select Properties.
On the Terminal Services Profile tab, set a user's right to
logon to terminal server by checking the Allow logon to terminal server
check box. Optionally, create a profile and set a path to a terminal services
On the Sessions tab, set session active and idle time outs.
On the Remote Control tab, set whether a remote session can be
remotely viewed and controlled by administrators and whether a user's
permission is required.
The following discussion applies to all approved versions
Security is one of the most important considerations in implementing a
remote control solution.
pcAnywhere addresses security in the following ways:
Restricting access to internal machines
Preventing unauthorized connections to a pcAnywhere host
Protecting the data stream during a remote control session
Preventing unauthorized changes to the installed product
One of the best ways to
ensure security is to restrict connections from outside your organization.
pcAnywhere is the only remote control product to provide the following ways to
accomplish this objective:
Limiting connections to a
specific TCP/IP address range: pcAnywhere hosts can be configured to only accept
TCP/IP connections that fall within a specified range of addresses.
Serialization: A feature that enables the embedding of a
security code into the pcAnywhere host and remote objects created. This
security code must be present on both ends for a connection to be made.
Unauthorized connections to a pcAnywhere host
The first line of defense in creating a secure remote computing
environment is to prevent unauthorized users from connecting to the host.
pcAnywhere provides a number of security features to help you achieve this
Authentication is the process of taking a user's
credentials and verifying them against a directory or access list to determine
if the user is authorized to connect to the system.
pcAnywhere now requires a password for all host sessions. This
security feature prevents users from inadvertently launching an unprotected
Callback security (for dial-up connections)
pcAnywhere lets dial-up users specify a call-back number for
remote control sessions. In a normal pcAnywhere session, the remote connects to
the host, and the session begins. When callback is enabled, the remote calls
the host, but then the host drops the connection and calls back the remote at
the specified phone number.
Table 1 General pcAnywhere security settings
Restrict connections after an end of session
With pcAnywhere, host users can prevent remote users from
reconnecting to the host if the session is stopped due to a normal or abnormal
end of session.
Wait for anyone
and secure by
Table 2 Security options - connection options
Prompt to confirm connection
This feature prompts the host user to acknowledge the remote
caller and permit or reject the connection. By enabling this feature, users can
know when someone is connecting to their host computer. This will depend on the
remote administration policy of whether users must be physically present at the
server being remotely accessed.
Table 3 Security options - login options
Make password case sensitive
Lets you use a combination of uppercase and lowercase letters
in a password. This setting applies to pcAnywhere Authentication only.
Limit login attempts per call
pcAnywhere lets host users limit the number of times a remote
user can attempt to login during a single session to protect against hacker
Limit time to complete login
Similarly, host users can limit the amount of time that a
remote user has to complete a login to protect against hacker and denial of
Table 4 Security options - session options
Disconnect if inactive
Limits time of connection. pcAnywhere lets host users limit
the amount of time that a remote caller can stay connected to the host to
protect against denial of service attacks and improper use.
Data stream protection during remote control session
Encryption prevents the data stream (including the authorization
process) from being viewed using readily available tools.
pcAnywhere offers three levels of encryption:
Public key encryption
Table 5 Encryption configuration
Lists the following encryption options:
None: Sends data without encrypting it.
pcAnywhere encoding: Scrambles the data using a
mathematical algorithm so that it cannot be easily interpreted by a third
Symmetric: Encrypts and decrypts data using a
Public key: Encrypts and decrypts data using a
cryptographic key. Both the sender and recipient must have a digital
certificate and an associated public/private key pair.
Deny lower encryption level
Refuses a connection with a computer that uses a lower level
of encryption than the one you selected.
Encrypt user ID and password only
Encrypts only the remote user's identity during the
authorization process. This option is less secure than encrypting an entire
Unauthorized changes to installed product
Integrity checking is a feature that, when enabled, verifies that
the host and remote objects, DLL files, executables, and registry settings have
not been changed since the initial installation. If pcAnywhere detects changes
to these files on a computer, pcAnywhere will not run. This security feature
guards against hacker attacks and employee changes that might hurt
Identifying security risks
The Symantec Remote Access Perimeter Scanner (RAPS)
lets administrators scan their network and telephone lines to identify
unprotected remote access hosts and plug security holes. This tool provides
administrators with a way to access the vulnerability of their network in terms
of remote access products. Using RAPS, you can automatically shut down an
active pcAnywhere host that is not password protected and inform the
Event logging during remote control session
can log every file and program that is accessed during a remote control session
for security and auditing purposes. Previous versions only tracked specific
pcAnywhere tasks such as login attempts and activity within pcAnywhere. The
centralized logging features in pcAnywhere let you log events to pcAnywhere
log, NT Event Log (NT, Windows Server 2008 R2), or an SNMP monitor.
SSH Server allows the use of VNC through an
encrypted tunnel to create secure remote control sessions. However, this
configuration is currently not supported by Cisco. The performance impact of
running an SSH server has not been determined.
1 Refer to the Bill of Materials for the versions qualified and
approved for your release of ICM.