I've done this before on the wild wild Internet (actually only to support some family and friends' PCs :)) and we actually run pcAnywhere on our NT 4.0 machines here at work (internal-network only, but I am extremely paranoid :)). You shouldn't really *need* to spend the $$$ to get a VPN setup going. pcAnywhere is fairly secure assuming you have a patched and up-to-date OS and the correct settings...

There are a few things you can do on the pcAnywhere side:

a) Make sure you have the latest version of pcAnywhere (or at least the latest update to the version you are running)
b) Use only TCP/IP
c) Set it so at "Abnormal End of Session" and "End of Session" it will "Wait for anyone" but secure by either "Logoff user" or "Lock NT workstation" (these settings can be found under the "Settings" tab of the host connection you have set up).
d) Use Windows authentication with Windows privileges (or use pcAnywhere authentication with pcAnywhere privileges...but the security gain is negligible)
e) Under "Security Options" set it so it will "Blank PC screen after connection" - in case your cleaning people are hanging out watching you and your sensitive data.
f) Set the encryption level to the highest available without having to use a public key system, which is "Symmetric" and check "Deny Lower Encryption Level" (be sure to tell your employee to set this on his client connection, otherwise he'll get blocked since the client pcAnywhere defaults to a lower encryption level) - this uses a bit more CPU but your session will be nicely encrypted.
g) Be sure to set up your "Login options" so you can limit login attempts, etc.
h) Make it so the keyboard is only active remotely when a session is enabled...this will prevent tampering.
i) Lastly (on the pcAnywhere side) be sure to password protect the configuration screen so no one monkeys with your "locked down" config.

If you have the luxury of a firewall only allow pcAnywhere's port(s) through (5631 and 5632 by default, but you can change it here: http://service1.symantec.com/SUPPORT/pca.nsf/docid/2001021417112312)...if not, a personal firewall should be ok. Since you have this on the internal network you'll need to open up those two ports (or whatever ports you designate) to your internal host. If you do not know how to do this it is another huge post that I would have to go into. :) But dependent on what firewall/router you use it could be fairly straightforward and easy - check their site.

No matter what (whether it be hardware firewall, NAT-only, or software-based personal firewall), be sure you are up to date with the latest service packs/hotfixes - www.microsoft.com/technet/security.

If you're running Windows 2000 or Windows XP go ahead and use Terminal Services. It is much better integrated and set it for 128-bit encryption and the security is there. pcAnywhere doesn't work very well on W2K/XP anyway. On NT 4.0 pcAnywhere is quite nice...and I am pleased with its performance.

There are, of course, a lot of other options out there (SSH, NetSupport, VNC to name a few) but if you already have pcAnywhere bought and paid for it is a good product for your needs and users seem to like it and find it fairly easy to use/understand.

Lots of good information here (dependent on what ver. you are using):

http://www.symantec.com/techsupp/enterprise/products/pca/pca_105/index.html
http://www.symantec.com/techsupp/enterprise/products/pca/pca_10/index.html
http://www.symantec.com/techsupp/enterprise/products/pca/discontinued.html

Good luck...

Eric

securitybasics@plumlee.org
To: [EMAIL PROTECTED]
cc:
07/22/2002 03:34 PM
Subject: PCanywhere: security of it and operation over DSL/cable modems

We have a workstation at the office that needs to allow a user remote access for running software on the workstation. I don't think a VPN will work because the user MUST run the software on this machine, as if he was seated at it. I'm looking at gotomypc.com and pcanywhere. I don't feel comfortable using gotomypc.com as this is proprietary company information and I don't trust someone else having the access information for the workstation that has the info on it.

My questions are as follows:

1. Has anyone got experience with the security of PCanywhere running over a DSL/cable modem connection? What should I watch out for?
From what I understand, I can use HTTPS as one of the options for the connection. Anyone know the encryption level? Are all parts of the transactions secured with encryption?
2. How does the software work if it's over a broadband connection? My internal IPs aren't valid for routing. How does the software know a connection is being initiated?
3. Any better solutions come to mind? I'd rather have a PITA setup that's secure than a simple one that's not.
4. What security measures should I implement on the user's PC to make sure that it's secure as well? I won't have physical access to it but for the initial setup.

I'll be interested in seeing if this gets posted at all due to the recent acquisition of securityfocus by Symantec. Can't bite the hand that feeds you, I guess.

Many thanks for any help. Long time reader (well, several months at least), first time poster.
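
One way to check the firewall advice in the reply above (only pcAnywhere's ports forwarded, and only to the one internal host), as an added example that is not part of the original thread. The rule format, the addresses and the `Forward`/`audit` names are constructed for illustration; the TCP/UDP split for 5631/5632 reflects pcAnywhere's defaults.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Default pcAnywhere ports from the reply: 5631 is the TCP data port and
# 5632 the UDP status port. Edit this set if the host uses other ports.
ALLOWED = {("tcp", 5631), ("udp", 5632)}

@dataclass(frozen=True)
class Forward:
    proto: str    # "tcp", "udp" or "any"
    port_lo: int  # first external port
    port_hi: int  # last external port (equal to port_lo for one port)
    dest: str     # internal address the traffic is forwarded to

def audit(rules, host):
    """Return (findings, missing): rules that expose more than the
    pcAnywhere ports, and allowed ports no rule forwards to `host`."""
    host = ip_address(host)
    findings, covered = [], set()
    for r in rules:
        protos = ("tcp", "udp") if r.proto == "any" else (r.proto,)
        exposed = {(p, n) for p in protos
                   for n in range(r.port_lo, r.port_hi + 1)}
        if ip_address(r.dest) != host:
            findings.append((r, "forwards to a host other than the pcAnywhere machine"))
            continue
        covered |= exposed & ALLOWED
        extra = exposed - ALLOWED
        if extra:
            findings.append((r, f"exposes {len(extra)} port(s) beyond pcAnywhere's"))
    return findings, sorted(ALLOWED - covered)

# Constructed sample rule set for a router in front of 192.168.1.20.
RULES = [
    Forward("tcp", 5631, 5631, "192.168.1.20"),  # data port only: fine
    Forward("any", 5632, 5632, "192.168.1.20"),  # also opens 5632/tcp
    Forward("tcp", 5000, 6000, "192.168.1.20"),  # range far wider than needed
    Forward("tcp", 3389, 3389, "192.168.1.30"),  # unrelated host exposed
]

if __name__ == "__main__":
    findings, missing = audit(RULES, "192.168.1.20")
    for rule, why in findings:
        print(f"{rule.proto} {rule.port_lo}-{rule.port_hi} -> {rule.dest}: {why}")
    print("not forwarded:", missing or "nothing")
```
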