This document details the enhanced security changes made in pcAnywhere 12.5 SP4 and pcAnywhere Solution 12.6.7, how key areas of these enhancements work, and some of the steps that users should take to reduce security risks.
TCP/IP connections are now secured with SSL using 256- or 128-bit encryption. A “None” option is also provided to omit encryption; however, data integrity checks are still made.
Symantec recommends using the default 256-bit encryption for optimal security. The 128-bit and “None” options are provided for performance-sensitive secure environments.
pcAnywhere Quick Connect will not connect unless the host is configured for AES 256 encryption.
pcAnywhere uses self-signed SSL certificates. Two key files are used: host.key and host.cer. Host.key contains the private key and Host.cer contains the X.509 certificate that contains the public key. The private key is protected by ACLs that only allow administrators, power users, and SYSTEM to access it.
Warning: The private key file must be protected.
If an unauthorized person gains access to the private key file they may be able to either masquerade as the host or perpetrate a man-in-the-middle (MITM) attack on anyone who attempts to remotely control a host.
If you suspect that the host private key has been compromised, you can generate a new one by completing the following steps:
For instructions, see the “Trusted Certificates list” section of this document.
During this process, when the host is started and the key files are not present, a new set is generated automatically.
SSL thumbprint verification is used by remote users to validate the authenticity of the host. This verification must be done in order to create a secure connection between the remote and the host and to protect against a MITM attack.
By default, when a remote user attempts to connect to a host via TCP/IP, that user will be presented with a dialog box that displays the thumbprint of the public key of the host. The remote user should match the thumbprint in this dialog box to that of the host.
This thumbprint is not secret. It can be printed, emailed, or communicated over the phone. The thumbprint is stored in the host directory in cert.thumbprint.txt.
If the remote user accepts the host certificate by clicking Accept Always, the host’s public key is stored locally in the Trusted Certificates list and will be accepted automatically for future connections. For more information about the Trusted Certificates list, see the “Trusted Certificates List” section in this document.
A new 256-bit encryption level is now provided for modem communications. Symantec recommends using the new encryption level. Symantec recommends only using lower levels of encryption if security is of less or no importance, though these options may have better performance in some environments.
The security used for modem communication does not include a thumbprint validation step and is therefore susceptible to host impersonation or MITM attacks. To perpetrate one of these attacks, the attacker must be able to actively manipulate signals on the telephone line. If the attacker can only observe the communication on the line, there is no vulnerability.
The default timeout has increased from 10 to 30 seconds.
AES256 is the default encryption level for all connections. Symantec recommends checking the security default settings manually. To check the security default settings, complete the steps in this section.
Also, in the case that you upgraded to pcAnywhere 12.5 SP4 or pcAnywhere Solution 12.6.7, the Prompt to confirm connection setting will not be changed from what you had it set to before the upgrade. To set this setting and to check the other default settings, complete the steps in this section.
The host prompt to display TCP/IP session requests will only be displayed if the remote TCP/IP prompt is also selected and the remote user does not accept or cancel within five seconds.
The host prompt displays five seconds after it passes its public key to the remote computer. The session request will continue if the remote prompt is not set to present untrusted networks, the host’s certificate is already in the Trusted Certificates list, or the remote user chooses to Trust or Deny the connection within five seconds. When the connection continues, the host user is then prompted to confirm the connection by default.
|Step||Remote computer||Host computer|
|1||If Prompt when connecting over TCP/IP untrusted/unknown hosts is selected, the remote registers for callback using the ssl_ctx_set_verify API.|
|2||The remote initiates the connection by calling ssl_connect.|
|3||The host accepts the connection request by calling ssl_accept.|
|4||The host schedules the host thumbprint dialog to appear in 5 seconds.|
|5||If the remote registered for callback in step #1, the callback function on the remote is now called and the remote thumbprint dialog is displayed.
||*If the remote user chooses Deny, the connection will be aborted and the host thumbprint prompt will either not display if it is prior to the 5 second delay or will be closed automatically if it was displayed.
The Close button was included on the prompt so the remote user can close it. However, if the remote user clicks Trust or Deny, the connection continues or is aborted and the host prompt will close automatically.
|6||The handshake process continues and the connection is established.|
|7||If the host thumbprint window has not been displayed yet (there is a five-second delay), it is now cancelled so that it is not displayed.|
|8||The remote sends authentication information to the host.|
If the host is configured to prompt (host option #2), the dialog is presented at this time.
If the user on the host chooses Yes/Accept, the information is used to authenticate the user and the process continues.
If the user on the host chooses No/Deny, the connection is closed by the host.
The old certificate management has been removed. By default, the new trust system will prompt the remote administrator to set computer trust settings. If the administrator chooses Trust Always, the computer is added to the Trusted Certificates list and will not prompt the administrator when connecting to this same computer. If the administrator chooses Trust Once, during the next connection, the trust prompt will be displayed again.
Trusted Certificates List
The Trusted Certificates list is a file of trusted host computer certificates. This list is stored in the trusted_certs.PEM file. If you suspect the host private key has been compromised, you should delete the trusted_certs.PEM file. All hosts will need to be trusted again.
For instructions, see the following article:
When encryption is set to “None,” pcAnywhere passwords are sent in plain text.
In all cases, Symantec recommends that you do not use your domain administrator credentials for remote access. Instead, create a new security credential for the purpose of remote control. Symantec also recommends following standard password policies such as:
The host and remote configuration files are stored on-disk in an encrypted format. These files are encrypted with a key that is unique to each computer. If a computer is cloned from another computer that has pcAnywhere installed, the key will be the same and the computers will be able to read each other’s files.
By default, only administrators, power users, and SYSTEM have access to the host configuration files. Also by default, all users on the computer have access to the remote configuration files. Although these files are encrypted, they are not secure. Anyone who has access to these files may be able to decrypt the file and look at its contents. To secure any of these files, appropriate ACLs must be set on the file.
Note that no encryption is performed on Mac or Linux systems. Use file permissions to protect files on these systems.
By default, host and remote configuration files will be encrypted. If you wish to move one of these files to another computer, you must first remove the encryption using awFileMgr.exe.
After you remove the encryption, you can move the file to a new system and import it using the same tool. The import process encrypts the file with the key of the new computer.
For information on how to decrypt a host or caller file to send to support or use with Symantec Packager, see the following article:
Which users can run the host
Administrators and power users can run the host process. These users have access to all of the host configuration files, the private key, and the X.509 certificate.
Which users can run the remote
Any user who can log onto the box can run the remote. These users have access to all of the remote configuration files and the Trusted Certificates list.
Context of users running on the host
Remote users who are allowed to connect to a host may be able to make changes to the host system that would compromise the system. Some of the actions that a remote user can do only during a remote session include:
Note that when the host is running as a service, the prompt for credentials will appear. However, if the host is running as an application, credentials will not be requested.
In pcAnywhere 12.5 SP4 and pcAnywhere Solution 12.6.7, Access Server is not supported. pcAnywhere Access Server is not secure for Internet-based remote control sessions. As a result of the source code being exposed, Symantec no longer recommends using Access Server.
In the absence of Access Server, Symantec recommends that you use VPN for Internet-based remote control sessions.
The “Unable to attach to specified device” error message is displayed in a number of cases, including if there is mismatched host data port settings between the remote and host from mismatched versions of pcAnywhere. To determine the root of the problem, complete the following steps in order.
Vista or greater: C:\ProgramData\Symantec\pcAnywhere\Hosts
XP: C:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere\Hosts
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
This will clear the history and restart the chat.