
KACE Desktop Authority 11.0 - ExpertAssist 8.7.1 User Guide

User Guide
SSL Setup

If you set up SSL support for ExpertAssist, all traffic between the host and the remote computer is encrypted using industry-strength 128-bit ciphers, protecting your passwords and data. The SSL certificates generated here are used for accessing the HTML-based administration module via HTTPS, and are also used by all virtual FTP servers to secure connections when a suitable client is used. Because the SSL protocol is considered insecure (it is vulnerable to the POODLE attack), ExpertAssist in fact uses the more secure TLS protocol. Make sure to enable the TLS 1.1 or 1.2 protocol in the browser on the computer from which you will be connecting to the remote computer.

Setting up SSL support for ExpertAssist is done in four easy steps:

  1. First, you must set up your Certificate Authority (CA). Select the Create a self-signed certificate item in the list at the top of the page and click the Continue button. This step lets you create a CA certificate, valid for nine years, and self-sign it; all of that is done on the next page.
  2. On the next page, fill out the form at the bottom of the page specifying your country code, your organization and your name. Some default values are taken from your computer's registry. This configures the CA selected from the list at the top of the page. If you are creating a new CA, select Create new CA.

     As the second part of this step, you need to create the server certificate. Fill out the form at the bottom and click the Continue button to proceed. ExpertAssist will generate a certificate request and sign it with the Certificate Authority selected at the top of the page. The certificate created this way will be valid for ten years. Click Continue at the bottom.

  3. The third step is optional: you can now install the CA certificate in your browser. This suppresses the warning you would otherwise get about the unknown Certificate Authority every time you make a secure connection to ExpertAssist. Click the button to download the generated certificate to your computer so that you can install it in your browser.

That’s it. You are now ready to make a secure connection to ExpertAssist. Simply use a URL in the form of https://my.machine.here:2000.

You can use the same CA certificate on several machines, but you can't use the same server certificate in more than one place.

To use one CA certificate on a network of NT machines:

  1. Perform step one on the first machine.
  2. Copy the files CACert.pem, CAKey.pem and CACert.der in the ExpertAssist directory to the other machines.
  3. Continue SSL setup from step two on all other boxes. You only have to perform step three once in this case.

FIPS compliant cryptography

You can enable ExpertAssist to comply with Federal Information Processing Standard (FIPS) 140-1 cryptography policies. When enabled, ExpertAssist accepts only connections from remote clients that comply with FIPS policies and use the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA. In effect, the client (the computer from which you access the remote computer) and the server (the remote computer on which ExpertAssist runs) establish a secure channel using the Transport Layer Security (TLS) protocol. Once TLS is in use and restricted to the FIPS 140-1 standard's algorithm suite, a specific algorithm is mandated for each cryptographic operation, as listed in Table 8.

Table 8: FIPS 140-1 standard's security algorithms.

  Algorithm                             Usage
  Triple DES (3DES)                     Used to encrypt TLS traffic
  Rivest, Shamir, and Adleman (RSA)     Public key algorithm used for exchanging TLS keys and authentication
  Secure Hashing Algorithm 1 (SHA-1)    Used for TLS hashing

To configure ExpertAssist to use only FIPS 140-1 compliant algorithms:

  1. Enable the following security policy on the remote computer, either in Local Security Policy (LSP) or as part of Group Policy: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

    This policy can be enabled under the Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ path of the LSP or Group Policy object (GPO).

    Note: To have ExpertAssist use the FIPS 140-1 standard, this security policy must be enabled on the remote computer where ExpertAssist runs.

  2. When this policy is applied to the remote computer, you must enable your client browser to use the TLS 1.1/1.2 protocol when accessing that remote computer. This allows your client browser to use the limited cipher suite required by the FIPS-enabled remote computer. In other words, both the remote computer and your local computer must be able to use only the FIPS compliant set of security algorithms. Enabling the FIPS security policy on the remote computer forces ExpertAssist to accept only connections from clients that connect over the TLS protocol, and then applies the cipher suite restrictions to those connections. Enabling TLS in the client browser lets the browser negotiate the requirements determined by ExpertAssist.

    By default the TLS protocol supports the following cipher suites:

    • TLS_RSA_WITH_RC4_128_MD5
    • TLS_RSA_WITH_RC4_128_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    • TLS_RSA_WITH_DES_CBC_SHA
    • TLS_DHE_DSS_WITH_DES_CBC_SHA
    • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
    • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
    • TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
    • TLS_RSA_EXPORT_WITH_RC4_40_MD5
    • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
    • TLS_RSA_WITH_NULL_MD5
    • TLS_RSA_WITH_NULL_SHA

    Enabling TLS in the browser (the client) allows it to work with all of the cipher suites listed above. Enabling the FIPS security policy on the remote computer forces ExpertAssist (the server) to narrow the cipher suite scope down to the single FIPS compliant suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA.

    Note: If you see the 'Internet Explorer cannot display the page' error when connecting to a remote computer with the FIPS policy enabled, this may indicate that your browser does not have TLS enabled. Make sure to enable the TLS 1.1/1.2 protocols in the browser on the computer from which you will be connecting to the remote computer.

To enable your browser to use the TLS protocol:

  1. Select Tools|Internet Options in your browser and switch to the Advanced tab of the Internet Options dialog box.
  2. Scroll the Settings list to the very end and select the Use TLS 1.1 and Use TLS 1.2 checkboxes in the Security section.

You can enable the TLS 1.1/1.2 automatically on your client computers using Desktop Authority Manager functionality to apply registry changes.

To do that, configure it to create the SecureProtocols REG_DWORD value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings key on your client computers, and then set the SecureProtocols value to the corresponding mask. The following mask is available:

  Protocol           Mask (Decimal)   Mask (Hexadecimal)
  TLSv1.1/TLSv1.2    2560             0xa00

If you want to set all your clients to have both TLS 1.1 and TLS 1.2 enabled in their browsers, set the mask to 2560 (decimal) or 0xa00 (hexadecimal).
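As an added example (not part of the ExpertAssist guide), the following PowerShell script applies the SecureProtocols mask from the table above for the current user and checks whether the server-side FIPS policy is on. The per-protocol bit values (TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800) and the FipsAlgorithmPolicy registry location are assumed from Microsoft's documentation; the function names are my own.

```powershell
# Added example, not from the ExpertAssist guide. Assumed WinINet bit values
# for SecureProtocols: TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800.
$TlsBits = @{ 'TLS1.0' = 0x80; 'TLS1.1' = 0x200; 'TLS1.2' = 0x800 }

function Get-SecureProtocolsMask {
    param([string[]]$Protocols)
    $mask = 0
    foreach ($p in $Protocols) {
        if (-not $TlsBits.ContainsKey($p)) { throw "Unknown protocol '$p'" }
        $mask = $mask -bor $TlsBits[$p]
    }
    return $mask
}

function Set-IeSecureProtocols {
    # Client side: TLS 1.1 + TLS 1.2 gives 0x200 -bor 0x800 = 0xa00 = 2560,
    # the value given in the guide's mask table.
    param([string[]]$Protocols = @('TLS1.1', 'TLS1.2'))
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $mask = Get-SecureProtocolsMask $Protocols
    # -Force creates the value if it is missing and overwrites it otherwise.
    New-ItemProperty -Path $key -Name 'SecureProtocols' -PropertyType DWord `
        -Value $mask -Force | Out-Null
    # Read the value back so a failed write does not go unnoticed.
    $applied = (Get-ItemProperty -Path $key -Name 'SecureProtocols').SecureProtocols
    if ($applied -ne $mask) { throw "SecureProtocols readback mismatch: $applied" }
    return ('{0} (0x{0:x})' -f $applied)
}

function Test-FipsPolicyEnabled {
    # Server side: the "System cryptography: Use FIPS compliant algorithms"
    # policy is reflected in this LSA key (assumed location); 1 means enabled.
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
        -Name 'Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $fips -and $fips.Enabled -eq 1)
}

# On a client: enable TLS 1.1 and TLS 1.2 for the current user.
Set-IeSecureProtocols
# On the ExpertAssist host: confirm the FIPS policy is actually in effect.
if (-not (Test-FipsPolicyEnabled)) {
    Write-Warning 'FIPS policy is not enabled on this computer; ExpertAssist will not restrict cipher suites'
}
```

Run the client part under the user whose browser profile should change, since the value lives under HKCU; the FIPS check only says something useful when run on the remote computer itself.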

Once you connect with your browser from your local computer to the remote computer running ExpertAssist with the FIPS policy enabled, ExpertAssist asks your browser to negotiate the TLS/SSL channel using the TLS_RSA_WITH_3DES_EDE_CBC_SHA suite. Since you have enabled TLS in your browser, this cipher suite is selected to establish a secure communication channel between your computer and the remote computer, via the Windows Schannel provider, that matches the FIPS 140-1 standard.

Note: Please refer to http://msdn.microsoft.com/en-us/library/aa380123(VS.85).aspx for more information about the Schannel provider and its cipher suites.

Note: Since the FIPS policy is configured in the Computer Configuration part of the GPO and applied per computer object, enabling this policy will affect all the users and applications running on the remote computer.

Note: Some web sites that require you to use a secure HTTPS connection may not be FIPS compliant, because they generally use the SSL3 protocol, which relies on the non-FIPS compliant MD5 hashing algorithm. Please see the following KB article, http://support.microsoft.com/kb/811834, to find out how you can enable the remote computer's user to work with such sites if necessary.

Windows Password

Select Windows Password to change the current user's Windows password. You must be able to enter the old password before it can be updated.

Preferences

Appearance

If you select the Appearance page under the Preferences object, you can tailor the look of ExpertAssist to your liking.

General Settings

Display perfviewer applet at the top of the screen

Enables or disables the Java applet that shows the current processor and memory utilization in the top frame.

Enable Tooltips

If you grow bored of the tooltips displayed by ExpertAssist, you can turn them off here.

Enable Icons

You can turn off most of the icons displayed on pages.

Default number of items per page for long lists

The number of records displayed per page on pages that show long lists (such as the Event Viewer page).

Default number of items per WAP page

Most WAP devices have very small screens and limited memory. Also, some gateways may enforce size restrictions on the WML documents they compile for their devices. This setting lets you specify the number of records to appear per WAP screen, where applicable. Such screens belong to the Services, Processes, and Drivers pages.

Systray Settings

Display the ExpertAssist icon in the System Tray

If you don't want the ExpertAssist icon to be displayed in the notification area (system tray), you can disable it here. Right-clicking on this icon gives you access to a wealth of extra information, including a log of recent events and detailed performance data graphs. The computer must be restarted for this change to take effect.

Custom Pages

ExpertAssist is able to act as a simple HTTP daemon and serve files from the computer to the Web.

If you specify the root directory for the HTTP daemon, and the default index file, it will display the default index file from the web root specified.

Simply leave the directory field empty if you don't want to use custom pages.
