KACE Desktop Authority 11.1 - ExpertAssist User Guide

IP Address Lockout

With ExpertAssist’s IP Address Lockout feature you can detect and temporarily lock out potential intruders.

This security precaution allows you to configure two specific types of filter. These are called the Denial of Service Filter and the Authentication Attack Filter. The first is a precaution against unwanted intruders who slow your remote machine to a halt by continuously requesting the same service. The second locks out those who persistently try to get past your log-in screen without authorization.

The configuration for each is identical, although the default values differ due to the differences in the kind of attack they are designed to prevent.

Active

By ticking this checkbox you will enable this feature. This can be useful if your server is exposed to the Internet. IP Lockout will prevent people from gaining access to the administrator username and password using brute-force methods, or from tying up your services through relentless requests.

Number of invalid attempts before locking out

Specify the number of login attempts before a lockout occurs.

Reset invalid attempt counter after

After the amount of time specified in this box elapses, the invalid attempt count of the offending IP address will be reset to zero.

Lock out for

If there were a number of bad login attempts from the same IP address, as specified in the second field, within the time period specified in the reset count field, all attempted connections from the offending IP address will be rejected for the amount of time given here.

Bad login attempts and lockouts are logged in the DesktopAuthority.log file if you have logging enabled. Bad login attempts are also logged into User Management Logs.

IP Filtering

With ExpertAssist’s IP address filtering feature you can specify exactly which computers are allowed to access ExpertAssist on your system.

The simple interface on the Security > IP Filtering page lets you maintain IP address restrictions.

If the Profiles list is empty, then filtering is disabled.

How IP Filtering works

When an IP address is checked against a list, ExpertAssist goes from the first element of the list to the last, comparing the IP address against the item. If the item is a single IP address, it only matches the remote IP if they are equal. If the item is an IP address with a subnet mask, a logical AND operation is performed on the subnet mask and the remote IP address, and the result is checked against the item’s network address to see if the remote IP address is in fact on the network. If the item is a wildcard, the remote IP address is converted to its dotted textual representation and the two strings are compared.

When a match is found, ExpertAssist checks if it should allow or deny the connection, based on the allow/deny flag belonging to it. This result is then used to decide whether to let the connection proceed.

If no match is found, then the connection is allowed. If you would like all connections to be denied by default, except for those in the list, enter a DENY:* line as the last item on the list.

It is not possible for you to lock yourself out by accident when setting up IP address restrictions from afar, i.e. you can't enter a DENY:* clause into an empty list.

To add an IP Filtering:

1. Select the existing IP Filter and click Edit.
   Or,
   Type in the new IP Filter name in the Name edit box and click Add.
2. The Move Up, Delete, and Move Down buttons on the IP Filtering page for the selected filter let you manage already entered filters. Select one item in the list, and move it up or down with the appropriate buttons, or remove it altogether.

3. The Address and Subnet fields let you specify a new filtering item. You can enter the following:

   • A single IP address
   • An IP address with a subnet mask, essentially granting or denying access for a whole network.
   • An IP address with wildcards and no subnet mask. Accepted wildcards are an asterisk (*) that matches any number of characters, or a question mark (?), that matches a single character only.

4. The Allow and Deny options in the Type drop-down list let you specify whether you want to allow or deny access to the IP address or addresses entered.

Whenever a new connection is established to ExpertAssist, the remote IP address is checked against the filter or filters in the list, and access is granted or denied accordingly. The IP filters that you set up here apply to every connection received by ExpertAssist, except for those aimed at the Virtual FTP Server. To specify IP address restrictions specific to this module you will need to use its specific IP filtering options.

Examples

Example 1.

Allow connections from IP address 215.43.21.12 and the network 192.168.0.0/16, and deny all other connections:

ALLOW:215.43.21.12
ALLOW:192.168.0.0 (255.255.0.0) –OR- ALLOW:192.168.*
DENY:*

Example 2.

Allow connections from IP address 215.43.21.12 and the network 192.168.0.0/16, but not from the address 192.168.0.12, and deny everything else:

ALLOW:215.43.21.12
DENY:192.168.0.12
ALLOW:192.168.0.0 (255.255.0.0) –OR- ALLOW:192.168.*
DENY:*

Please note that denying the connection from 192.168.0.12 comes before allowing connections to the 192.168.0.0/16 network. This is because if ExpertAssist was to find the ALLOW item first, it would let IP address 192.168.0.12 through, since it matches the condition. To prevent this, we make sure that the address 192.168.0.12 is checked before the network to which it belongs.

Example 3.

Allow all connections, except those coming from 192.168.0.12:

DENY:192.168.0.12

Example 4.

Deny all connections from the network 192.168.0.0/16 except for the subnet 192.168.12.0/24, and allow all other connections:

ALLOW:192.168.12.0 (255.255.255.0) –OR- ALLOW:192.168.12.*
DENY:192.168.0.0 (255.255.0.0) –OR- DENY:192.168.*

Yet again, ordering is crucial.

EA Logs

Here is where you view the ExpertAssist log files.

The active log file is at the top of the list and is named DesktopAuthority.log. Older logs are stored with the naming convention DAYYYYMMDD.log. For example, the ExpertAssist log file for June 1st 2018 would be called DA20180601.log.

You can enable or disable logging to text files as you will, but ExpertAssist will always log the following events to the Windows Application Log:

1. Service Start/Stop
2. Login/Logout
3. Remote Control Start/Stop
4. Telnet Login/Logout

The Application Log is used because of security considerations.

In addition, service start and stop events are always written to the DesktopAuthority.log file, no matter whether logging is enabled or disabled. You can modify the settings for these logs under the Log Settings page of the Preferences section.

The last entry in the log file list is Download all logs in one compressed file. Click this to create and download a single zipped package with all the log files above.

User Management Log

Use the User Management Log section to view the logs of the activities performed during each remote management session on the EA host you are currently managing via EA. These activities are, for example, a registry key creation, stopping/running services, remote control session data, etc. (To view the overall EA activities logs, use the EA Logs page.)

The user management logs feature the following:

• Store the records of the activities performed during remote management sessions during the period specified in the corresponding settings – 30 days by default.
• Are presented in a special secure ExpertAssist’s own file format — SLOG files;
• Are saved on an EA host (by default, to an EA installation directory: %ProgramFiles%\DesktopAuthority\useractions,
  or %ProgramFiles(x86)%\DesktopAuthority\useractions).
• Are stored encrypted on an EA host, so use the User Management Log page to read the logs’ content.
• Are secured and protected from changes outside of EA. The standard RSA 8000 based digital signature schema is used for the security purposes. The modified or anyhow corrupted logs are marked as invalid.

To view logs:

1. In the navigation pane of the EA Management Window, go Security -> User Management Log. The list of available SLOG log files will be shown on the page to the right in a table. Some of the columns are detailed below.

   Table 7: User Management logs data.

Table Heading	Explanation
ID	The active log (DesktopAuthority.slog) is on top of the list. The active log logs activities performed during the period when the EA services were started and stopped. The log for the oldest session is at the bottom of the list.
Name	The DesktopAuthority.slog file is the active log. Older logs are named according to the following convention DAYYYYMMDD_HHMMSS.slog. For example, the user management log file for June 1st, 2018, will be entitled DA20180601_132125.slog.
Validity	Icon that indicates an SLOG file is invalid, i.e. modified (by other means than the EA application) or anyhow corrupted.

2. Click on an SLOG log file you need. The selected log’s details will be shown in the table below the logs list.
   The most recent records are always on top of the list.
   

To filter logs:

You can filter logs by the following data:

• the user logged in to run the EA management session;
• the date they were created or modified;
• the validity of the logs.

To filter the list of logs:

1. Use the desired field to set values to filter the logs’ list.
   
   For the User field, use the following format:
   DomainName\UserName
   
   For the Date from and Date to fields, either use the calendar that will show when you click on the field, or enter the date manually in the following format;
   YYYY-MM-DD.
2. Click Apply. The list of logs will change accordingly.