KACE Desktop Authority 11.2.1 - ExpertAssist User Guide

FIPS compliant cryptography

You can enable ExpertAssist to comply with Federal Information Processing Standard (FIPS) 140-1 cryptography policies. When enabled, ExpertAssist will accept only those connections from remote clients that comply with FIPS policies and use strong cipher suite of strong encryption algorithms TLS_RSA_WITH_3DES_EDE_CBC_SHA. In effect, this enables both the client (a computer where you access the remote computer from) and the server (remote computer where ExpertAssist runs on) organize a highly secure channel using the Transport Layer Security (TLS) protocol. Once the TLS is used and enabled to choose from the FIPS 140-1 standard’s security algorithms suite, this makes the strict use of certain algorithms for implementing certain operations.

Table 8: FIPS 140-1 standard’s security algorithms.

To inform the ExpertAssist that it should use only FIPS 140-1 compliant algorithms:

1. Enable the following security policy for the remote computer within either Local Security Policy (LSP) or as a part of Group Policy System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.

   This policy can be enabled under the Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ path for the LSP or Group Policy object (GPO).

   Note: To enable ExpertAssist using the FIPS 140-1 standard this security policy should be enabled on the remote computer where the ExpertAssist runs.

2. When this policy is applied to the remote computer, you have to enable your client browser to use the TLS 1.1/1.2 protocol when accessing that remote computer. This enables your client browser to use that limited cipher suite of the algorithms that are required by the FIPS enabled remote computer. In other words, both the remote computer and your local computer should be able to use the only the FIPS compliant set of security algorithms. Enabling the FIPS security policy on the remote computer forces the ExpertAssist to accept only those connections and only from those clients that connect over the TLS protocol, and then apply cipher set restrictions on it. Enabling the client browser to use the TLS protocol you trigger the browser to negotiate the requirements determined by ExpertAssist.

   By default the TLS protocol supports the following cipher suites:

   • TLS_RSA_WITH_RC4_128_MD5
   • TLS_RSA_WITH_RC4_128_SHA
   • TLS_RSA_WITH_3DES_EDE_CBC_SHA
   • TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
   • TLS_RSA_WITH_DES_CBC_SHA
   • TLS_DHE_DSS_WITH_DES_CBC_SHA
   • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
   • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
   • TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
   • TLS_RSA_EXPORT_WITH_RC4_40_MD5
   • TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
   • TLS_RSA_WITH_NULL_MD5
   • TLS_RSA_WITH_NULL_SHA

   Enabling usage of TLS in the browser (the client), you enable it to work with all the specified cipher suites. Enabling the FIPS security policy on your remote computer you force the ExpertAssist (the server) to narrow the cipher suite scope down to the single FIPS compliant suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA.

   Note: If you see the ‘Internet Explorer cannot display the page’ when connecting to the remote computer enabled with FIPS policy this may indicate your browser does not have the TLS enabled. Make sure to enable the TLS 1.1/1.2 protocols in the browser for the computer where you will be connecting to the remote computer from.

To enable your browser use the TLS protocol:

1. Tools|Internet Options in your browser and switch to the Advanced tab of the Internet Options dialog box.
2. Scroll the Settings list to the very end and set the Use TLS 1.1 and Use TLS 1.2 checkboxes in the Security settings section.

You can enable the TLS 1.1/1.2 automatically on your client computers using Desktop Authority Manager functionality to apply registry changes.

To do that, set it to create the SecureProtocols REG_DWORD value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings key on your client computers. Then set the SecureProtocols value to the corresponding mask. The following masks are available:

To do that, set it to create the SecureProtocols REG_DWORD value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings key on your client computers. Then set the SecureProtocols value to the corresponding mask. The following mask is available:

If you want set all your clients to have both TLS 1.1 and TLS 1.2 enabled in their browsers, set the mask to 2560 (decimal) or 0xa00 (hexadecimal).

Once you connect with your browser from your local computer to the remote computer running ExpertAssist and enabled with FIPS policy, ExpertAssist will ask your browser to negotiate the TLS/SSL channel using the TLS_RSA_WITH_3DES_EDE_CBC_SHA suite. Since you enabled your browser to use the TLS, this cipher suite will be selected to organize a secure communication channel (a so called Schannel) matching the FIPS 140-1 standard between your computer and the remote computer.

Windows Password

Select Windows Password to change the current user's windows password. You must be able to enter the old password before it can be updated.

Preferences

Appearance

If you select Appearance page under the Preferences object, you can tailor the look of ExpertAssist to your liking.

General Settings

Display perfviewer applet at the top of the screen

Enable/Disable the Java applet showing the current processor and memory utilization in the top frame.

Enable Tooltips

If you grow bored of the tooltips displayed by ExpertAssist, you can turn them off here.

Enable Icons

You can turn off most of the icons displayed on pages.

Default number of items per page for long lists

The number of records displayed per page on those where there are long lists (such as on the Event Viewer page).

Default number of items per WAP page

Most of the WAP devices out there have very small screens and limited memory. Also, some gateways might enforce size restrictions on the WML documents they compile for their devices. This configuration setting lets you specify the number of records to appear per WAP screen, where applicable. Such screens belong to the Services, Processes, and Drivers page.

Systray Settings

Display the ExpertAssist icon in the System Tray

If you don't want the ExpertAssist icon to be displayed in the notification area (system tray), you can disable it here. Right-clicking on this icon gives you access to a wealth of extra information, including a log of recent events and detailed performance data graphs. The computer must be restarted for this change to take effect.

Custom Pages

ExpertAssist is able to act as a simple HTTP daemon and serve files from the computer to the Web.

If you specify the root directory for the HTTP daemon, and the default index file, it will display the default index file from the web root specified.

Simply leave the directory field empty if you don't want to use custom pages.

Network

Here you can configure your ExpertAssist connection settings, your SMTP settings, and even Dynamic IP Support.

General Settings

The General Settings group allows you to change various connection and data transport related options.

TCP/IP port to listen on

Specify the port you want ExpertAssist to use. This takes effect when the service is restarted.

TCP/IP address to listen on

Specify the IP address you want ExpertAssist to use for incoming connections. Your machine can have several IP addresses assigned to it, and ExpertAssist can listen on all of those addresses or just the one you specify here. This takes effect when the service is restarted.

IP filter profile to use

Here you can select from a drop-down list of specified IP addresses. You will first need to set this up under Security > IP Filtering

You must restart the ExpertAssist service before the changes take effect.

Accept unsecured HTTP connections (non-SSL)

If this checkbox is unchecked and SSL transport has been set up (Security > SSL Setup) then only HTTPS connections will be allowed.

Broken proxy server mask

This is a rather obscure name for a setting provided to work around a rather obscure problem.

Some proxy servers request pages from web servers using several IP addresses. This can cause ExpertAssist to bounce you back to the login page after you click the Login button. If you are not affected by this problem, you should not change this setting. However, if you experience this problem, please read the following section carefully.

When you log in, your browser is assigned a session identifier in a cookie. For security reasons, this cookie is only valid when sent from the IP address from which the login originated. Were it not so, an eavesdropping attacker would be able to copy your cookie and gain access to all ExpertAssist resources to which you have access.

Some proxy servers use several IP addresses when requesting data from a remote computer. If this is the case with your proxy server, ExpertAssist sees the original IP address and session identifier as valid, but requests originating from other IP addresses (even if accompanied by a valid cookie) are replied to with the login page. The login page breaks out of frames, and displays itself in your browser - and you are prompted to log in again. A possible workaround is to keep logging in as many times as necessary - most proxy servers only use a few - maybe half a dozen - IP addresses. Once all the IP addresses are logged in, you will no longer be bounced to the login page.

ExpertAssist has had a setting called Proxy Problem Fixer. This is essentially a mask that can be applied to IP addresses. Suppose your proxy server uses the following IP addresses to request pages from servers:

192.168.0.33, 192.168.0.34, 192.168.0.35, 192.168.0.36, 192.168.0.37, 192.168.0.38

In this scenario, if you look at the IP addresses in binary form, you can see that only the last three bits are different:

11000000.10101000.00000000.00100001

11000000.10101000.00000000.00100010

11000000.10101000.00000000.00100011

11000000.10101000.00000000.00100100

11000000.10101000.00000000.00100101

11000000.10101000.00000000.00100110

This means that the largest number that can be represented on three bits (111 binary = 7 decimal) has to be masked from the IP addresses when checking them against each other to verify the validity of the session identifier cookie.

ExpertAssist provides a subnet mask-like setting for this purpose. By default, it is set to 255.255.255.255 - this means that no bits are masked off. Given the above scenario, we need to mask off the three least significant bits, thus we subtract 7 (binary form: 111) from 255.255.255.255, which leaves us with 255.255.255.248. By entering this value in the Proxy Problem Fixer field, we are telling ExpertAssist to ignore the last three bits.

This is a rather tedious way of getting around the problem, but short of reconfiguring the proxy server to use only one IP address, there is no easier solution. The latter is the recommended solution, since allowing several IP addresses to share the same session identifier can be a security risk. It is not really significant when you only mask off a few (three or four) bits, but if you need to decrease more and more significant bits of the IP addresses, you are putting yourself in a risky situation.

Of course, the risk can be decreased by protecting the cookie with SSL - but this requires that you request the login page with the HTTPS protocol and do not rely on the Use SSL switch that appears when it is requested via unsecured HTTP.

Maximum number of servicing threads

Here you can specify the maximum number of threads ExpertAssist can spawn to service client connections. You must restart the ExpertAssist service before the changes take effect.

Idle time allowed

Here you can specify the idle time allowed on a connection before the user is automatically logged out.

ExpertAssist is a highly configurable tool, meaning that you can change its settings to suit your individual remote administration needs and desires.

Stalled transfer timeout

In the ExpertAssist File Transfer applet, files can be copied to and from the remote computer. If the file transfer is halted for the duration of the timeout value the file transfer will be canceled.

File Transfer Download Bandwidth Limit

Enter the download bandwidth to be used for file transfers. This is entered in the form of kbits/sec. A bandwidth limit of 0 will disable this setting.

File Transfer Upload Bandwidth Limit

Enter the download bandwidth to be used for file transfers. This is entered in the form of kbits/sec. A bandwidth limit of 0 will disable this setting.

Force HTTP Tunneling

Force all java applets to use HTTP protocol instead of a direct socket connection.

SMTP Settings

If you want to configure ExpertAssist to send you email alerts you need to enter your SMTP server settings here.

SMTP server address

The IP address of the SMTP server that email will be sent through.

SMTP user name 

If the SMTP server requires authentication, enter the user name here. Leave this field blank if the SMTP server does not require authentication.

SMTP password

If the SMTP server requires authentication, enter the password here. Leave this field blank if the SMTP server does not require authentication.

Default sender address

Enter a default email address for the SMTP server to use.

Test email recipient

To test the SMTP server settings, enter a test message here and click Send test message. An email will be sent through the SMTP server.

Dynamic IP Support

ExpertAssist can send you an email message pointing to the IP address of your remote host every time it starts up. Use this if your host has a dynamic IP address.

Email recipient

Enter the email address of the user who will receive the IP address change email. To disable this feature, leave this field blank.

Check every

Enter the time interval for when IP addresses should be checked for change.