You can configure ExpertAssist to comply with Federal Information Processing Standard (FIPS) 140-1 cryptography policies. When this is enabled, ExpertAssist accepts only connections from remote clients that comply with FIPS policies and use the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA. In effect, the client (the computer from which you access the remote computer) and the server (the remote computer on which ExpertAssist runs) establish a secure channel using the Transport Layer Security (TLS) protocol. Because TLS is restricted to the FIPS 140-1 standard's algorithm suite, specific algorithms are mandated for specific operations.
Table 8: FIPS 140-1 standard’s security algorithms.
| Algorithm | Usage |
|---|---|
| Triple DES (3DES) | Used to encrypt TLS traffic |
| Rivest, Shamir, and Adleman (RSA) | Public key algorithm used for exchanging TLS keys and for authentication |
| Secure Hash Algorithm 1 (SHA-1) | Used for TLS hashing |
To inform ExpertAssist that it should use only FIPS 140-1 compliant algorithms:
Enable the following security policy on the remote computer, either in Local Security Policy (LSP) or as part of a Group Policy: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.
This policy can be enabled under the Configuration\Windows Settings\Security Settings\Local Policies\Security Options\ path of the LSP or Group Policy object (GPO).
Note: To enable ExpertAssist to use the FIPS 140-1 standard, this security policy must be enabled on the remote computer where ExpertAssist runs.
When this policy is applied to the remote computer, you must enable the TLS 1.1/1.2 protocol in your client browser when accessing that remote computer. This lets your client browser use the limited cipher suite that the FIPS-enabled remote computer requires. In other words, both the remote computer and your local computer must be able to use only the FIPS-compliant set of security algorithms. Enabling the FIPS security policy on the remote computer forces ExpertAssist to accept only connections from clients that connect over the TLS protocol, and then applies the cipher suite restriction to them. Enabling the TLS protocol in the client browser causes the browser to negotiate the requirements set by ExpertAssist.
By default the TLS protocol supports the following cipher suites:
Enabling TLS in the browser (the client) lets it work with all of the specified cipher suites. Enabling the FIPS security policy on the remote computer forces ExpertAssist (the server) to narrow the cipher suite scope down to the single FIPS-compliant suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA.
Note: If you see the 'Internet Explorer cannot display the page' message when connecting to a remote computer with the FIPS policy enabled, this may indicate that TLS is not enabled in your browser. Make sure the TLS 1.1/1.2 protocols are enabled in the browser on the computer from which you will connect to the remote computer.
To enable your browser to use the TLS protocol:
You can enable TLS 1.1/1.2 automatically on your client computers by using Desktop Authority Manager functionality to apply registry changes.
To do that, set it to create the SecureProtocols REG_DWORD value under the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings key on your client computers. Then set the SecureProtocols value to the corresponding mask. The following mask is available:
| Protocol | Mask (Decimal) | Mask (Hexadecimal) |
|---|---|---|
| TLSv1.1/TLSv1.2 | 2560 | 0xa00 |
If you want to set all your clients to have both TLS 1.1 and TLS 1.2 enabled in their browsers, set the mask to 2560 (decimal) or 0xa00 (hexadecimal).
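The following is an added example, not code from the ExpertAssist or Desktop Authority documentation. It composes and decodes the SecureProtocols mask described above and, when run on Windows, reads or writes the REG_DWORD under the HKCU key named in the text using Python's standard `winreg` module (an alternative to pushing the change through Desktop Authority Manager). One assumption: the individual bit values TLS 1.1 = 0x200 and TLS 1.2 = 0x800 are taken from Microsoft's documentation of the SecureProtocols value; the manual only lists their combined mask, 0xa00 (2560), which is what the two bits add up to.

```python
"""Compose, decode and (on Windows) apply the Internet Settings SecureProtocols mask.

Added example; not part of the ExpertAssist / Desktop Authority documentation.
"""
import platform
from functools import reduce

# Assumed per-protocol bits (Microsoft-documented; the manual lists only the sum 0xa00).
SECURE_PROTOCOL_BITS = {
    "TLS 1.1": 0x200,
    "TLS 1.2": 0x800,
}
INTERNET_SETTINGS_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
VALUE_NAME = "SecureProtocols"


def build_mask(protocols):
    """OR together the bits of the named protocols; an unknown name raises KeyError."""
    return reduce(lambda acc, name: acc | SECURE_PROTOCOL_BITS[name], protocols, 0)


def decode_mask(mask):
    """Return (names of enabled protocols, any bits not covered by the table above)."""
    names = [name for name, bit in SECURE_PROTOCOL_BITS.items() if mask & bit]
    known = reduce(lambda acc, bit: acc | bit, SECURE_PROTOCOL_BITS.values(), 0)
    return names, mask & ~known


def read_secure_protocols():
    """Read the current user's value; None when not on Windows or the value is absent."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS_SUBKEY) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
            return value
    except FileNotFoundError:
        return None


def apply_secure_protocols(mask):
    """Create or overwrite the REG_DWORD under HKCU for the current user.

    Returns True when the value was written, False when not running on Windows.
    """
    if platform.system() != "Windows":
        return False
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS_SUBKEY,
                            0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, mask)
    return True


if __name__ == "__main__":
    mask = build_mask(["TLS 1.1", "TLS 1.2"])
    print(f"mask = {mask} (0x{mask:x})")   # 2560 (0xa00), as in the table above
    print("decodes to:", decode_mask(mask))
    print("current HKCU value:", read_secure_protocols())
    # Uncomment on a client computer to apply the setting for the current user:
    # apply_secure_protocols(mask)
```

Run as-is the script only reports the computed mask and the current value; the write is left commented out because it changes the logged-on user's browser configuration. `decode_mask` returns the leftover bits separately so that an unexpected value (for example one that also enables an older protocol) is visible rather than silently ignored.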
Once you connect with your browser from your local computer to a remote computer that is running ExpertAssist with the FIPS policy enabled, ExpertAssist asks your browser to negotiate the TLS/SSL channel using the TLS_RSA_WITH_3DES_EDE_CBC_SHA suite. Because you enabled TLS in your browser, this cipher suite is selected to establish a secure communication channel (provided on Windows by the Schannel security package) that matches the FIPS 140-1 standard between your computer and the remote computer.
Note: Refer to http://msdn.microsoft.com/en-us/library/aa380123(VS.85).aspx for more information about the Schannel provider and its cipher suites.
Note: Because the FIPS policy is configured in the Computer Configuration part of the GPO and applied per computer object, enabling this policy affects all users and applications running on the remote computer.
Note: Some web sites that require a secure HTTPS connection may not be FIPS compliant, because they generally use the SSL3 protocol, which relies on the non-FIPS-compliant MD5 hashing algorithm. See the following KB article, http://support.microsoft.com/kb/811834, to find out how you can enable the remote computer's users to work with such sites if necessary.
Select Windows Password to change the current user's Windows password. You must enter the old password before it can be updated.
On the Appearance page under the Preferences object, you can tailor the look of ExpertAssist to your liking.
Enable or disable the Java applet that shows current processor and memory utilization in the top frame.
If you grow bored of the tooltips displayed by ExpertAssist, you can turn them off here.
You can turn off most of the icons displayed on pages.
The number of records displayed per page on pages that contain long lists (such as the Event Viewer page).
Most WAP devices have very small screens and limited memory. Also, some gateways may enforce size restrictions on the WML documents they compile for their devices. This setting lets you specify the number of records to appear per WAP screen, where applicable; such screens belong to the Services, Processes, and Drivers pages.
If you don't want the ExpertAssist icon to be displayed in the notification area (system tray), you can disable it here. Right-clicking on this icon gives you access to a wealth of extra information, including a log of recent events and detailed performance data graphs. The computer must be restarted for this change to take effect.
ExpertAssist is able to act as a simple HTTP daemon and serve files from the computer to the Web.
If you specify the root directory for the HTTP daemon and a default index file, ExpertAssist displays that index file from the specified web root.
Simply leave the directory field empty if you don't want to use custom pages.
Here you can configure your ExpertAssist connection settings, your SMTP settings, and even Dynamic IP Support.
The General Settings group allows you to change various connection and data transport related options.
Specify the port you want ExpertAssist to use. This takes effect when the service is restarted.
Specify the IP address you want ExpertAssist to use for incoming connections. Your machine can have several IP addresses assigned to it, and ExpertAssist can listen on all of those addresses or just the one you specify here. This takes effect when the service is restarted.
Here you can select from a drop-down list of specified IP addresses. You will first need to set this up under Security > IP Filtering.
You must restart the ExpertAssist service before the changes take effect.
If this checkbox is unchecked and SSL transport has been set up (Security > SSL Setup) then only HTTPS connections will be allowed.
This is a rather obscure name for a setting provided to work around a rather obscure problem.
Some proxy servers request pages from web servers using several IP addresses. This can cause ExpertAssist to bounce you back to the login page after you click the Login button. If you are not affected by this problem, you should not change this setting. However, if you experience this problem, please read the following section carefully.
When you log in, your browser is assigned a session identifier in a cookie. For security reasons, this cookie is only valid when sent from the IP address from which the login originated. Were it not so, an eavesdropping attacker would be able to copy your cookie and gain access to all ExpertAssist resources to which you have access.
Some proxy servers use several IP addresses when requesting data from a remote computer. If this is the case with your proxy server, ExpertAssist sees the original IP address and session identifier as valid, but requests originating from other IP addresses (even if accompanied by a valid cookie) are replied to with the login page. The login page breaks out of frames, and displays itself in your browser - and you are prompted to log in again. A possible workaround is to keep logging in as many times as necessary - most proxy servers only use a few - maybe half a dozen - IP addresses. Once all the IP addresses are logged in, you will no longer be bounced to the login page.
ExpertAssist has a setting called Proxy Problem Fixer. This is essentially a mask that is applied to IP addresses. Suppose your proxy server uses the following IP addresses to request pages from servers:
192.168.0.33, 192.168.0.34, 192.168.0.35, 192.168.0.36, 192.168.0.37, 192.168.0.38
In this scenario, if you look at the IP addresses in binary form, you can see that only the last three bits are different:
11000000.10101000.00000000.00100001
11000000.10101000.00000000.00100010
11000000.10101000.00000000.00100011
11000000.10101000.00000000.00100100
11000000.10101000.00000000.00100101
11000000.10101000.00000000.00100110
This means that the largest number that can be represented in three bits (111 binary = 7 decimal) has to be masked off the IP addresses when comparing them to verify the validity of the session identifier cookie.
ExpertAssist provides a subnet mask-like setting for this purpose. By default, it is set to 255.255.255.255 - this means that no bits are masked off. Given the above scenario, we need to mask off the three least significant bits, thus we subtract 7 (binary form: 111) from 255.255.255.255, which leaves us with 255.255.255.248. By entering this value in the Proxy Problem Fixer field, we are telling ExpertAssist to ignore the last three bits.
This is a rather tedious way of getting around the problem, but short of reconfiguring the proxy server to use only one IP address, there is no easier solution. The latter is the recommended solution, since allowing several IP addresses to share the same session identifier is a security risk. The risk is not really significant when you only mask off a few (three or four) bits, but the more significant bits of the IP address you mask off, the riskier your situation becomes.
Of course, the risk can be decreased by protecting the cookie with SSL - but this requires that you request the login page with the HTTPS protocol and do not rely on the Use SSL switch that appears when it is requested via unsecured HTTP.
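The following added example (not ExpertAssist code) models the session check described in this section: a session identifier is accepted only when the requesting address, after the Proxy Problem Fixer mask is applied, equals the address that logged in. It derives the mask for the six proxy addresses from the scenario above, shows that the default 255.255.255.255 rejects the proxy's second address while 255.255.255.248 accepts all six, and also shows the cost the text warns about: an address that is not one of the proxy's but falls inside the masked block is accepted too. The session store and `same_client` helper are this example's own constructions.

```python
"""Session-cookie IP binding with an ExpertAssist-style Proxy Problem Fixer mask.

Added example, not ExpertAssist code. Sample addresses are the six proxy
addresses from the manual's scenario (192.168.0.33 through .38).
"""
import ipaddress
import secrets

NO_MASK = "255.255.255.255"                                   # default: no bits ignored
PROXY_ADDRESSES = [f"192.168.0.{n}" for n in range(33, 39)]   # constructed sample pool


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value):
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def mask_for_addresses(addrs):
    """Smallest number of low bits to ignore so that all addrs compare equal.

    Returns (dotted mask, masked bit count); for .33-.38 that is 255.255.255.248, 3,
    which is the value the manual arrives at by subtracting 7 from 255.255.255.255.
    """
    ints = [ip_to_int(a) for a in addrs]
    bits = 0
    while len({i >> bits for i in ints}) > 1:
        bits += 1
    return int_to_ip(0xFFFFFFFF << bits), bits


def masked_bits(mask):
    """How many address bits a mask ignores; the manual's measure of added risk."""
    return 32 - bin(ip_to_int(mask)).count("1")


def same_client(login_ip, request_ip, mask=NO_MASK):
    """The comparison ExpertAssist makes: equal after both sides are ANDed with the mask."""
    m = ip_to_int(mask)
    return (ip_to_int(login_ip) & m) == (ip_to_int(request_ip) & m)


class SessionTable:
    """Minimal stand-in for the server-side session store (constructed for this example)."""

    def __init__(self, proxy_fixer_mask=NO_MASK):
        self.mask = proxy_fixer_mask
        self._origin_ip = {}

    def login(self, client_ip):
        session_id = secrets.token_hex(16)    # the cookie value handed to the browser
        self._origin_ip[session_id] = client_ip
        return session_id

    def is_valid(self, session_id, client_ip):
        origin = self._origin_ip.get(session_id)
        return origin is not None and same_client(origin, client_ip, self.mask)


if __name__ == "__main__":
    mask, bits = mask_for_addresses(PROXY_ADDRESSES)
    print(f"mask needed for the proxy pool: {mask} ({bits} bits ignored)")

    strict = SessionTable()                   # default 255.255.255.255
    sid = strict.login("192.168.0.33")
    print("strict, request from .34 accepted:", strict.is_valid(sid, "192.168.0.34"))

    relaxed = SessionTable(mask)
    sid = relaxed.login("192.168.0.33")
    print("relaxed, request from .38 accepted:", relaxed.is_valid(sid, "192.168.0.38"))
    print("relaxed, request from .40 accepted:", relaxed.is_valid(sid, "192.168.0.40"))
    # The cost of masking: .39 is not a proxy address but lies inside the masked block.
    print("relaxed, request from .39 accepted:", relaxed.is_valid(sid, "192.168.0.39"))
```

`mask_for_addresses` gives the tightest mask for a known pool, which is what you want to enter in the Proxy Problem Fixer field; `masked_bits` is a quick way to review a configured value, since each additional masked bit doubles the number of addresses that may reuse a session identifier.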
Here you can specify the maximum number of threads ExpertAssist can spawn to service client connections. You must restart the ExpertAssist service before the changes take effect.
Here you can specify the idle time allowed on a connection before the user is automatically logged out.
ExpertAssist is a highly configurable tool, meaning that you can change its settings to suit your individual remote administration needs and desires.
In the ExpertAssist File Transfer applet, files can be copied to and from the remote computer. If a file transfer is halted for the duration of the timeout value, the file transfer is canceled.
Enter the download bandwidth to be used for file transfers. This is entered in the form of kbits/sec. A bandwidth limit of 0 will disable this setting.
Force all Java applets to use the HTTP protocol instead of a direct socket connection.
If you want to configure ExpertAssist to send you email alerts you need to enter your SMTP server settings here.
The IP address of the SMTP server that email will be sent through.
If the SMTP server requires authentication, enter the user name here. Leave this field blank if the SMTP server does not require authentication.
If the SMTP server requires authentication, enter the password here. Leave this field blank if the SMTP server does not require authentication.
Enter a default email address for the SMTP server to use.
To test the SMTP server settings, enter a test message here and click Send test message. An email will be sent through the SMTP server.
ExpertAssist can send you an email message pointing to the IP address of your remote host every time it starts up. Use this if your host has a dynamic IP address.
Enter the email address of the user who will receive the IP address change email. To disable this feature, leave this field blank.
Enter the time interval at which the IP address should be checked for changes.