EV Reach Console - Configuration - Security, Privileged Access and Auditing

Last modified on 2023/07/12 14:02

EV Reach is a secure yet flexible IT remote support offering. This section describes the security, authentication and auditing processes of EV Reach.

Secure Requests

To ensure a secure connection and protect against malicious hacking, our communication protocol encrypts all data transmitted between the Reach Console, agents and server at the lowest level.

Once the data frame is decrypted on the client side, the frame is then securely authenticated using Microsoft SSPI (Security Support Provider Interface). Microsoft’s SSPI technology allows clients and servers to establish and maintain a secure channel that provides confidentiality, integrity, and authentication. Using SSPI, EV Reach guarantees the identification of the administrator to the client and impersonates the administrator’s credentials locally to authorize the request.

How EV Reach authorizes a transaction

An essential aspect of the EV Reach security model is that it uses native Windows Local Account or Active Directory authentication and privileges. No proprietary authentication takes place while executing a task in Active Directory or on a remote machine.

Every transaction is performed under the credentials of the EV Reach operator (or specified alternate credentials) and is approved/rejected and audited by the native Windows security layer. If a user does not hold the necessary privileges to perform an action, EV Reach simply returns an Access Is Denied message. Essentially, EV Reach does not provide its user with any more privileges than the ones allocated to them in Active Directory.

  • The installation, update, or removal of the EV Reach client agents always requires local administrative privileges on a client machine.
  • Initiating a remote control session requires local administrative privileges on the remote machine by default (this can be configured).
  • Active Directory actions are authenticated and approved using the EV Reach operator’s native account privileges.
  • Performing management tasks on a remote machine requires local administrative privileges.

Alternate Credentials

If an EV Reach operator does not hold the required privileges to perform an action, alternate credentials can be used. Alternate credentials can be specified to authenticate against different protocols, including LDAP, Windows, VNC, Intel vPro, RDP, and Telnet/SSH.

Additionally, EV Reach supports SmartCard redirection and Microsoft LAPS.

See our EV Reach Security white paper.

Auditing

All actions performed by an EV Reach operator are audited. By default, the EV Reach Agent records audit traces in the Windows Event Application Log. However, audits can be centralized using the EV Reach Server.
