EV Reach Gateway Service - Security

Last modified on 2023/08/07 10:34

The EV Reach solution has been adopted by enterprises for its secure implementation. EV Reach Gateway Services extends EV Reach beyond the private network, so security is a priority in its design. The following section lists the primary security controls implemented in EV Reach Gateway Services. If you need further information, contact our Support Team.

Server Identity Verification

To guarantee the identity of the Reach Authority and prevent domain-name hijacking and service rerouting, TLS server identity verification can be enforced between the client and the server: the client completes a TLS handshake and validates the certificate the server presents before sending anything else.

To enable it, bind a public certificate issued by a trusted root authority to the Reach public-facing FQDN (the FQDN must appear in the certificate's subject or Subject Alternative Name, otherwise clients will see a name mismatch). This is done in the Reach Settings of the EV Reach Server options:

[Screenshot image38-6.png: Reach Settings in the EV Reach Server options]

When TLS identity verification is enabled, client machines reject any connection to a Reach server whose certificate fails validation (untrusted issuer, expired certificate, or a name that does not match the FQDN).
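The following PowerShell script is an added example, not EasyVista code, that performs from a Windows client the same check a Reach client makes once TLS identity verification is enabled: it connects to the public FQDN, lets .NET validate the presented certificate against the machine's trusted roots (chain, expiry and name match), and reports what was presented. The host name reach.example.com and port 443 are placeholders; use the FQDN and port the Reach public endpoint is actually published on.

```powershell
# Added example (not EasyVista code). Verifies that the certificate bound to the Reach
# public FQDN passes the default Windows TLS validation a client applies.
# Assumptions: 'reach.example.com' and 443 are placeholders for the real endpoint.
param(
    [string]$Fqdn = 'reach.example.com',
    [int]$Port = 443
)

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($Fqdn, $Port)

    # No custom RemoteCertificateValidationCallback: SslStream applies the default policy,
    # which is exactly the strict behaviour we want to confirm. An untrusted root, an
    # expired certificate or a name mismatch all throw AuthenticationException.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($Fqdn)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    # 2.5.29.17 is the Subject Alternative Name extension; the FQDN must be listed there.
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }

    [pscustomobject]@{
        Fqdn            = $Fqdn
        Protocol        = $ssl.SslProtocol
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        Thumbprint      = $cert.Thumbprint
        SubjectAltNames = if ($san) { $san.Format($false) } else { '(none)' }
        Validated       = $true
    }
}
catch [System.Security.Authentication.AuthenticationException] {
    # This is the outcome a Reach client would hit: the server's identity was not proven.
    Write-Error "TLS validation FAILED for ${Fqdn}: $($_.Exception.Message)"
}
catch {
    # Connection-level problems (DNS, firewall, port closed) are a different failure.
    Write-Error "Could not connect to ${Fqdn}:${Port}: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Run it from a machine that is not the Reach server itself, so the trust decision is made against the same root store a client would use. A result of Validated = True with the expected issuer and a SAN containing the FQDN means the binding is correct; an AuthenticationException is what every client will see and is the signal to fix the certificate before enabling enforcement broadly.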


Encrypted communications

All client/server communications are encrypted with AES using 256-bit keys. Encryption protects the confidentiality of traffic in transit; it does not by itself prove which server the client is talking to, which is why Server Identity Verification (above) should also be enforced on public-facing deployments.

Authenticated and approved actions

Reach clients are manageable through EV Reach Services; however, Reach does not automatically grant privileges on a machine. EV Reach uses native Windows security to authenticate the Reach Operator and requires appropriate credentials to perform any action on the local machine. If an Operator does not hold explicit privileges to perform an action, they are prompted to provide credentials that do.

By default, a Reach Operator must hold local administrative privileges on a machine in order to remote control it. Other management actions are authorized according to the privilege Windows itself requires for that action.

EV Reach authenticates operators automatically using Microsoft's SSPI (Security Support Provider Interface). SSPI lets clients and servers establish and maintain a secure channel that provides confidentiality, integrity, and authentication. Using SSPI, EV Reach proves the Operator's identity to the client and impersonates the Operator's security context locally to authorize the request, so the authorization decision is made by Windows on the managed machine with the Operator's own privileges, not with a privilege held by the Reach service.
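Because authorization is ultimately a Windows decision made on the managed machine, the practical question for an administrator is whether a given operator account would pass the default gate described above (membership, direct or nested, in the local Administrators group). The following PowerShell script is an added example, not EasyVista code, that answers that on an endpoint. It assumes the endpoint is domain-joined and can reach a domain controller, because the WindowsIdentity(UPN) constructor builds the token with an S4U logon; the UPN operator@corp.example is a placeholder.

```powershell
# Added example (not EasyVista code). Checks whether an operator would satisfy the
# default EV Reach requirement of local Administrators membership on THIS machine.
# Assumptions: domain-joined endpoint with DC reachability (S4U logon);
# 'operator@corp.example' is a placeholder UPN.
param(
    [Parameter(Mandatory)][string]$OperatorUpn   # e.g. 'operator@corp.example'
)

try {
    # S4U logon: builds the operator's identification token, with all group SIDs
    # (domain and local, nested included), without needing the operator's password.
    $identity = New-Object System.Security.Principal.WindowsIdentity($OperatorUpn)
} catch {
    Write-Error "Could not build a token for ${OperatorUpn}: $($_.Exception.Message)"
    exit 2
}

$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# Compare against the well-known SID of BUILTIN\Administrators rather than its
# (localizable) name, which is what Windows itself does.
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$isLocalAdmin = $principal.IsInRole($adminsSid)

# Resolve the token's group SIDs to names where possible, for the record.
$groups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
}

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    Operator           = $identity.Name
    LocalAdministrator = $isLocalAdmin
    GroupCount         = @($groups).Count
    Groups             = ($groups -join '; ')
}

if (-not $isLocalAdmin) {
    Write-Warning "$($identity.Name) is not in BUILTIN\Administrators on $env:COMPUTERNAME; EV Reach would prompt for other credentials before allowing remote control."
}
```

Run it on the managed endpoint (for example as Test-ReachOperator.ps1 -OperatorUpn operator@corp.example, the file name being an assumption). Because the token is built by the LSA exactly as it would be for an interactive or network logon, the result reflects nested domain-group membership and local group aliases, which a simple listing of the Administrators group would miss.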

Note: This security model does not apply during an On-Demand Reach support assistance session. In such sessions, the privilege level acquired is that of the client user who initiated the session.

Auditing

EV Reach audits all remote system access and records it locally in the system's event log as well as centrally on the EV Reach Server. Additionally, during an On-Demand Remote Support session, the end user can review at any time the support actions performed on their system.

No outside Operators Allowed

As an additional security measure, EV Reach Operators are not authorized to use EV Reach Gateway Services from outside the organization. An EV Reach Operator can only request Reach Services from within the private network where the Reach Server is installed.

Powered by XWiki © EasyVista 2024