Security
Host
The Host is a remote module installed on a target (i.e. remote) PC. This module works for both unattended and attended access.
Viewer
Viewer is a single "command center" used by a support technician/admin. The Viewer is where you keep your address book, start remote sessions and manage your licenses.
MSI Configurator
MSI Configurator is a built-in tool that helps you create a custom Host or Agent installer for deployment across your remote computers.
File Transfer
File Transfer connection mode allows you to copy files and folders to and from the remote PC in a two-pane window interface:
Show me content for:
The Security section in the Host settings is where you can choose the authorization method — i.e. specify how exactly you are going to log in to this Host from the Viewer. You can also enable other security options, such as Ask user permission, IP filtering, etc.
- Right-click the Host icon in the system tray and select Settings for Host:
- Navigate to the Security section:
Authorization
Starting version 6.9 you can enable multiple Host authorization methods in any combination. To enable an authorization method select Authorization on the left in the Host settings window and select the corresponding checkbox on the right.
Single password
This is the simplest authorization method used in Remote Utilities. There is no login or username, just the password. You are asked to create a password during Host installation. If you didn't set the password during installation you can always set it afterwards in the Host settings or skip creating a password and use another authorization method instead.
To enable singe password authorization select the Single password check box. Make sure that the password is actually set (see below).
Setting new password
Navigate to Authorization, select Single password checkbox, then enter and confirm a new password and click OK:
Changing existing password
- Navigate to Authorization and click Change password...:
- Click Yes in the warning message:
- Enter and confirm a new password and click OK:
Removing existing password
- Navigate to Authorization and click Remove:
- Click Yes in the warning message:
Important!
For security reasons, there are no technical, blank or default passwords. If no authorization method is enabled, you will NOT be able to connect to this Host. Make sure that you enable at least one authorization method.
Remote Utilities security
Use this authorization method if you want to create multiple user accounts with different permissions for each account.
To enable this method select the Remote Utilities security check box. Make sure that you created user/users and set access permissions for them (see below).
Creating users and setting access permissions
Accounts that you create in this dialog apply to this specific Host only. They are not centrally stored anywhere. If you want to create same accounts for multiple Host installations, use the MSI Configurator to pre-configure your custom Host installer with the necessary accounts.
- Navigate to Authorization and click Users and access control...:
- Click Add...:
- Create a user and password. You can optionally enable Ask user permission option for this user. Click OK:
- In the Rights box set permissions for this user and click OK:
- All access — allow all connection modes
- Full Control — allow the Full Control connection mode
- View only — allow the View Only connection mode
- File Transfer — allow the File Transfer connection mode
- Redirect — allow connecting through Host
- Remote Access Features — allow Terminal, Task Manager, Remote registry, Execute, Inventory manager, RDP and Screen recorder connection modes
- Communication Features — allow Text chat, Voice and Video chat and Send message connection modes
- Power Control — allow the Power Control connection mode
- Remote Upgrade — allow using the Remote Install tool for remotely upgrading the Host
- Remote Settings — allow running the Remote Settings mode
Important!
A connection mode must also be allowed in the global permission settings in the Modes tab, see below.
Editing user
- Navigate to Authorization and click Users and access control...:
- Select a user in the list and click Edit...:
- Make the necessary edits and click OK:
Removing user
To remove a user, select the user in the list and click Remove:
Windows security
With this authorization method you can use Windows accounts to authorize on a remote Host. To enable this method select the Windows security check box and set permissions as described below.
To add a Windows user and set access permissions:
- Navigate to Authorization and under "Windows security" checkbox click Permissions...:
- Click Add...
- Select Windows accounts which you want to grant or deny access to the Host and click OK.
- Select an account in the list, set permissions for this account and click OK:
- All access — allow all connection modes
- Full Control — allow the Full Control connection mode
- View only — allow the View Only connection mode
- File Transfer — allow the File Transfer connection mode
- Redirect — allow connecting through Host
- Remote Access Features — allow Terminal, Task Manager, Remote registry, Execute, Inventory manager, RDP and Screen recorder connection modes
- Communication Features — allow Text chat, Voice and Video chat and Send message connection modes
- Power Control — allow the Power Control connection mode
- Remote Upgrade — allow using the Remote Install tool for remotely upgrading the Host
- Remote Settings — allow running the Remote Settings mode
- To apply the settings click OK in the main Host settings window:
Custom server security
Custom server security allows you to use Remote Utilities self-hosted server as your authorization server/hub. For a comprehensive guide on how to set up Custom Server Security please refer to this article.
2-step verification
2-step verification adds another layer of security and guarantees that your Hosts are well protected from unauthorized access even if someone guessed or otherwise got possession of your access password.
Here is how to enable 2-step verification on a single Host:
- In Host configuration window navigate to 2-step verification and select Activate two factor authentication checkbox:
- Use a mobile authenticator app to scan the QR code shown in window. We recommend using Google Authenticator app or Microsoft Authenticator app for smartphones:
- Enter the numeric code shown in your authenticator app:
- Click OK. You have now set up the Host to use 2-step verification. When you connect in to this Host from the Viewer, you will need to enter a one-time password (OTP) in addition to the credentials for the authentication method that you use.
When you build a custom Host installer using the MSI Configurator, you are essentially creating a “master installer” (a template) from which to deploy your Hosts. If you enable 2-step verification during MSI configuration you’ll be using the same security code for all the Hosts that you deployed using your custom installer.
Confirmation
In the Confirmation dialog you can enable Ask user permission:
IP-filter
Use IP-filtering to restrict access to this Host for a specific IP address or IP address range:
- Allow everyone, except – add an IP address or range to the white list
- Deny everyone, except – add an IP address or range to the black list
- Edit – click to specify an IP address or a range
Modes
Use Modes to globally allow or deny specific connection modes for any user who connects in to this Host. To further fine tune access permissions for specific users use the respective authorization method permissions dialog.
For example, to quickly deny File Transfer mode on this Host to all users uncheck File Transfer in the Modes tab and click OK.
Host identity
Starting version 6.9 Remote Utilities has a certificate-based Host identity check mechanism. This mechanism doesn't require any configuration and works automatically.
The first time you connect to a remote Host the Viewer will fetch information about Host’s public key (certificate). From then on, each time you connect to that Host the Viewer will run a verification process to ensure that you connect to the same Host as you intended.
The Host certificate is automatically generated for you in Host identity:
You can re-issue a certificate manually if needed by clicking on Generate new.
If the Host certificate was changed and is different from the one remembered by the Viewer, a warning message appears on the Viewer side:
- Right-click the Host icon in the system tray and select Settings for Host:
- Click Settings for host and select Security from the menu:
- The Security dialog will open:
Authorization methods
Remote Utilities offers three authorization methods:
- Remote Utilities security. This is Remote Utilities own authorization system enabled by default. It consists of two subsystems which can work simultaneously (i.e. you can connect in to the same Host using either way):
- Single-password authorization. A single (master) password is used to authorize on the Host.
- Users and access control. A "username/password" pair is used to authorize on the Host. Different accounts with different access permissions can be created.
- Windows security. This is Windows authorization/authentication scheme. You can use Windows credentials to authorize on the remote Host.
- Custom server security. This method requires using a self-hosted server for authorization.
See below how to set up each authorization method.
Remote Utilities Security
Single password
The simplest authorization system used in Remote Utilities is single password security. You set one master password for a given Host with which to connect in to this Host. You do not have to use a login or username, just the password.
You are asked to create a master password during Host installation:
If you didn't create the master password during Host installation you can set or change it later:
- In the Security window click Change password:
- Set a new password and click OK:
Important!
For security reasons, there is no technical, blank or default password. If you have Remote Utilities security selected as your authorization method but you neither set a master password nor created a user account in Users and Access Control (see below), you will NOT be able to connect to this Host. Make sure that you set your master password either when prompted during installation, or immediately after the installation.
Users and access control
Use this security subsystem if you want different people to connect in to this Host and you still don't want to use Windows authentication scheme. Each user will have their own login and password and an associated set of permissions.
To create a user:
- In the Security window, click Users and access control link:
- Click Add and enter a user name and password.
- (Optional) Enable the Ask user permission option for this user if necessary.
- Click OK. The newly-created user will appear in the user list:
- All access — allow all connection modes
- Full Control — allow the Full Control connection mode
- View only — allow the View Only connection mode
- File Transfer — allow the File Transfer connection mode
- Redirect — allow connecting through Host
- Remote Access Features — allow Terminal, Task Manager, Remote registry, Execute, Inventory manager, RDP and Screen recorder connection modes
- Communication Features — allow Text chat, Voice and Video chat and Send message connection modes
Remote camera— this mode has been discontinued and is no longer available.- Power Control — allow the Power Control connection mode
- Remote Upgrade — allow using the Remote Install tool for remotely upgrading the Host
- Remote Settings — allow running the Remote Settings mode
- Set access permissions for the selected user. In this example the user "John" is allowed to connect to this Host using the View Only and File Transfer connection modes. Other modes will not be available for this user.
Important!
A connection mode must also be allowed in the global permission settings on the Modes tab.
- Click OK to save the settings.
Windows Security
Instead of using the Remote Utilities default authorization method, you can utilize existing Windows and/or Active Directory accounts to authorize on this Host.
- In the main security settings window, select the WinNT security radio button and click Permissions:
- Click Add...
- Select Windows accounts which you want to grant or deny access to the Host and click OK.
- Select an account in the list and set permissions for this account below.
- All access — allow all connection modes
- Full Control — allow the Full Control connection mode
- View only — allow the View Only connection mode
- File Transfer — allow the File Transfer connection mode
- Redirect — allow connecting through Host
- Remote Access Features — allow Terminal, Task Manager, Remote registry, Execute, Inventory manager, RDP and Screen recorder connection modes
- Communication Features — allow Text chat, Voice and Video chat and Send message connection modes
Remote camera— this mode has been discontinued and is no longer available.- Power Control — allow the Power Control connection mode
- Remote Upgrade — allow using the Remote Install tool for remotely upgrading the Host
- Remote Settings — allow running the Remote Settings mode
- Click OK to save the settings.
Custom Server Security
For a comprehensive guide on how to set up Custom Server Security please refer to this article.
Advanced settings
Click the Advanced button to access additional security settings.
Confirmation tab
Use the Confirmation tab to enable the Ask user permission option.
IP-Filter tab
Restrict access to this Host for a specific IP address or IP address range.
- Allow everyone, except – add an IP address or range to the white list
- Deny everyone, except – add an IP address or range to the black list
- Edit – click to specify an IP address or a range
Host authority tab
In the Host authority tab you can set a shared secret that provides the means of verifying identity of the Host.
A shared secret is an alphanumeric code that you can generate on the Host and then add to the corresponding Viewer connection properties. Every time a remote session is about to start, Remote Utilities will check the shared secrets on both ends. If they are not identical, the connection will be refused.
Modes tab
Use the Modes tab to globally allow or deny specific connection modes when connecting to this Host.
Custom server security tab
- Use custom server security – select to enable Custom Server Security authorization method on this Host
- Servers... – add and select a server through which to authorize
- User access... – set user access permissions
Learn more about using a self-hosted server for authorization and setting up custom server security in this article.
