remote access

Remote Desktop Software and Remote Desktop Connection

Security

Security and privacy of data transferred during remote desktop access sessions are critical factors in choosing software for remote computer access. We implemented advanced cryptography methods to offer stable and secure software for remote access sessions.

Ammyy Admin assures that you can feel confident about security of the information you send over the internet.

Hybrid encryption algorithm (AES+RSA)

Ammyy Admin uses hybrid encryption algorithm for data transfer. It combines AES (a standard accepted by the U.S. Government and well-known for its reliability) and RSA, widely used not only for data encoding but in operations with digital signatures.

In case of information leakage no one (including Ammyy officers) will be able to decrypt it.

Encryption of all transmitted data

Data communication with Ammyy Admin during a remote desktop session is held in secure encrypted form. All information transmitted between computers over the Internet, including display images, cursor moves, keyboard input, file transfer, etc is reliably protected. Encryption is constant and impossible to turn off.

Flexible authentication settings

Ammyy Admin offers powerful, flexible options for Operator/Client authentication. Connection to remote desktop is accessed by using a password and/or (depending on settings) hardware ID which is impossible to imitate or fake. To access a computer remotely, "Operator" (side that is going to control remote desktop) must know unique ID of "Client" (side that is to be controlled). Without permission from "Client" side and special settings, access to remote desktop in hidden mode is impossible.

Ammyy Admin Security White Paper

Ammyy Admin provides strong end-to-end solutions to data security that make data confidentiality safe.

Scope and audience

This guide is for Ammyy Inc. customers and those who need to understand how Ammyy Admin impacts information security risk and compliance in their environment. This document solely addresses the Ammyy Admin product.

Introduction

Ammyy Admin is multitask software that allows IT and support professionals to provide remote support to computers and servers as well as to organize on-line meetings for collaborative or educational purposes. Ammyy Admin allows a support representative to view and control an end user's Windows based PC remotely.

This document focuses on the information security features of Ammyy Admin. The reader is assumed to have a basic understanding of the product and its features. Additional materials on Ammyy Admin can be found online at www.ammyy.com or by contacting an Ammyy Inc. representative.

Definitions

Operator - a PC from which a support provider representative connects to a remote PC of a client and control it in order to deliver tech support or for other purposes.

Client - a PC which remote computer (Operator) connects to.

ID – a unique identification number of a PC in Ammyy World Wide Network. The ID is generated automatically based on hardware characteristics of PC.

Authentication - the act of confirming the truth of user rights for connection to a remote PC.

NAT (network address translation) – a process of modifying IP address information in IP packet headers while in transit across a traffic routing device.

Ammyy router – an intermediary element of distributed servers used to realize communication services between Operators and Clients.
There are 2 types of Ammyy routers:

1) Public – organized by Ammyy and accessible to any customer by default.
2) Private - organized by a customer on customer premises.

Authentication

Hardware ID

Ammyy Admin generates and binds unique ID to a PC on which it's run. This ID is based on PC hardware configuration and is generated only once what makes this key a unique PC identifier which is impossible to imitate or fake.

Connection accept

Ammyy Admin supports multilevel authentication system which provides a secure access to a remote PC:

1) Manual connection accept – Client PC gets popup dialog box notifying about connection request and manually accepts or rejects the connection.
2) Accept by hardware ID – Client grants access to predefined Operators without need to manually accept remote connection each time remote side attempts to start the session.
3) Accept by password – connection to a Client is possible only by password.
4) Accept by hardware ID and by password – a combination of 2 and 3. Client sets up allowed Operators hardware IDs and assign password. This type of authentication is considered to be the most secure.

Operator lockout

After 3 consecutive failed log-in attempts, the Operator is temporarily blocked (for 30 seconds) from connection attempts. After the lockout period expires, the Operator will be able to connect again.

Protection of customer computer and data

An essential part of Ammyy Admin security is its permission-based access control model for protecting access to the customer's computer and the data contained therein. Before Operator gains access to remote PC, Client sets permissions for this particular Operator. For example, one can limit Operator access to "view screen only", or block file manager or grant full access to the PC.

Secure unattended administration

The unattended server administration feature allows connection to a remote PC, even if there is no person at Client PC to participate in Ammyy Admin session. Unattended administration can be set by installing Ammyy Admin as a service on Client PC and adding access permissions for certain Operators IDs. A more detailed guide to unattended administration can be found here http://www.ammyy.com/en/admin_unattended.html

Communications security features

Communication between participants in Ammyy Admin session occurs via an overlay multicast networking stack that logically sits on top of the conventional TCP/IP stack within each user's computer. The communications architecture is summarized in the figure below. Ammyy Admin session participants ("endpoints") communicate with Ammyy Inc. infrastructure communication servers and gateways using outbound TCP connections on ports 80, 443 or 8080, depending on availability. Ammyy Admin allows communication through HTTPs Proxy with SSL encryption if necessary. Because Ammyy Admin is a hosted service, participants can be located anywhere on the Internet — at a remote office, at home, at a business centre or connected to another company's network.

Communications confidentiality and integrity

Ammyy Admin provides data security measures that address attacks against data integrity and confidentiality. All Ammyy Admin connections are encrypted and access to Client PC is possible only for authorized Operators. Display data, keyboard/mouse control data, transferred files and voice are always exposed in encrypted form. The Ammyy Admin session encryption key is not kept on Ammyy Inc. servers in any form and cannot be discovered or derived by Ammyy Inc. servers or personnel. Thus, breaking into a server cannot reveal the key for any encrypted stream that the intruder may have captured.


Figure 1: Ammyy Admin Remote Support Technology Architecture

Encryption

Ammyy Admin data encryption is primarily based on 1024-bit RSA and 256-bit AES standards which are used to protect all communication between session participants. New session keys are generated for each session by endpoints, and are never known to Ammyy Inc. or its systems and communication servers only route encrypted packets and do not have the session encryption key. This technology is based on the same standards as https/SSL and is considered completely safe by today's standards.

Because Ammyy Admin uses very strong, industry-standard cryptographic measures, customers can have a high degree of confidence that multicast support session data is protected against unauthorized disclosure or undetected modification. High performance and standards-based data security is a "built-in" feature of every Ammyy Admin session.

Code Signature

All files of Ammyy Admin are secured using VeriSign code signing technology. This allows you to verify the origin of the executables you have and no one changed them.