Robust Security Security is paramount when you're running a remote-control host on a critical system--especially if the host is accessed through the administrator account. With pcANYWHERE, you're able to set and manage access to the network and the application in two places--the host object and the client object. The host and client objects are secured with passwords. Separate passwords can be set to view or execute the object. In the application itself, you can password-protect the wizard that creates connection icons. However, on a down note, once the connection icon is used with a successful password, it remains open until the application is closed. This can cause a gaping security hole if you forget to restart the application after using one of the wizards.

Inside the objects, you set the parameters that define an object will connect, along with optional user name and password pairs and encryption levels. We set group access permissions employing user groups from our NT domain. We created a desktop support connection object that let users view the desktop but not manipulate it. We also created connection objects that granted full access. These connection objects were placed on a network server for easier management. Bear in mind that if your host objects will run at start-up: The host object must be on the local hard drive, or pcANYWHERE won't be able to find it because network volumes aren't mapped until a user logs in.

Symantec uses proprietary encryption as well as other methods that require Microsoft's CryptoAPI (which ships with Internet Explorer 3.02 and above)--symmetric key and public key. Both the host and client will negotiate from the strongest encryption level to the weakest. You also can configure objects to not negotiate downward. With encryption active, we were pleased to see no performance degradation.

pcANYWHERE can be configured to lock access to the console, shut down the host, log off the user or restart the host computer if the remote-control session ends improperly, such as when a link goes down over the Internet. You also can set it to wait for a specified period before taking action. We set the console and disconnected the router link between the client and the host. As soon as pcANYWHERE detected the drop, it locked the console, requiring an administrator login to gain access.

OS Integration Symantec's offering is tightly integrated with Windows NT. When connecting to remote hosts, you can connect directly to a host or search an IP subnet for active hosts. Our tests found that occasionally a subnet search would display the hosts, but their statuses would be unknown. At times, we were able to make connections, and at other times we had to rerun the search.

With an administrator installation, you can start or stop hosts running on NT, as well as change the connection configuration files for the host using the host manager utility. When you're manipulating remote hosts within the current NT domain, you need to have administrator rights on the target server. This protects the host from malicious users. Outside of the NT domain, pcANYWHERE requires you to have the same user name and password on both servers in addition to admin rights.

pcANYWHERE records events to the NT event log, unfortunately the logging is fairly sparse. For example, it records by user name that a user logged on via remote control, but it doesn't record when that user logged off.

Rolling It Out Installing pcANYWHERE from a network volume lets your administrators manage the installation easily and allows for customized installations based on your needs. For example, in our lab, we installed a network version under a special directory and made our specific modifications. We then installed it on a workstation (leaving the applications on the server) and found that our modified connection items were copied over to the client. This lets you specify the initial connection items to be installed. Since the network drive assignment can be made through login scripts, you can specify the shared network directories that will hold the connection icons as well with the administrator utility.

To get the proper permissions, however, we had to set read-only access in the share directory and then set read and execute access in the setup directory, a testament that using default permissions are not enough.

Netopia Timbuktu Pro (Beta)
The venerable remote-control package for the Macintosh OS has reinvented itself for the enterprise market. It now offers robust network installation features, integration with Windows NT domains, and tight security, along with support for numerous ESM platforms. We tested Timbuktu version 1.5.4 and Timbuktu Pro (Beta) in this roundup.