May 12, 2005
Excellent remote control features with clever security mechanisms.
Specific vulnerabilities could be exploited by a crafty insider; MS only.
Good tool for remote control and administration, with well thought-out layered security.
When 3am Labs asked us to review LogMeIn, we were not sure whether it was really appropriate for SC Magazine. The software is primarily a tool for web-based remote access and administration (there is a "network console" version for enterprise administrators, too). But it has a surprisingly broad set of security features, as well as some clever ways to tie down possible vulnerabilities in remote administration.
LogMeIn works by installing agent software on each PC to be managed. The agent then connects to the 3am Labs servers over SSL, using a web proxy if required. To manage the remote system, you make a standard browser connection to the 3am website, and log in over an encrypted session. While the agent software only supports Windows (we would very much like to see a Mac version), the browser end has no such requirement. Where parts of the interface use ActiveX, the firm has provided a Java component with identical functionality. On our Linux test machine running Firefox we had no problem with any part of the service.
LogMeIn bypasses the firewalls and proxies which get in the way of other remote management or VNC sessions by relaying every session through the 3am Labs servers, which sit as a man-in-the-middle between browser and agent. On the flipside, this is also a concern – if you have the misfortune of being a security manager in a company where many users have admin rights on their desktops, you really do not want them installing the LogMeIn agent on their own, because it will blow away your perimeter like a cobweb: the agent's outbound SSL connection opens a path back into the network that the perimeter never sees.
Once connected, using an email address and password as credentials, the first view of the service is a list of all computers whose agents are connected, with the names assigned to the agent (this defaults to the local Windows machine name). Some basic setup can be done here, including creating delegated users with limited access to the machines: an extra first line of authorization.
Clicking on a machine sets up the proxied connection to it, which first requires a valid Windows username, password and domain, authenticated as any Windows user would be – another layer of authentication and authorization, at which stage we were already liking the granularity.
One concern is that because the faux-Windows login is just an HTML form, a browser can cache the login data, so the Windows credentials may be left behind on whatever machine the administrator happened to use. This caching definitely should be prevented, even though there is an option to add another "personal password" which will pop up after the Windows authentication, requiring specific characters (like online banking services) rather than the whole password.
When authorized, an initial dashboard view shows a management snapshot, with processor and memory usage, system events, and various other information.
We were more interested in the security mechanisms, and started straight in on those. The basics are all there: access control, IP filtering to further control who can access the system remotely (another layer), the personal password, and detailed logs which show who connected as well as an (unfortunately quite crude) indication of what they were doing.
Remote screen control is also well secured. Anyone with a Unix background, familiar with multi-user X-Windows sessions, is likely to be frustrated with Microsoft's "one console to rule them all" approach. Unless you are specifically connecting to a Terminal Services server, your VNC connection is direct desktop control. Your application screens and mouse movements can be watched by anyone sitting in front of the local monitor, which is something of a problem from a security perspective, especially when the local mouse and keyboard are allowed to interfere, too.
LogMeIn takes various steps to address these shortcomings. The local input devices can be disabled, the screen can be blanked by DPMS (and the software warns you if it was unable to blank the screen), and the agent can be instructed to lock the remote desktop when the session terminates.
In addition, if a local user is already working on the PC, a warning message will show up alerting them to the remote session and giving them the option to deny it, unless the remote session is using an account with admin privileges, in which case this can be overridden. This is neat, but has a fatal flaw: it is the remote server which instructs the Windows session to lock, not the local agent, so if a malicious user yanks out the network cable, the session will not lock. Worse, the system then returns keyboard and mouse control to the local user.
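The lock-on-disconnect flaw above comes from where the decision is made: the server has to tell the agent to lock, so a dead link means no lock. As an added illustration (not LogMeIn's code; the class and `lock_fn` hook are assumed), here is the shape of a local watchdog that locks the desktop itself when remote heartbeats stop, which needs no network to act:

```python
import time
from typing import Callable, List, Optional

class SessionWatchdog:
    """Lock the desktop locally once remote heartbeats stop, so a pulled
    cable cannot leave the PC unlocked (the flaw the review describes)."""

    def __init__(self, timeout: float, lock_fn: Callable[[], None],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.timeout = timeout  # seconds of silence tolerated before locking
        self.lock_fn = lock_fn  # assumed hook, e.g. LockWorkStation() on Windows
        self.clock = clock      # injectable clock for deterministic testing
        self.last_heartbeat: Optional[float] = None
        self.locked = False

    def session_started(self) -> None:
        self.last_heartbeat = self.clock()
        self.locked = False

    def heartbeat(self) -> None:
        """Called whenever traffic from the remote session arrives."""
        if self.last_heartbeat is not None and not self.locked:
            self.last_heartbeat = self.clock()

    def check(self) -> bool:
        """Run periodically; returns True if this call locked the desktop."""
        if self.last_heartbeat is None or self.locked:
            return False
        if self.clock() - self.last_heartbeat > self.timeout:
            self.lock_fn()
            self.locked = True
            return True
        return False

def simulate_cable_pull(timeout: float = 5.0) -> List[float]:
    """Constructed scenario: heartbeats at t=0, 2, 4, then the link goes dead.
    Returns the times at which the watchdog locked the desktop."""
    now = [0.0]
    lock_times: List[float] = []
    wd = SessionWatchdog(timeout, lambda: lock_times.append(now[0]),
                         clock=lambda: now[0])
    wd.session_started()
    for t in (2.0, 4.0):
        now[0] = t
        wd.heartbeat()
        wd.check()
    for t in (6.0, 8.0, 10.0, 12.0):  # silence: cable pulled after t=4
        now[0] = t
        wd.check()
    return lock_times
```

The same check should also gate the return of local keyboard and mouse control, so input is only handed back after the lock has taken effect.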
LogMeIn is a super remote access tool, and it does a great job performing this in a web proxy environment, and a good job locking down some of the vulnerable points in Windows remote admin.
A couple of points of attack remain, but none should be hard to address in future versions.