How can I configure pcAnywhere Solution to prevent eavesdropping?

Article ID: 179625

Products

Symantec Products

Issue/Introduction

 

Resolution

Question

If an organization has concerns that pcAnywhere Solution can be used for eavesdropping or covert monitoring, what settings are recommended and what product behavior can mitigate these concerns?

Answer

pcAnywhere was not designed as a covert monitoring program, and with certain settings in place, there are clear indications when a remote user is attempting to initiate a remote control session and when a remote control session is running.

With pcAnywhere Solution, there is a setting in the host configuration policy named "Require user to approve connection". This option is enabled by default as of pcAnywhere Solution SP1 (build 12.5.415), continuing with SP2 (build 12.5.539). This option causes a dialog box to pop up on the host computer when a remote user attempts to initiate a remote control session. The dialog box allows the local user at the host computer to click "Yes" or "No" to allow the connection, and it has a timeout which ticks down from the value set within the host configuration policy.

There are some variations in the behavior of the pcAnywhere Windows host when the "Require user to approve connection" option is set, depending on the state of the computer and on the type of "caller" (StandardUser or SuperUser) that the pcAnywhere Solution administrators define in the pcAnywhere policy. Refer to the Knowledge Base article entitled "pcAnywhere behavior for StandardUser vs. SuperUser", referenced below, for a table that describes the difference in behavior between the two types of callers.

Due to changes in pcAnywhere Solution SP2, there was initially no way to force approval for all users regardless of the state of the managed host computer. Even with a "StandardUser" as the caller, if the host computer was at the Ctrl+Alt+Del screen or was locked, the pcAnywhere connection attempt would eventually succeed after the approval timeout expired. This was by design, because the caller must still supply Windows credentials in order to access the computer: if the host computer is at the Ctrl+Alt+Del screen, the remote user must log on, and if the computer is locked, the remote user must unlock the workstation before it can be used. Note that Symantec has since released an optional patch to address this behavior. If interested, please see the Knowledge Base article entitled "A user can establish a remote control session when the host computer is at the CTRL+ALT+DEL screen or is locked", which is also referenced below.

Following are some recommendations for product administrators who must address privacy concerns with respect to pcAnywhere Solution.

  1. On the Host tab of the pcAnywhere host configuration policy in the Symantec Management Console (SMC), check the box for “Require user to approve connection” and specify a “Customized approval message” that the end-user will see when the help desk requests a session.
  2. Assuming that “Require user to approve connection” is checked, on the Authentication tab specify only “StandardUser” type callers. This limits the possibility that somebody will establish a remote control session without end-user approval to the two scenarios described above:
         a.  nobody is logged on yet (the computer is at the Ctrl+Alt+Del screen)
         b.  the computer is locked.
  3. On the Security tab, there is an option “Hide host tray icon”. Do not select this option. When the pcAnywhere system tray icon is displayed and end-users hover the mouse pointer over it, they will see the status of the host service. If somebody is connected in a remote control session, the system tray icon will let them know.
  4. On the Security tab, there are options for “Log off host computer on connect” and “Restart host computer on disconnect”. These are disabled by default, and for good reason: their use may interrupt the end-user and possibly cause data loss (if applications with unsaved work are forcibly closed). However, these options also provide assurance to end-users that nobody is monitoring them, because it will not be possible for the help desk or IT user to establish a remote control session without first logging off the user. Consider the risks versus the benefits before enabling either of these two options.

With the settings above in place, if there are still concerns over privacy, they can perhaps be resolved by educating the end-users. The pcAnywhere host service places an icon in the system tray. The icon indicates whether anyone is connected to their computer via pcAnywhere. When a remote control session is allowed after proper authentication, the host tray icon's appearance changes slightly, and it displays a balloon which states "Remote <computername> Connected" (where <computername> is the name of the computer from which an administrator is conducting the remote control session). When the remote control session ends, another pop-up balloon displays "Remote <computername> disconnected". In addition, logged-on users can hover the mouse over the icon to check the status of the host service. When idle, the pop-up balloon states "Symantec pcAnywhere Waiting". However, if a pcAnywhere remote control session is active, hovering over the system tray icon with the mouse displays the session duration, the user or group of the remote computer, and the name of the computer running the remote control session.