Goverlan Reach is a secure yet flexible IT remote support offering. This section describes the security, authentication and auditing processes of Goverlan Reach.
To protect the connection against interception and tampering, the Goverlan communication protocol encrypts all data transmitted between the Reach Console, the agents and the Reach Server at the protocol level, beneath any application payload.
Goverlan Reach uses AES 256-bit encryption. It can also be configured to use only FIPS 140-2 compliant cryptographic libraries (contact our support department to obtain this version).
Once a data frame has been decrypted on the receiving side, it is authenticated using Microsoft SSPI (Security Support Provider Interface). SSPI lets clients and servers establish and maintain a secure channel that provides confidentiality, integrity and authentication. Through SSPI, Goverlan Reach authenticates the administrator to the client and impersonates the administrator's credentials locally, so that the request is authorized by Windows itself rather than by Goverlan.
How Goverlan Reach authorizes a transaction
An important aspect of the Goverlan Reach security model is that it relies on native Windows local account or Active Directory authentication and privileges. No proprietary authentication takes place while executing a task in Active Directory or on a remote machine.
Every transaction is performed under the credentials of the Goverlan Reach operator (or the specified alternate credentials) and is approved or rejected, and audited, by the native Windows security layer. If the operator does not hold the privileges an action requires, Goverlan Reach simply returns the Windows "Access is denied" error. In short, Goverlan Reach grants its user no more privileges than those already assigned to them in Active Directory or on the target machine.
- The installation, update, or removal of the Goverlan client agents always requires local administrative privileges on a client machine.
- Initiating a remote control session requires local administrative privileges on the remote machine by default (this requirement is configurable).
- Active Directory actions are authenticated and approved using the Goverlan operator’s native account privileges.
- Performing management tasks on a remote machine requires local administrative privileges.
If a Goverlan Reach operator does not hold the privileges required for an action, alternate credentials can be used instead. Alternate credentials can be specified for each of the protocols Goverlan Reach authenticates against, including LDAP, Windows, VNC, Intel vPro, RDP and Telnet/SSH.
Additionally, Goverlan supports SmartCard redirection and Microsoft LAPS.
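Because authorization is delegated to Windows, the useful pre-flight check is the one Windows itself will make: does the operator's effective token on the target carry local Administrators membership (the requirement listed above for agent installation, management tasks and, by default, remote control), and if not, are LAPS-managed alternate credentials available? The following is an added PowerShell example, not code shipped with Goverlan Reach or part of its API. It assumes PowerShell 5.1 or later on the operator's workstation, WinRM reachable on the targets, and, for the alternate-credential branch, Windows LAPS (the LAPS module's Get-LapsADPassword cmdlet) deployed with read rights for the operator; the function names and the target hostnames are mine.

```powershell
# Added example, not Goverlan code. Assumptions: PowerShell 5.1+, WinRM reachable on
# the targets, Windows LAPS (Get-LapsADPassword) deployed and readable by the operator.

function Test-OperatorLocalAdmin {
    # Evaluates the operator's *effective* logon token on the target (nested AD groups
    # already expanded), i.e. the same token the native Windows security layer consults
    # when Goverlan Reach impersonates the operator to authorize a request.
    param([Parameter(Mandatory)][string]$ComputerName)
    try {
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
            $principal = [Security.Principal.WindowsPrincipal]::new($identity)
            $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        }
    } catch {
        # An access-denied from WinRM is itself the native answer: the operator
        # cannot act on this host under their own account. Report, do not guess.
        Write-Warning "$ComputerName : $($_.Exception.Message)"
        $false
    }
}

function Get-AlternateLocalAdminCredential {
    # Windows LAPS lookup for targets where the operator is not an administrator.
    # The password stays a SecureString; nothing is written to disk or the console.
    param([Parameter(Mandatory)][string]$ComputerName)
    $entry = Get-LapsADPassword -Identity $ComputerName -ErrorAction Stop
    [pscredential]::new("$ComputerName\$($entry.Account)", $entry.Password)
}

function Get-TargetAccessPlan {
    # For each target: can the operator act under their own account, or must they
    # supply alternate (LAPS) credentials in the Reach Console?
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $isAdmin = [bool](Test-OperatorLocalAdmin -ComputerName $computer)
        $cred = $null
        if (-not $isAdmin) {
            try   { $cred = Get-AlternateLocalAdminCredential -ComputerName $computer }
            catch { Write-Warning "$computer : no LAPS password readable ($($_.Exception.Message))" }
        }
        [pscustomobject]@{
            Computer        = $computer
            OperatorIsAdmin = $isAdmin
            UseAlternate    = (-not $isAdmin)
            AlternateUser   = if ($cred) { $cred.UserName } else { $null }
            Credential      = $cred
        }
    }
}

# Constructed target list for illustration; replace with real hostnames.
Get-TargetAccessPlan -ComputerName 'WS-FINANCE-01', 'WS-HR-07' |
    Format-Table Computer, OperatorIsAdmin, UseAlternate, AlternateUser
```

One caveat worth knowing when reading the result: for domain accounts a network logon carries the full token, so IsInRole reflects real membership; for a purely local account that is a member of Administrators, Windows issues a UAC-filtered token over the network (unless LocalAccountTokenFilterPolicy is set), and the check correctly reports that this account cannot perform administrative work remotely.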
All actions performed by a Goverlan operator are audited. By default, audit traces are recorded in the Windows Application event log; they can also be centralized using the Goverlan Reach Server.
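The default audit destination is a local event log, which rolls over and is only as trustworthy as its retention settings, so two checks matter in practice: that Goverlan audit events are actually being produced, and that the Application log is large enough not to overwrite them before they are collected. The following is an added PowerShell example, not Goverlan code. The event provider name 'Goverlan' is an assumption; read the real one off an existing entry (for example Get-WinEvent -LogName Application | Select-Object -First 50 ProviderName) and pass it in. The function names and the output file name are mine.

```powershell
# Added example, not Goverlan code. The default provider name is an assumption;
# confirm it against a real Goverlan event in the Application log.

function Get-GoverlanAuditTrail {
    # Pulls the Goverlan audit entries from the Application log of one machine and
    # normalizes them into flat records suitable for a SIEM or a spreadsheet.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$ProviderName = 'Goverlan',   # assumption, see lead-in
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Resolve the SID that raised the event to an account name where possible.
            $operator = $null
            if ($_.UserId) {
                try   { $operator = $_.UserId.Translate([Security.Principal.NTAccount]).Value }
                catch { $operator = $_.UserId.Value }
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                EventId     = $_.Id
                Level       = $_.LevelDisplayName
                Operator    = $operator
                Message     = ($_.Message -replace '\s+', ' ').Trim()
            }
        }
}

function Test-AuditLogRetention {
    # A small or circular Application log silently drops the oldest audit traces;
    # this is the reason to centralize them on the Reach Server or a forwarder.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MinimumMB = 64)
    $log = Get-WinEvent -ComputerName $ComputerName -ListLog Application
    [pscustomobject]@{
        Computer = $ComputerName
        SizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
        LogMode  = $log.LogMode        # Circular means oldest entries are overwritten
        Adequate = ($log.MaximumSizeInBytes -ge $MinimumMB * 1MB)
    }
}

# Usage: export the last week of audit records as JSON lines and check retention.
$trail = Get-GoverlanAuditTrail -Days 7
if (-not $trail) { Write-Warning 'No Goverlan audit events found: verify the provider name and that auditing is enabled.' }
$trail | ForEach-Object { $_ | ConvertTo-Json -Compress } | Set-Content -Path .\goverlan-audit.jsonl
Test-AuditLogRetention
```

Run it against the machines where operators work and against a sample of managed endpoints: if the exported trail is empty on hosts where sessions are known to have taken place, the auditing pipeline, not the operator, is what needs attention.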