pcAnywhere security features - Overview
Situation:
You want to know about the security features of pcAnywhere. This applies to pcANYWHERE32 8.0 and pcAnywhere 9.0.
Solution:
pcAnywhere security features are controlled by the host configuration. This security can be broken down into the following categories:
- Encryption
- Allowing or disallowing a connection based on authentication
- Limiting a remote user's function on the host computer
- Forcing users to log into the OS
- Limiting access to pcAnywhere files
- Limiting access to specific pcAnywhere registry keys
- Hiding pcAnywhere hosts from remotes
Encryption
pcAnywhere, by default, uses a proprietary encryption algorithm for the data stream between a host and remote. For users who require more rigorous encryption, pcAnywhere supports using Microsoft symmetric encryption and public/private key encryption. Encryption is engaged immediately upon connection and prior to any data transactions (including authentication). If the remote is not using encryption or is using a lower encryption level than the host, the host can be configured to reject the connection from the remote.
The pcAnywhere data files (.bhf, .chf, .cif, .osf, .gwh) are encrypted using a proprietary encryption algorithm to protect password and username information.
Authentication
To control who connects to your hosts, pcAnywhere can be configured to accept incoming callers based on login ID and password. Callers whose login or password does not match are disconnected. On Windows 9x and Windows NT computers, these logins are configured within pcAnywhere. On Windows NT computers, you can also configure pcAnywhere to authenticate the user using NT's users or groups.
pcAnywhere also provides an additional feature wherein an incoming caller must be approved by a user at the host end. If the caller is rejected or the request times out, the connection is ended.
Limiting Function
You can provide additional limitations on a remote user once they've been authenticated. You can:
- Allow or disallow them the ability to upload or download files
- Restrict their access to all floppy, CD-ROM, and network drives
- Limit their time online
- Limit their ability to affect the pcAnywhere host
pcAnywhere can use the NT User Manager to authenticate or verify that the caller is a valid user. These users have whatever rights the logged-in user has, in addition to any rights you can limit with pcAnywhere. This means that if someone with Administrator privileges is logged into Windows NT, and a caller without Administrator privileges connects with pcAnywhere during that session, the caller will have Administrator privileges.
Remote drives cannot be mapped as drives on the host network.
Limiting Access
You can limit access to pcAnywhere properties. For the pcAnywhere data files (.bhf, .chf, .cif, .osf, .gwh), you can specify a password that must be given in order to view the properties, modify the properties, or use (execute) the file. You can access this by clicking on the Protect Item tab when viewing the properties for a pcAnywhere file.
If you are using NTFS (NT File System), the pcAnywhere directory and files can be secured. If you are using Windows NT, the registry can be secured.
Hiding TCP/IP hosts
You can limit a pcAnywhere TCP/IP host from answering a remote's browse request by creating and setting this DWORD value to 0:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\pcANYWHERE\CurrentVersion\System\DisplayHostInList
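The following audit script is an added example, not Symantec code: it parses a REGEDIT4 text export of the registry and reports whether the value above is present as a DWORD of 0. The sample exports, the host labels and the value name SomeOtherValue are constructed for illustration.

```python
import re

# Key path and value name exactly as given in the article.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\pcANYWHERE\CurrentVersion\System"
VALUE = "DisplayHostInList"

def parse_reg(text):
    """Parse a REGEDIT4 text export into {key_lower: {value_name_lower: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2).strip()
    return keys

def browse_setting(text):
    """Classify the export against the article's setting (DWORD value of 0).

    Returns 'hidden' (DWORD 0), 'nonzero', 'wrong-type' or 'missing'.
    Registry key and value names are case-insensitive, so compare lowercased.
    """
    values = parse_reg(text).get(KEY.lower(), {})
    raw = values.get(VALUE.lower())
    if raw is None:
        return "missing"
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
    if m is None:
        return "wrong-type"  # e.g. created as a string "0" instead of a DWORD
    return "hidden" if int(m.group(1), 16) == 0 else "nonzero"

def make_export(value_line):
    """Build a constructed sample export (not taken from a real host)."""
    return "REGEDIT4\n\n[" + KEY + "]\n" + value_line + "\n"

SAMPLES = {  # constructed inputs; host labels and SomeOtherValue are hypothetical
    "host-a": make_export('"DisplayHostInList"=dword:00000000'),
    "host-b": make_export('"displayhostinlist"=dword:00000001'),
    "host-c": make_export('"DisplayHostInList"="0"'),
    "host-d": make_export('"SomeOtherValue"=dword:00000000'),
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(host, browse_setting(text))
```

Only the 'hidden' result matches the setting described above; the other three results mean the value is not a DWORD of 0 and should be reviewed on that host.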
What pcAnywhere doesn't do
- pcAnywhere does not restrict access to specific drives, folders, applications, or files
- pcAnywhere does not override any rights or accesses set by the host operating system and/or network
- pcAnywhere does not have any firewall features
What the Operating System (OS) doesn't do
Windows 9x is inherently unsecured. By using 3rd-party software, you can increase the security of Windows 9x. However, it is possible to defeat most security schemes by booting Windows 9x into Safe Mode. The Windows 9x registry can be manipulated by anyone or any program. FAT16 and FAT32 partitions cannot be secured without 3rd-party software.
Windows NT can be secured. However, any drives that use FAT (File Allocation Table) partitions are not secure. NTFS partitions can be secured at the drive, directory, and file level. The Windows NT registry can be secured against users and programs.
pcAnywhere and TCP/IP networks
pcAnywhere uses two IP ports: a UDP port to query the status of pcAnywhere hosts, and a TCP port for data transfer.
If UDP packets are a concern, you can configure pcAnywhere to disregard these packets, although that will disable both the ability to check a host's status and the host browsing function.
pcAnywhere cannot directly access a host behind a proxy server. pcAnywhere's ability to access such a host is entirely dependent on proxy server configuration.
Additional Information
The following documents can provide more detailed information:
Common questions about Symmetric or Public-Key Encryption in pcANYWHERE32 8.0
Types of encryption in pcANYWHERE
pcAnywhere and proxy servers
pcAnywhere IP port usage
How to secure Windows NT 4.0 hosts
Document ID: 1999040714023012
Last Modified: 02/26/2003
Date Created: 04/07/1999
Operating System(s): All Supported
Product(s): pcAnywhere 9.0