When 3am Labs asked us to review LogMeIn, we were not sure whether it was really appropriate for SC Magazine. The software is primarily a tool for web-based remote access and administration (there is a "network console" version for enterprise administrators, too). But it has a surprisingly broad set of security features, as well as some clever ways to tie down possible vulnerabilities in remote administration.
LogMeIn works by installing agent software on each PC to be managed. The agent then connects to the 3am Labs servers over SSL, using a web proxy if required. To manage the remote system, you make a standard browser connection to the 3am website, and log in over an encrypted session. While the agent software only supports Windows (we would very much like to see a Mac version), the browser end has no such requirement. Where parts of the interface use ActiveX, the firm has provided a Java component with identical functionality. On our Linux test machine running Firefox we had no problem with any part of the service.
LogMeIn bypasses the firewalls and proxies that get in the way of other remote management or VNC sessions by operating as a man-in-the-middle relay: both the agent and the browser connect outbound to the 3am Labs servers, so no inbound port ever has to be opened. On the flipside, this is also a concern – if you have the misfortune of being a security manager in a company where many users have admin rights on their desktops, you really do not want them installing the LogMeIn agent on their own, because it will blow away your perimeter like a cobweb.
Once connected, using an email address and password as credentials, the first view of the service is a list of all computers whose agents are connected, with the names assigned to the agent (this defaults to the local Windows machine name). Some basic setup can be done here, including creating delegated users with limited access to the machines: an extra first line of authorization.
Clicking on a machine sets up the proxied connection to it, which first requires a valid Windows username, password and domain, authenticated as any Windows user would be – another layer of authentication and authorization, at which stage we were already liking the granularity.
One concern is that because the faux-Windows login is just an HTML form, a browser can cache the login data. Caching of these credentials should be prevented, even though there is an option to add another "personal password" which will pop up after the Windows authentication, requiring specific characters at chosen positions (like online banking services) rather than the whole password.
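To make the "specific characters" mechanism concrete, here is an added example of a positional personal-password challenge of the online-banking kind the review describes. This is illustrative code written for this page, not LogMeIn's own implementation; the class and method names are assumptions. The server picks a few random positions with a CSPRNG, remembers them for one attempt only, and compares the answer in constant time.

```python
import hmac
import secrets

# Added example (not LogMeIn code): a "personal password" challenge that asks
# for the characters at a few randomly chosen positions instead of the whole
# secret. Names are assumptions for illustration.


class PartialPasswordChallenge:
    def __init__(self, secret, positions_per_challenge=3):
        if positions_per_challenge > len(secret):
            raise ValueError("challenge would ask for the whole secret")
        self.secret = secret
        self.k = positions_per_challenge
        self.rng = secrets.SystemRandom()  # CSPRNG, not random.Random
        self.positions = None  # pending challenge; None when nothing is outstanding

    def issue(self):
        """Pick k distinct 1-based positions and remember them as the pending challenge."""
        self.positions = sorted(self.rng.sample(range(1, len(self.secret) + 1), self.k))
        return list(self.positions)

    def verify(self, response):
        """Check the response against the pending challenge in constant time.

        The challenge is consumed whether or not the answer is right, so a
        failed attempt cannot be retried against the same positions.
        """
        positions, self.positions = self.positions, None
        if positions is None or len(response) != len(positions):
            return False
        expected = "".join(self.secret[p - 1] for p in positions)
        return hmac.compare_digest(expected.encode(), response.encode())


def answer(secret, positions):
    """What the legitimate user would type for the given positions (used in tests)."""
    return "".join(secret[p - 1] for p in positions)


if __name__ == "__main__":
    # Constructed sample secret for demonstration only.
    challenge = PartialPasswordChallenge("correcthorse")
    asked = challenge.issue()
    print("positions asked:", asked)
    print("correct answer accepted:", challenge.verify(answer("correcthorse", asked)))
```

The design cost of any partial-password scheme is visible in the code: the server must hold the secret in recoverable form to extract individual characters, so it cannot be stored as a salted hash the way a full password would be. Issuing a fresh set of positions for every attempt, and never re-asking the positions of a failed attempt, is what keeps a guesser from enumerating the secret one position at a time.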
When authorized, an initial dashboard view shows a management snapshot, with processor and memory usage, system events, and various other information.
We were more interested in the security mechanisms, and started straight in on those. The basics are all there: access control, IP filtering to further control who can access the system remotely (another layer), the personal password, and detailed logs which show who connected as well as an (unfortunately quite crude) indication of what they were doing.
Remote screen control is also well secured. Anyone with a Unix background, familiar with multi-user X-Windows sessions, is likely to be frustrated with Microsoft's "one console to rule them all" approach. Unless you are specifically connecting to a Terminal Services server, your VNC connection is direct desktop control. Your application screens and mouse movements can be watched by anyone sitting in front of the local monitor, which is something of a problem from a security perspective, especially when the local mouse and keyboard are allowed to interfere, too.
LogMeIn takes various steps to address these shortcomings. The local input devices can be disabled, the screen can be blanked by DPMS (and the software warns you if it was unable to blank the screen), and the agent can be instructed to lock the remote desktop when the session terminates.
In addition, if a local user is already working on the PC, a warning message will show up alerting them to the remote session and giving them the option to deny it, unless the remote session is using an account with admin privileges, in which case this can be overridden. This is neat, but has a fatal flaw: it is the remote server which instructs the Windows session to lock, not the local agent, so if a malicious user yanks out the network cable, the session will not lock. Worse, the system then returns keyboard and mouse control to the local user.
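The flaw above is a matter of where the decision to lock is made. As an added example, not LogMeIn's code, the following shows the defensive pattern a local agent can use instead: a dead man's switch that locks the console itself when heartbeats from the remote session stop arriving, and only then hands keyboard and mouse back to the local user. The class and function names, the heartbeat interval and the `simulate_cable_pull` driver are assumptions for illustration; `LockWorkStation` is the real Win32 call an agent would make on Windows.

```python
import ctypes
import sys
import time

# Added example (not LogMeIn code): the agent on the managed PC, rather than
# the relay server, locks the console when the remote link goes silent.


def lock_workstation():
    """Lock the interactive session; on Windows this is the real Win32 call."""
    if sys.platform == "win32":
        ctypes.windll.user32.LockWorkStation()
    else:
        print("lock_workstation: no-op on this platform")  # placeholder for other OSes


class SessionWatchdog:
    def __init__(self, timeout_s, lock_fn=lock_workstation, clock=time.monotonic):
        self.timeout_s = timeout_s
        self.lock_fn = lock_fn
        self.clock = clock
        self.last_heartbeat = None  # None when no remote session is active
        self.locked = False
        self.local_input_enabled = True

    def session_started(self):
        self.last_heartbeat = self.clock()
        self.locked = False
        self.local_input_enabled = False  # local keyboard/mouse disabled for the session

    def heartbeat(self):
        """Called whenever traffic from the remote side arrives."""
        if self.last_heartbeat is not None:
            self.last_heartbeat = self.clock()

    def session_ended(self):
        """Clean termination: lock regardless of what the server asked for."""
        self._lock_and_restore_input()

    def poll(self):
        """Called periodically by the agent; returns True if it locked on this call."""
        if self.last_heartbeat is None:
            return False
        if self.clock() - self.last_heartbeat > self.timeout_s:
            self._lock_and_restore_input()
            return True
        return False

    def _lock_and_restore_input(self):
        # Order matters: lock first, then give local input devices back.
        self.lock_fn()
        self.locked = True
        self.local_input_enabled = True
        self.last_heartbeat = None


def simulate_cable_pull(timeout_s=10.0):
    """Drive the watchdog with a fake clock; a cable pull is simply silence."""
    now = [0.0]
    lock_calls = []
    wd = SessionWatchdog(timeout_s, lock_fn=lambda: lock_calls.append("locked"),
                         clock=lambda: now[0])
    wd.session_started()
    for _ in range(3):  # healthy session: heartbeats well inside the timeout
        now[0] += timeout_s / 2
        wd.heartbeat()
    now[0] += timeout_s / 2  # cable pulled; no further heartbeats
    locked_within_timeout = wd.poll()
    now[0] += timeout_s
    locked_after_timeout = wd.poll()
    return {
        "locked_within_timeout": locked_within_timeout,
        "locked_after_timeout": locked_after_timeout,
        "lock_calls": len(lock_calls),
        "local_input_enabled": wd.local_input_enabled,
        "locked": wd.locked,
    }


if __name__ == "__main__":
    print(simulate_cable_pull())
```

The timeout is a trade-off: too short and a slow proxy locks a working session, too long and the local attacker has that window of unlocked desktop. Whatever the value, the important property is that the lock no longer depends on a message from the far end that a pulled cable can prevent.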
LogMeIn is a super remote access tool, and it does a great job performing this in a web proxy environment, and a good job locking down some of the vulnerable points in Windows remote admin.
A couple of points of attack remain, but none should be hard to address in future versions.