As you may or may not know, one of my businesses – Fresh Mango Technologies – moved to BeAnywhere as our primary remote support tool this year, abandoning LogMeIn in for a number of reasons.
BeAnywhere has proved to be a great tool and we’re extremely happy with it, although I must admit I have concerns about it’s acquisition by SolarWinds.
Unfortunately this weekend I discovered a real ‘gotcha’ in terms of security based around the default behaviour of BeAnywhere. It really boils down to this:
If you have a sensitive network folder – for example ‘Personnel’ – that you have restricted access to all but the user ‘John Doe’ on the folder permissions, you would expect not to be able to have access to it via the BeAnywhere File Transfer tool unless you were logged in as John Doe. Unfortunately this is not the case! When I connected to a server using the administrator credentials, I was able to browser ALL files and folders on the server, including ones that the administrator account does not have access to (confirmed by attempting view them via Windows Explorer: permission denied).
I am assuming that this is because the BeAnywhere agent runs as a SYSTEM service by default and also by default, SYSTEM is allowed access to all folders on a server. The only way I can see around it have two potential problems:
Run the BeAnywhere Host service as an administrator, not as SYSTEM
I tried this and unfortunately it stops the Remote Access tool working (File Transfer continues to work)
Remove SYSTEM from the folders that are sensitive
You can do this but this will prevent other thing from reading the data such as backup and antivirus software, obviously that’s a real problem.