RSEE and security

We have received a couple of requests in the last few days to explain the security implications of using our Remote Script Execution Engine (RSEE).

The RSEE service must be installed on the target machine. It listens on a configurable TCP port for incoming script execution requests from a PrimalScript instance, and a second port is used to carry the script's output back to the requester.

All traffic to and from RSEE is encrypted, but not strongly: it uses a very simple and fast algorithm that is sufficient on a trusted network. Treat it as protection against casual snooping, not as a substitute for a VPN or IPsec when script text (or the credentials described below) crosses a network you do not control.

RSEE has no built-in authentication; it assumes that the network itself controls who can reach the target machine. Anyone who can open a TCP connection to the RSEE port can submit a script, so whoever is authorized to connect to your target machine can use RSEE unless you lock it down further as shown below.

If you are sending from outside the target computer's network, you need to either open the appropriate ports in your firewall or tunnel in over a VPN connection. Given the light encryption, the VPN is the better choice. If your network has no firewall to the outside world, you have a host of other problems anyway.

The default installation runs the RSEE service under the LocalSystem account, as most services do. That allows almost any script to do what it needs to do, but combined with the lack of authentication it also means every script that reaches the port runs with full SYSTEM privileges on the target.

You can limit this by running the service itself under a restricted user account and requiring that sufficient credentials be transmitted along with the script. The service then executes the script with the corresponding engine (cscript.exe or powershell.exe) under those credentials, using the same API that RunAs uses (CreateProcessWithLogonW). Keep in mind that those credentials travel over the same lightly encrypted channel, so this option belongs on a trusted network or behind a VPN.

You can further limit access to the RSEE service with IP filtering, for example a Windows Firewall rule that allows the RSEE ports only from the specific PrimalScript workstations that need them.

Another method of limiting access is to leave the RSEE service stopped by default. Any potential RSEE user then needs to start the service first (e.g. using WMI), which usually requires administrative access to the machine, and must stop it again afterwards. This turns remote script execution into an explicit, privileged step instead of an always-on listener.
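The following script is an added example, not part of the original post or of SAPIEN's RSEE installer. It applies the three lock-down options above with PowerShell on the target machine (restricted service account, firewall scoping to specific source addresses, service stopped by default) and adds a small start-on-demand helper for the last option. The service name `RSEE`, the ports `20000`/`20001`, the account `.\rsee_svc` and the allowed addresses are placeholders you must replace with the values from your own installation; the "require credentials with the script" setting is RSEE/PrimalScript configuration and is not shown.

```powershell
#Requires -RunAsAdministrator
# Added example, not SAPIEN's code. All names below are ASSUMPTIONS to verify against
# your own RSEE installation before running this.

$RseeServiceName = 'RSEE'                          # assumed; check Get-Service on the target
$RseePorts       = @('20000', '20001')             # assumed; the request and output ports you configured
$AllowedHosts    = @('10.0.0.10', '10.0.0.11')     # PrimalScript workstations permitted to connect
$ServiceAccount  = '.\rsee_svc'                    # assumed low-privilege local account

# --- 1. Run the service under a restricted account instead of LocalSystem ----------------
# The account needs the "Log on as a service" right (secpol.msc or Group Policy).
$cred = Get-Credential -UserName $ServiceAccount -Message 'Password for the RSEE service account'
$svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$RseeServiceName'"
if (-not $svc) { throw "Service '$RseeServiceName' not found on this machine" }
$r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $cred.UserName
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed with return code $($r.ReturnValue)" }

# --- 2. IP filtering: accept the RSEE ports only from the allowed workstations -----------
# Windows Firewall evaluates explicit Block rules before Allow rules, so a catch-all Block
# on these ports would also cut off the allowed hosts. Rely on the profile's default
# inbound action (Block) plus one scoped Allow rule, and remove any broader Allow rule
# (for example one created by the installer) first.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow) {
    $rulePorts = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    if ($rulePorts | Where-Object { $_ -in $RseePorts }) {
        Remove-NetFirewallRule -InputObject $rule
    }
}
New-NetFirewallRule -DisplayName 'RSEE inbound from PrimalScript hosts' `
    -Direction Inbound -Protocol TCP -LocalPort $RseePorts `
    -RemoteAddress $AllowedHosts -Action Allow | Out-Null

# --- 3. Leave the service stopped; start it only for the duration of a job ---------------
Set-Service -Name $RseeServiceName -StartupType Manual
Stop-Service -Name $RseeServiceName -ErrorAction SilentlyContinue

# Run this function from the administrator's workstation. It needs admin rights on the
# target, which is exactly the gate this option introduces. It uses WMI/CIM over the
# network rather than Get-Service -ComputerName, which PowerShell 7 no longer supports.
function Invoke-WithRseeRunning {
    param(
        [Parameter(Mandatory)] [string]      $ComputerName,
        [Parameter(Mandatory)] [scriptblock] $Job,            # e.g. kick off the PrimalScript remote run
        [string]                              $ServiceName = $RseeServiceName
    )
    $session   = New-CimSession -ComputerName $ComputerName
    $remoteSvc = $null
    try {
        $remoteSvc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                                     -Filter "Name='$ServiceName'"
        if (-not $remoteSvc) { throw "Service '$ServiceName' not found on $ComputerName" }
        $start = Invoke-CimMethod -CimSession $session -InputObject $remoteSvc -MethodName StartService
        if ($start.ReturnValue -notin 0, 10) {   # 10 = service already running
            throw "StartService on $ComputerName returned $($start.ReturnValue)"
        }
        & $Job
    }
    finally {
        # Always stop it again, even if the job failed, so the listener is not left open.
        if ($remoteSvc) {
            Invoke-CimMethod -CimSession $session -InputObject $remoteSvc -MethodName StopService | Out-Null
        }
        Remove-CimSession -CimSession $session
    }
}

# Usage: Invoke-WithRseeRunning -ComputerName 'target01' -Job { <# start the run from PrimalScript #> }
```

The `finally` block is the important part of the helper: if the script you launch through RSEE fails, the service is still stopped and the unauthenticated listener does not stay open on the target.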

As always, if you have any questions or suggestions, please use the comments or post in the appropriate forum at http://support.sapien.com