I’ve been a user of LogMeIn for years, but recently decided to review the various additional security settings that are available. Here’s a breakdown of the settings I’ve enabled:
- Two-factor Authentication: After entering my user/pass to get onto logmein.com, a code gets sent to my BIS e-mail address, which can only be accessed from my BlackBerry. I have to enter the code correctly before being shown my list of computers.
- Personal Password: I’ve entered a personal password into the settings for each computer running LogMeIn. It cannot be accessed by LogMeIn employees because it’s stored on the computer being accessed, not on their servers. When trying to connect to the computer, I’m required to enter a subset of the characters in the code. The interesting thing to note here is that you select the characters from drop-down lists, so they cannot be recorded by a keylogger. Also, because you’re only entering a subset of the characters in the code, someone looking over your shoulder will not learn the entire code.
- After that, I’m still required to enter the password of a user account on my computer (or a domain account if the computer is part of a domain).
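To make the personal-password step concrete, here is an added example (my own illustration, not LogMeIn’s code) of how a partial-password challenge on the host can work: the host picks a few random positions, the user supplies only those characters, and the host compares them in constant time. The secret, the challenge length and the helper names are all assumptions. The last function also shows the caveat to the shoulder-surfing claim: each observed challenge reveals a few more positions, so the protection weakens with repeated observation.

```python
import hmac
import random

# Constructed sample secret stored on the host (not the service). A partial-
# password scheme has to keep the characters recoverable, so it cannot be a
# one-way hash; the security comes from where it is stored, not from hashing.
PERSONAL_PASSWORD = "correct-horse-battery"
CHALLENGE_LENGTH = 3  # assumed number of characters asked for per login

_rng = random.SystemRandom()  # OS entropy, not the seedable default PRNG


def make_challenge(secret, k=CHALLENGE_LENGTH):
    """Pick k distinct 1-based positions of the secret to ask for, sorted
    so they can be presented to the user in order."""
    if not 0 < k <= len(secret):
        raise ValueError("challenge length must be between 1 and len(secret)")
    return sorted(_rng.sample(range(1, len(secret) + 1), k))


def verify_response(secret, positions, supplied):
    """Return True only if `supplied` matches the characters of `secret` at
    the requested positions. Length is checked first, then the comparison is
    done with hmac.compare_digest so timing does not leak which character
    was wrong."""
    if len(supplied) != len(positions):
        return False
    expected = "".join(secret[p - 1] for p in positions)
    return hmac.compare_digest(expected.encode(), supplied.encode())


def positions_exposed(observed_challenges):
    """How many distinct positions an observer has learned after watching
    several challenges. Illustrates why the 'subset only' property protects
    against one glance, not against repeated observation."""
    seen = set()
    for challenge in observed_challenges:
        seen.update(challenge)
    return len(seen)


if __name__ == "__main__":
    challenge = make_challenge(PERSONAL_PASSWORD)
    print("host asks for positions:", challenge)
    answer = "".join(PERSONAL_PASSWORD[p - 1] for p in challenge)
    print("correct answer accepted:", verify_response(PERSONAL_PASSWORD, challenge, answer))
    print("wrong answer accepted:", verify_response(PERSONAL_PASSWORD, challenge, "xxx"))
```

Because every character of the stored secret must be readable to check a response, the personal password is only as safe as the host’s own file protection, which is exactly why keeping it off the vendor’s servers matters.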
So there are four pieces of information required to access any of the machines in my account, including one physical piece (the BlackBerry with access to the BIS account). In addition to that, I’ve also enabled the following settings:
- E-mail notifications for everything from changes to the account settings to failed logins. I’m even notified via e-mail for successful logins, so if by some freak chance someone actually managed to log in to my account, I’ll get notified immediately. All notifications list the public IP from which the access was made.
- Blank the computer screen while it’s in use, and give priority to the remote user over the console user. This prevents anyone who has physical access to the computer from viewing and hijacking your remote session.
- Lock the computer upon any remote session disconnection, including graceful logouts.
In addition to this, you can configure the following settings if you so desire:
- Limit connections to specified IP addresses. This limits the locations from which someone can even attempt to access the machine.
- Require console user consent when accessing. Useful in a work scenario where you might have someone in the office 24/7 and you want to require that they physically go to the console to allow your remote access request. You could then also have a written IT policy to require that the request is only accepted after verifying the requester’s identity over the phone with a security question.
- Record the screen during all sessions. This way if multiple users have remote access to the machine, you can audit their work.
Sounds pretty secure, no? Post your thoughts and opinions in the comments if you’re so inclined.
On a side note, one of the best features of LogMeIn is the Wake-on-LAN support. As long as you have one computer on a particular subnet turned on and running LogMeIn, you can power on any other computers on the same subnet that are running LogMeIn and have WOL enabled in the BIOS. This works great in a home or office scenario where workstations might be configured for standby on idle but some machines are left running 24/7. You can remotely wake any of the sleeping machines right from the LogMeIn website.
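As an added example of what that Wake-on-LAN support is doing under the hood (my own illustration, not LogMeIn’s code), the following builds the standard WoL “magic packet” (six 0xFF bytes followed by the target MAC repeated sixteen times) and broadcasts it over UDP. Magic packets are a link-local broadcast that routers do not forward, which is why one already-awake machine on the subnet is needed to send them on the others’ behalf. The MAC address, broadcast address and port are assumed sample values; the last function is the detection side, which lets you recognise and log wake-ups seen on a segment.

```python
import re
import socket


def build_magic_packet(mac):
    """Return the 102-byte Wake-on-LAN magic packet for `mac`.
    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    hex_digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hex_digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    mac_bytes = bytes.fromhex(hex_digits)
    return b"\xff" * 6 + mac_bytes * 16


def send_magic_packet(mac, broadcast="255.255.255.255", port=9):
    """Broadcast the magic packet on the local subnet. Port 9 (discard) is
    the conventional choice; the NIC only inspects the payload, not the port.
    Returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


def is_magic_packet(payload):
    """Detection side: if `payload` (a UDP payload captured on the segment)
    is a well-formed magic packet, return the target MAC as a string,
    otherwise None. Useful for auditing which hosts are being woken and by
    whom."""
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    sample_mac = "00:11:22:33:44:55"  # constructed sample target
    pkt = build_magic_packet(sample_mac)
    print(f"magic packet for {sample_mac}: {len(pkt)} bytes, "
          f"parsed back as {is_magic_packet(pkt)}")
    try:
        print("bytes broadcast:", send_magic_packet(sample_mac))
    except OSError as err:  # no broadcast-capable interface, e.g. in a sandbox
        print("broadcast not sent:", err)
```

Because the packet carries no authentication, anyone who can broadcast on the segment can wake a machine; that is why pairing WOL with the lock-on-disconnect and console-consent settings above, rather than relying on “it’s asleep” as a control, is the sensible posture.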