Kaseya Community

Disable the "Remote Access" function of Live Connect

  • Disable the "Remote Access" function of Live Connect


    So we have a client that has imposed a privacy policy on us: our engineers have to be blocked from remoting onto supported machines without explicit permission from the user.


    This is easily done for the Remote Control module. However, it's not so easily done for Desktop Access in KLC. In fact, I'm not sure if there's a way to give the user the popup before remoting on with KLC at all - if anyone can think of one, please let me know. So I had to disable it altogether.


    Bear in mind that this client is one of many, and I'm not prepared to disable Desktop Access for all our clients. So I have written a script that removes permissions for the relevant DLL, and it seems to work OK. I did not delete the DLL outright, because that would most likely just get redeployed. Also note that the script deploys KLC as a first step, otherwise it would not do much.


    This script is scheduled on the agent template for this client.


    I've tested redeploying the LiveConnect binaries over the top, and the change held when I tested it - YMMV. Also note that if there is an open LiveConnect session the change won't take effect until liveconnect.exe is killed.


    Help yourself, post any improvements or updates back here, and if you have problems importing the script, try changing the "utf-8" in the first line to match whatever you have in scripts in your system (I've hit that before when importing scripts from the forum.)




    <?xml version="1.0" encoding="utf-8"?>
    <ScriptExport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.kaseya.com/vsa/2008/12/Scripting">
      <Procedure name="Disable KLC Desktop Access" treePres="3" id="780216134" folderId="95912211723694314125442139">
        <Body description="LiveConnect is not bound by Remote Control Machine Policy. If clients have restrictive business policies on remote access, e.g. sysadmins should not be able to remote on without the user's clicking a box to acknowledge, it may be necessary to disable LiveConnect altogether.&#xA;&#xA;In Kaseya install dir is ExtDlls folder. These Dlls are only needed for KLC. If you block access to DesktopAccessService.dll, no-one can use Desktop Access (they get an error message about being unable to communicate with the remote system).&#xA;&#xA;Your install dir may vary.&#xA;&#xA;If the liveconnect dlls are not yet installed, this will be useless, so first we run the deploy liveconnect procedure.">
          <Statement description="Create a named procedure variable and assign a value retrieved from the managed machine by the agent." name="GetVariable" continueOnFail="false" osType="Windows">
            <Parameter xsi:type="EnumParameter" name="VariableType" value="AgentInstallDirectory" />
            <Parameter xsi:type="StringParameter" name="SourceContent" value="" />
            <Parameter xsi:type="StringParameter" name="VariableName" value="agentInstallDir" />
          </Statement>
          <Statement description="Schedule a procedure to run on a specified machine." name="ScheduleScript" continueOnFail="false" osType="Windows">
            <Parameter xsi:type="StringParameter" name="ScriptName" value="1100" />
            <Parameter xsi:type="StringParameter" name="TimeDelay" value="" />
            <Parameter xsi:type="StringParameter" name="MachineID" value="" />
          </Statement>
          <Statement description="Execute the given command as if it were typed in at a command prompt." name="ExecuteShellCommand" continueOnFail="true" osType="Windows">
            <Parameter xsi:type="StringParameter" name="Command" value="icacls &quot;#agentInstallDir#\ExtDlls\DesktopAccessService.dll&quot; /inheritance:r" />
            <Parameter xsi:type="EnumParameter" name="ExecuteAccount" value="System" />
            <Parameter xsi:type="BooleanParameter" name="Is64Bit" value="False" />
          </Statement>
        </Body>
      </Procedure>
    </ScriptExport>


     

  • Why not just create the installer using a /x which installs the agent with remote control disabled?  You've effectively disabled all remote control but what about when the customer needs some assistance?

  • As far as I know the setting for asking permission for remote control on the remote control tab is also applied to KLC remote access. This could simply be tested on a test machine. I have a client where I ask permission to remote control and this is also applied to the KLC, so it should work.

  • Hi Tjibbe - I naturally expected it to apply the remote control policy in KLC, but this turns out not to be the case. Just to clarify, are you telling me that you do this:

             Remote Control > Machine Policy > "Require permission. Denied if no-one logged on."

             Open KLC

             Open Desktop Access

             User at remote machine sees "The admin Tjibbe is asking to control your machine, OK to allow"?

    Because we don't see that at all.

  • Hi Alistair - our engineers can still use the Remote Control module, they just can't use the equivalent function in KLC.

    If I'd been a bit smarter I would have thought of your suggestion - the reason I didn't was because the policy evolved as a long string of requests, and you know how hard it is sometimes to step back and review whether you're on the right path. Also, in my defence, it is a preferable solution to have the popup; I know I've had some frustrating calls with users trying to guide them to click on the Red K...

  • First up, thanks for sharing this.  The agent procedure you provided disabled the Desktop Access functionality as promised.

    I found that the thumbnail desktop view in the top left corner of KLC was still showing the user's desktop though, so I added in an extra step within the script to run the following command:

    icacls "#agentInstallDir#\ExtDlls\ThumbnailCapture.exe" /inheritance:r

    That disabled the thumbnail desktop view in KLC.  The rest of the KLC functionality still works.

    Thanks!
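
Added example, not part of any post in this thread: a PowerShell check that the two `icacls ... /inheritance:r` changes discussed above (DesktopAccessService.dll and ThumbnailCapture.exe) are still in place, for instance after a LiveConnect redeploy. The parameter name, the state labels and the output fields are assumptions made for this example; the install directory is supplied by the caller, and the account running it must be able to read the files' ACLs.

```powershell
# Added example (not from the thread): report whether the icacls lockdown is still in place.
param(
    # Assumption: the caller passes the agent install directory; the agent
    # procedure resolves it at run time as #agentInstallDir#.
    [Parameter(Mandatory = $true)]
    [string] $AgentInstallDir
)

# File names as given in the thread, relative to the agent install directory.
$targets = 'ExtDlls\DesktopAccessService.dll', 'ExtDlls\ThumbnailCapture.exe'

$results = foreach ($relative in $targets) {
    $path  = Join-Path -Path $AgentInstallDir -ChildPath $relative
    $state = 'Unknown'
    $rules = $null

    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        # LiveConnect binaries are not deployed, so there is nothing to lock down yet.
        $state = 'Missing'
    }
    else {
        try {
            $acl   = Get-Acl -LiteralPath $path -ErrorAction Stop
            $rules = @($acl.Access).Count
            # "/inheritance:r" disables inheritance and drops inherited ACEs; if the
            # file had no explicit ACEs, the DACL is now empty and nobody is granted access.
            if ($acl.AreAccessRulesProtected -and $rules -eq 0) { $state = 'Locked' }
            else { $state = 'Open' }
        }
        catch {
            # With an empty DACL, typically only the file's owner can still read the ACL.
            $state = 'AclUnreadable'
        }
    }
    [pscustomobject]@{ Path = $path; State = $state; AccessRules = $rules }
}

$results | Format-Table -AutoSize

# Non-zero exit when a file exists but is not locked, so a scheduled run can flag drift.
if ($results.State -contains 'Open') { exit 1 }
```

A state of `Open` means the file has inheritance enabled again or carries at least one access rule, which is what a redeploy that replaced the file would produce.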