
SANS ISC: Cyber Security Awareness Month - Day 7 - Remote Access and Monitoring Tools - SANS Internet Storm Center SANS ISC InfoSec Forums


Cyber Security Awareness Month - Day 7 - Remote Access and Monitoring Tools

It's 10pm, Sunday night, Anytown.   In a quiet house, a phone rings.

Ring Ring, Ring
Your Mother in Law:
"Hello Dear, I've got an XYZ error message on my screen, I've powered off and back on, and the message is still there.  Can you help?"
You (to yourself, in your inside voice):  "which means she's powered her *screen* off and on instead of her computer, here we go again!"
You (to her, in your out-loud voice): "it really sounds like I need to be there to fix this - can I stop by tomorrow after work?"
Her:  "But I'm bidding on a WXY, and the auction closes tomorrow - can't we get this fixed tonight?  Plus you know how I like to play those fun online games my friend showed me over my coffee every morning"
You (inside voice again): "yeah, another XYZ, everyone needs more of those!  and don't get me started on those malware infested flash games!  how am I going to get this fixed before work tomorrow? She's an hour's drive away and I have an early start tomorrow at work!"
You (to her, out-loud):  "Will you still be awake in an hour? I can drop by later tonight still if that's ok?"
Her:  "that'd be lovely - I'll put a pot of coffee on, and I baked some cookies today.  If this is like last time you'll probably be a few hours!"

Wouldn't it be great if she had an icon on her desktop that would let you remote control her computer, right now?
Well, the good news is, there is such an app.  And like so many things in IT, the bad news is, well, the bad news is that there is such an app.

Remote control tools like gotomypc (now gotomysupport), logmein, webex, bomgar and the like used to be considered *evil* apps in many IT groups.  They pretty much allowed strangers to remote control your desktop computers over SSL or other encryption (or obfuscation or clear text) protocols, and there weren't a lot of tools out there to control how they got used.  I can remember talking to my CFO a number of years back, trying to explain why gotomypc (which was new at the time) was not a good alternative for him, that he should use the corporate VPN access.  If you look at what these remote access tools do, it sounds a lot like the ultimate goal of any pen-tester, or of any of the "bad guys" who of course also want to compromise your network security - total control of internal resources without your knowledge.

On the other hand, as these tools have matured we're seeing a large uptake in their use in corporate IT groups, to the point that most IT groups will often have such a solution in place to remotely support their own users.  We also see it routinely if we call for support on server operating systems or network infrastructure problems - almost the first thing most support techs will do is mail you a remote support link so they can see the problem first-hand and work on it themselves (using your computer).

So for all our family remote support needs, there are dozens of free tools out there that do exactly this.  For our corporate needs, similarly, there are dozens of tools out there that do exactly this, for a per-seat or per-site license fee.

Even in this new world where we've now "blessed" these remote access tools, people are missing some of the "Security 101" questions around them.  Things like - how good is the encryption on this tool?   Where exactly does the session data transit?  Am I running this through an appliance in my own datacenter, or am I being run through the provider's infrastructure on the internet (people call this "the cloud" these days, like that makes it safer somehow).   If the session data goes to the remote support tool provider, what country are they in?  How does their privacy, search and seizure legislation compare to yours?  Does the tool offer a drive map, which might allow file transfer without the user knowing?  The answers to these questions might not matter too much to your Mother-in-Law, but your CEO, CIO and Corporate Counsel should all care.

The "traditional" remote control tools like VNC or MS Terminal Services have been made a lot less effective by firewalls, especially personal firewalls turned on by default in the OS.  They can still be deployed (and controlled) in a corporate setting where you can do things like have Group Policy open workstation firewall ports when at work, and close the affected ports when away, but these tools aren't much help when your CEO is trying to VPN in from a hotel behind a firewall and 2 timezones away. 

What tools do you use for remote support?  If you run a corporate network, how do you control use of remote control tools?  Does your firewall or IPS control this stuff, do you restrict it at the desktop using Group Policy or browser settings, or have you just resigned yourself to the fact that anyone who can dial one of your end-users' extensions can social engineer themselves into a remote session on your network?
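
As an added illustration of the proxy/firewall-side control asked about above (this is not part of the original diary): a sketch that scans web-proxy logs for connections to the vendor domains of the tools named in this post and reports clients using them outside policy. The log format, the IP addresses, the choice of Bomgar as the sanctioned tool and the support subnet are all assumptions constructed for the example.

```python
# Added example: flag outbound connections to remote-support services in proxy logs.
# Log format, addresses and the SANCTIONED policy are assumptions for illustration.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Vendor domains of tools named in the article and comments.
REMOTE_TOOL_DOMAINS = {
    "gotomypc.com": "GoToMyPC", "logmein.com": "LogMeIn", "webex.com": "WebEx",
    "bomgar.com": "Bomgar", "teamviewer.com": "TeamViewer",
}

# Hypothetical policy: only the user-support subnet may use the sanctioned tool.
SANCTIONED = {"Bomgar": ip_network("10.20.30.0/24")}

# Constructed sample lines: "<timestamp> <client-ip> <method> <host:port>"
SAMPLE_LOG = """\
2024-01-07T22:01:13 10.20.30.15 CONNECT support.bomgar.com:443
2024-01-07T22:02:40 10.1.4.77 CONNECT secure.logmein.com:443
2024-01-07T22:03:02 10.1.4.77 CONNECT notlogmein.com:443
2024-01-07T22:05:19 10.1.9.3 CONNECT support.bomgar.com:443
2024-01-07T22:06:55 10.1.9.3 CONNECT www.teamviewer.com.example.net:443
"""

def match_tool(host):
    """Return the tool name if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    for domain, tool in REMOTE_TOOL_DOMAINS.items():
        # Match on a label boundary so look-alike names do not count.
        if host == domain or host.endswith("." + domain):
            return tool
    return None

def unsanctioned_sessions(log_text):
    """Map client IP -> sorted list of remote-support tools used outside policy."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, _, target = parts
        tool = match_tool(target.rsplit(":", 1)[0])
        allowed = SANCTIONED.get(tool)
        if tool is None or (allowed is not None and ip_address(client) in allowed):
            continue  # not a listed tool, or sanctioned tool from the support subnet
        hits[client].add(tool)
    return {ip: sorted(tools) for ip, tools in hits.items()}

if __name__ == "__main__":
    print(unsanctioned_sessions(SAMPLE_LOG))
```

The same report shows both kinds of finding: a tool nobody approved, and the approved tool started from a workstation outside the support subnet.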

Please use the comment form to discuss - this is a debate that's been around for a while, but seems like we have new answers every time!

 =============== Rob VandenBrink Metafore  ===============

Rob VandenBrink

469 Posts
ISC Handler
I really like Teamviewer for accessing a friend's/relative's computer
Rob VandenBrink
4 Posts
Agree, Teamviewer is cool, has VPN support, remote assistance ...
Rob VandenBrink
8 Posts
I like Windows Remote Assistance since it's built in, gets automatic updates along with Windows, and requires interaction from a user on the computer being managed to complete the connection. Also, having it integrated with msn/live messenger makes it easy for mom to use.
James

12 Posts
I have been using Netmeeting for internal support. With Windows 7 Netmeeting goes away. So far nothing I have seen replaces it for ease of use and low cost.

Unlike Netmeeting TeamViewer is not free for commercial users.
KBR

63 Posts
Www.zolved.com, nothing to load.
KBR
1 Posts
Corporate networks tend to have 'screen sharing' platforms of one sort or another that work well for remote assistance. Lotus' SameTime Meeting Center runs on an internal server -- schedule a quick meeting with the user and away you go. For vendors, a second SameTime server in the DMZ allows us to invite them to come to OUR meeting under our control.
Paul

44 Posts
For family and friends; gitso. I have Ubuntu, they can have whatever they want (Linux/Windows/Mac)

On Corporate network (including VPN connections) it's Microsoft World. Remote Assistant + restrictive GPO:
- Only members of "User support" group can initiate a Remote session.
- User has to accept the connection.
- Firewall only allows requests coming from Corporate Network (could even add a sub-net for "user support" people).
One detail is that you have to deactivate the "blackening" of the screen when elevation is requested.
Paul
1 Posts
Yes, I have been using tightvnc thru an ssh tunnel for many years now. I prefer tightvnc because it is fast even over a slow connection. For windoze boxes, I install cygwin, and then I install sshd as a service. I do not usually install vncserver as a service (unless the user is particularly clueless!), but rather have the user manually start vncserver. I also have vncserver pre-configured, including asking the user to allow the connection. I only connect when telephone contact is active at the same time, both to talk the user thru it, and so he can verify my voice is recognized (it's a small company).

The only trouble with all these remote access tools is that, if your mother-in-law is anything like mine, you miss out on those great homemade cookies. ;-)
Moriah

133 Posts
I have been using mikogo... there is even a portable version, so no installs on my computer
minimeister

1 Posts
