It's 10pm, Sunday night, Anytown. In a quiet house, a phone rings.
Ring Ring, Ring
Your Mother in Law: Hello Dear, I've got an XYZ error message on my screen, I've powered off and back on, and the message is still there. Can you help?
You (to yourself, in your inside voice): which means she's powered her *screen* off and on instead of her computer, here we go again! It really sounds like I need to be there to fix this - can I stop by tomorrow after work?
Her: But I'm bidding on a WXY, and the auction closes tomorrow - can't we get this fixed tonight? Plus you know how I like to play those fun online games my friend showed me over my coffee every morning.
You (inside voice again): yeah, another XYZ, everyone needs more of those! And don't get me started on those malware-infested flash games! How am I going to get this fixed before work tomorrow? She's an hour's drive away and I have an early start tomorrow at work!
You (to her, out loud): Will you still be awake in an hour? I can still drop by later tonight if that's ok?
Her: that'd be lovely - I'll put a pot of coffee on, and I baked some cookies today. If this is like last time you'll probably be a few hours!
Wouldn't it be great if she had an icon on her desktop that would let you remote control her computer, right now?
Well, the good news is, there is such an app. And like so many things in IT, the bad news is, well, the bad news is that there is such an app.
Remote control tools like gotomypc (now gotomysupport), logmein, webex, bomgar and the like used to be considered *evil* apps in many IT groups. They pretty much allowed strangers to remote control your desktop computers over SSL or other encryption (or obfuscation or clear text) protocols, and there weren't a lot of tools out there to control how they got used. I can remember talking to my CFO a number of years back, trying to explain why gotomypc (which was new at the time) was not a good alternative for him, that he should use the corporate VPN access. If you look at what these remote access tools do, it sounds a lot like the ultimate goal of any pen-tester, or of any of the bad guys who of course also want to compromise your network security - total control of internal resources without your knowledge.
On the other hand, as these tools have matured we're seeing a large uptake in their use in corporate IT groups, to the point that most IT groups will often have such a solution in place to remotely support their own users. We also see it routinely if we call for support on server operating systems or network infrastructure problems - almost the first thing most support techs will do is mail you a remote support link so they can see the problem first-hand and work on it themselves (using your computer).
So for all our family remote support needs, there are dozens of free tools out there that do exactly this. For our corporate needs, similarly, there are dozens of tools out there that do exactly this, for a per-seat or per-site license fee.
Even in this new world where we've now blessed these remote access tools, people are missing some of the Security 101 questions around them. Things like - how good is the encryption on this tool? Where exactly does the session data transit? Am I running this through an appliance in my own datacenter, or am I being run through the provider's infrastructure on the internet (people call this the cloud these days, like that makes it safer somehow)? If the session data goes to the remote support tool provider, what country are they in? How does their privacy, search and seizure legislation compare to yours? Does the tool offer a drive map, which might allow file transfer without the user knowing? The answers to these questions might not matter too much to your Mother-in-Law, but your CEO, CIO and Corporate Counsel should all care.
The traditional remote control tools like VNC or MS Terminal Services have been made a lot less effective by firewalls, especially personal firewalls turned on by default in the OS. They can still be deployed (and controlled) in a corporate setting where you can do things like have Group Policy open workstation firewall ports when at work, and close the affected ports when away, but these tools aren't much help when your CEO is trying to VPN in from a hotel behind a firewall and 2 timezones away.
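One way to express the "open at work, closed when away" policy described above, as an added example that is not part of the original diary: Windows Firewall rules scoped by network profile and written into a GPO. The GPO name, domain and helpdesk subnet are hypothetical placeholders; 3389 and 5900 are the default RDP and VNC ports.

```powershell
# Added example: profile-scoped firewall rules for remote support tools.
# Assumptions (hypothetical): the GPO 'Workstation-RemoteSupport' already exists
# in the domain 'corp.example' and is linked to the workstation OU; the helpdesk
# sits in 10.20.30.0/24. Requires the NetSecurity module and rights to edit the GPO.
$store   = 'corp.example\Workstation-RemoteSupport'   # AD GPO used as the policy store
$support = '10.20.30.0/24'                             # only the helpdesk may connect

$tools = @(
    @{ Name = 'RDP'; Port = 3389 },   # MS Terminal Services / Remote Desktop default
    @{ Name = 'VNC'; Port = 5900 }    # VNC default (display :0)
)

foreach ($t in $tools) {
    # "At work": the Domain profile applies only on a network where the machine
    # can authenticate to a domain controller. Allow inbound, helpdesk subnet only.
    New-NetFirewallRule -PolicyStore $store `
        -DisplayName "Remote support: allow $($t.Name) (Domain)" `
        -Direction Inbound -Protocol TCP -LocalPort $t.Port `
        -RemoteAddress $support -Profile Domain -Action Allow | Out-Null

    # "Away": on Private and Public networks (home, hotel) block explicitly.
    # A block rule takes precedence over any allow rule a user or installer adds.
    New-NetFirewallRule -PolicyStore $store `
        -DisplayName "Remote support: block $($t.Name) (off-network)" `
        -Direction Inbound -Protocol TCP -LocalPort $t.Port `
        -Profile Private, Public -Action Block | Out-Null
}

# Review what the GPO now contains before it reaches workstations.
Get-NetFirewallRule -PolicyStore $store -DisplayName 'Remote support:*' |
    Select-Object DisplayName, Profile, Direction, Action, Enabled |
    Format-Table -AutoSize
```

These rules only govern inbound listeners such as VNC and Terminal Services; the brokered tools discussed earlier make outbound connections and are not affected by them.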
What tools do you use for remote support? If you run a corporate network, how do you control use of remote control tools? Does your firewall or IPS control this stuff, do you restrict it at the desktop using Group Policy or browser settings, or have you just resigned yourself to the fact that anyone who can dial one of your end-users' extension can social engineer themselves into a remote session on your network?
Please use the comment form to discuss - this is a debate that's been around for a while, but seems like we have new answers every time!
=============== Rob VandenBrink Metafore ===============
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.