Research on Remote access/control

KLow0329

Hi Guys, i am doing some research on 'How Remote access/control can bring benefit to an organisation'?
Can anyone here share your knowledge or experience with me? Like benefit to IT industrial, your company or even to yourself?
I am working in a IT company and I still remember about 4 - 5 years ago, my company tried on some customers but some of them felt insecure about it, some suspected about hacking into their network. But now, remote access/control have been very common method to solve most of the PC problems.. other benefit including my manager sometime lazy to show up to work, just log in from home to do some office work..... (Lucky him..). ..... but thanks god, no major complaint so far from client.

lil_lisa

Well we currently have a VPN where I work. We all have laptops and it can work out useful in certain circumstances. Its not meant for a reason to stay at home and work or be lazy but if you happen to be out sick or home at the weekend and something has gone awry, you can just turn on the laptop and work as though you're in the office. I'm not sure if it cancels the cons though, data protection is a big issue with this.

wolfric

Depends on the size of the company.

Build in support includes remote desktop and remote assistance. You have to enable both.

Remote desktop works like a terminal server on every machine. Servers can have many sessions. Users (like windows xp/vista/7) can only have one session at a time. The person wishing to connect initiates a connection. When they login (using a local or domain account) they spawn a session just as if their monitor was the machines one. If you attempt to log into a computer that already has someone logged in, it kicks them off and shows them "this computer is locked and under use by such and such." you can kick them off with an admin account. If you use the same account details however you resume the current session.

Remote assistance is initiated usually by the client side. You send an invitation in an email or a file etc and another person accepts it and can see (and if given access by the client), control the computer. This is usually to fix a problem.

Remote desktop uses rdp. Remote assistance uses rdp for at least windows 7 but not sure about other versions. RDP=remote desktop protocol which means instead of transfering a video stream of the users desktop over the network, it transfers data like (window size x, position y, with bla bla bla) and the system on the other side redraws it so it's much faster.

This works great for admins mostly on your network. First your servers don't need a monitor/keyboard plugged in. They can connect to them from their own personal machines. Second, you can have your users use a terminal server to run programs and applications that they might not be able to run on their own machines. You also have the added cut of network traffic. If you open, work on and save a document on a terminal server, you will not be pulling down and pushing back a file every time you save.

I would highly advise against vpns. They invite people with low standards on their personal computers into a business enviroment. The only reason you should have a vpn is if you have a company split physically in 2 different locations or it is absolutely essential to be connected and you use a completely clean computer with strict regulations.

Away from the built in methods you now have the suites of remote viewing that use the vnc protocol. This involves taking images of your desktop and sending them over the network just like remote desktop. They run apart from remote desktop and can have as many sessions as you'd like as well as retaining a connection when a user logs out. They usually have their own security standards. There are many which include realvnc ultravnc tightvnc (comparison).

Half way inbetween you have things like logmein which work on a sort of "remote desktop protocol of their own" which has the speed of a rdp but the appearance or working of vnc. They work by having a constant connection to the logmein server. When you go onto their website you login via the website and with the computer having a constant connecto to the website, you connect via that connection to the computer and remote control it.


Advise: For local networks, fixing other peoples computers as well as remotly controling and setting up computers, have remote desktop enabled and use remote assistance.

Logmein has free accounts and is fairly popular and secure (as long as you keep good passwords).
Sorry for the long post i got a bit carried away.

KLow0329

Thanks Lisa and Wolfric.. But data protection is the biggest issue, even with the password protected.
For example, anyone can change and disable password on VNC without enter the old password.
Anyway, there are very good in providing online pc solution for many users. As I know, many companies are encouraging 'Flexible Working Hour', in another word... working for home few days per week... People can avoid heavy traffic, reduce fuel on trasportation and some also believe that it can improve performance on work.. er... I personally not really agree about it. But i am believed it greatly improved company operation system where the companies are heavily depending on Pc.
If anyone have anyone good point on this issue, please share, any personal experience can be other person valuable lesson.

Blowfish

wolfric wrote: »

I would highly advise against vpns. They invite people with low standards on their personal computers into a business enviroment. The only reason you should have a vpn is if you have a company split physically in 2 different locations or it is absolutely essential to be connected and you use a completely clean computer with strict regulations.

The easy way to prevent this by blocking all personal machines from accessing the domain. Then just give any user who is likely to be working remotely a laptop.

bhickey

KLow0329 wrote: »

For example, anyone can change and disable password on VNC without enter the old password.

The normal way to run TightVNC is as a service. Assuming that the user is NOT an administrator on the machine then they won't be able to change the TightVNC password.

Having users login with administrator privileges on their own machines is foolish and just asking for trouble.

Wolfric wrote:

I would highly advise against vpns. They invite people with low standards on their personal computers into a business enviroment. The only reason you should have a vpn is if you have a company split physically in 2 different locations or it is absolutely essential to be connected and you use a completely clean computer with strict regulations.

VPN's are not by nature insecure or dangerous except in the wrong hands. They are especially useful for remote support as they allow Remote Desktop and the various VNC's to work without having to mess around with firewalls. As Blowfish says, most businesses would typically provide the computers that employees would be using at home to access the VPN.

wolfric

Blowfish wrote: »

The easy way to prevent this by blocking all personal machines from accessing the domain. Then just give any user who is likely to be working remotely a laptop.

VPN's are not by nature insecure or dangerous except in the wrong hands. They are especially useful for remote support as they allow Remote Desktop and the various VNC's to work without having to mess around with firewalls. As Blowfish says, most businesses would typically provide the computers that employees would be using at home to access the VPN.

I think you've both got the wrong end of the stick. Work is a controlled environment(at least more so than normal). Home is not. technically it doesn't matter if you're using a vpn but you're far less likely going to bring in a home machine which you download and use all sorts of things on. You don't abuse and get access to that sort of thing at work unless you're work has as particularly lax rules. Also blowfish nothing to do with being on the domain. Being on the same network causes an issue.

bhickey

wolfric wrote: »

I think you've both got the wrong end of the stick. .....

Now girls, this isn't black and white. The point is that people who use VPN's should consider security as part of how they implement them. Just take the time to learn about them and then be careful.

ressem

Would disagree with wolfric.

The machine with VPN is provided by the company. It is as locked down as a machine in work, with install permissions just as limited. All internet traffic is routed through the company network proxy or not at all.
Something like SteadyState can keep things tidy.

Preferably all the same alerts are sent when updates are out of date as with a local work desktop. And some setups allow for security restrictions which block network access (network access protection/admission control).

It could, of course be compromised by removing the HD and connecting to a home PC.

Using a certificate based VPN to a DMZ, then SSH/term srv to connect to a work machine seems fairly standard for most places I've done work for technically oriented small-med businesses.

On the other hand, supporting wolfric and lax users...
Have you seen the citrix XenClient beta stuff where you can have completely independent operating systems running simultaneously on the same machine? Home environment + work on the same machine, with only a key combo between? That should lead to some interesting accidental search attempts appearing in proxy logs.
But also should allow running a TPMed company supplied operating system VM image that will not boot if changed.

I would have thought that places allowing direct terminal services/logmein/gotomypc would have worse issues than the above VPN scenario. We've seen how the remote assist is being used by scammers described in other threads.