Hi All,
Right now we have about 80 users in the organization. We currently offer users TeamViewer so they can have access to their corporate computer from home if need be. We are now evaluating the security and practicality of TeamViewer as some security flaws have arisen.
Do you guys have any better alternatives to TeamViewer for users' remote access to THEIR corporate machine? We also have a SonicWall VPN appliance with virtual office, but I can’t really see an easy implementation to their workstation remotely.
Thanks!
7 Spice ups
adamknight
(ITcrackerjack)
2
If you already have a VPN appliance, I would just use that in conjunction with RDP. Once they connect to the VPN, they would just need to know the name/IP of their machine.
Other than that, maybe LogMeIn Central as you can create users and give them access. But that seems like it would be hard to maintain for 80 users.
2 Spice ups
Do you have a server that can utilize SSTP VPN? And if the end users have Windows 7, SSTP setup is built in. If so, it is all free and easy to set up. Here is a link that may help.
1 Spice up
adam223
(Adam223)
4
We are rolling out Pertino right now. You should check it out. http://pertino.com/ They gave us a nice demo and answered all of our questions.
First I will ask if this “security risk” is someone asking the hypothetical, “what if their servers get hacked” question? If so then be sure to understand and explain to this person the trade-off in security between using a hosted service like TeamViewer and a local resource like UltraVNC.
Which leads me to, have a look at UltraVNC if you don’t want a hosted remote access solution.
The bulk of it comes down to this, do you trust that the vendor is reputable and does their best to ensure their security is up to date vs are you willing to start opening ports into your network to allow a local remote access solution to work?
Thanks for the above guys!
@ITcrackerjack - Our main concern with that is if users don’t have any protection on their PC, they might infect our network. My thought originally was to use Virtual Office (SonicWall) and RDP from there. But you have to create a shortcut to a location you would like to RDP to, i.e. a terminal server.
@Chakar - My only issue with SSTP is that it still uses a PPTP VPN layer from what I understand and PPTP isn’t that secure…
@Adam223 - Looks like an interesting concept, I will definitely take a look.
@Evolve - The security risk we are facing is this. We have the same password for all of our TeamViewer clients and if someone were to log in with just file transfer into that computer, they will have full access to all the network drives and local drives on our network/machine. If someone were to get the TWID and the password, then they can potentially steal documents and/or infect machines by transferring to local drives. We have tried to use Symantec Endpoint to lock that down, but it seems to have broken TeamViewer upon reboot. We have looked at VNS, but that’s more of an internal support tool IMO…
2 Spice ups
Thanks for the shout-out, Adam, and welcome to Pertino.
Max, here’s an interesting way to use Pertino in your situation. Since you can spin up multiple virtual networks, you can deploy a virtual network for each user that only has their home and office machine on it. Now, a user can use their “personal VPN” to access their office machine from home using native remote desktop (RDP) functionality. This approach would logically isolate users’ personal networks from your corporate network (separate address space, end-to-end encryption, etc).
In the future, you could also potentially replace your SonicWall VPN (which I assume is on your office machines) by creating a Pertino virtual “business” network and adding all of your users’ office machines and any servers you want to provide remote access to. Each office machine would then have two virtual networks – personal and business, and users can switch between them using the Pertino app menu in the taskbar.
Caveats: 1) We don’t support XP. 2) RDP is not supported on Windows Home Editions. 3) Devices cannot be on more than one network at the same time (but you can switch across networks). 4) Talk with us first to ensure setup goes smoothly.
Hi
TeamViewer is great for many things, but to be trusted as a remote solution into my network? I’d rather not.
VPN opens a big highway into the network, so we do not want this. Yes, VPN can be filtered, but not so easy to manage.
I use MS Remote desktop with a requirement for a personal digital certificate before letting users in. Quite secure I think.
Here is a 1-2-3 walk-through of what I did to enable RDP in a secure way.
- Use GPO to enable RDP to users’ desktops
- Issue USB smartcards with personal certificates. We use devices from Gemalto but other vendors exist also
- Set up a MS terminal services gateway, only requires a machine with IIS enabled.
- Configure RDP gateway to allow only connections when a valid cert is presented
- Enable needed traffic in the firewall(s)
You can omit the certificate part and rely only on username/password if it is sufficient for your security requirements. Or if you do not have a MS Certificate infrastructure in place.
One neat thing about this is that when you delete a user from AD his remote access is automatically disabled.
Cheers Niels
You can secure your VPN connection by following these steps (though they are not very fast to configure):
Basically when you create a VPN account for a user you assign an IP address which will stick to this account.
For example, you’ve created an account “test” which received an IP - 10.123.122.23 in your entire network (allow only one connection at a time if possible). On your firewall you must create an Access List for this IP address that will only allow connection via RDP to the workstation that this user owns in the company; all other connections should be denied. And I hope your users don’t have administrator rights on their company workstations. After these settings your VPN connection will be secured from the network threat.
1 Spice up
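The per-account access list described in the post above, as an added example that is not part of the original thread: it builds one permit rule per VPN account (fixed VPN address to that user's own workstation, TCP 3389 only), then audits a rule set against that policy. The account "test" and 10.123.122.23 come from the post; the workstation addresses, the "alice" account, the function names and first-match rule evaluation are assumptions.

```python
import ipaddress

RDP_PORT = 3389
# Constructed sample: VPN account -> (fixed VPN address, that user's office workstation).
# "test" / 10.123.122.23 come from the post; every other value is made up.
ASSIGNMENTS = {
    "test": ("10.123.122.23", "192.168.10.51"),
    "alice": ("10.123.122.24", "192.168.10.52"),
}

def build_acl(assignments):
    """One permit per account (VPN IP -> own workstation, TCP/3389), then deny all."""
    rules = [
        {"action": "permit", "src": f"{vpn}/32", "dst": f"{ws}/32",
         "proto": "tcp", "port": RDP_PORT}
        for vpn, ws in assignments.values()
    ]
    rules.append({"action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
                  "proto": "any", "port": None})
    return rules

def evaluate(rules, src, dst, proto, port):
    """First matching rule wins (assumed); traffic that matches nothing is denied."""
    for r in rules:
        if (ipaddress.ip_address(src) in ipaddress.ip_network(r["src"])
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r["dst"])
                and r["proto"] in ("any", proto)
                and r["port"] in (None, port)):
            return r["action"]
    return "deny"

def audit(rules, assignments):
    """List every way the rule set departs from 'RDP to own workstation only'."""
    findings = []
    vpn_ips = [vpn for vpn, _ in assignments.values()]
    if len(set(vpn_ips)) != len(vpn_ips):
        findings.append("two accounts share one VPN address")
    for user, (vpn, ws) in assignments.items():
        if evaluate(rules, vpn, ws, "tcp", RDP_PORT) != "permit":
            findings.append(f"{user}: RDP to own workstation is blocked")
        if evaluate(rules, vpn, ws, "tcp", 445) == "permit":
            findings.append(f"{user}: SMB to own workstation is allowed")
        for other, (_, other_ws) in assignments.items():
            if other != user and evaluate(rules, vpn, other_ws, "tcp", RDP_PORT) == "permit":
                findings.append(f"{user}: can RDP to {other}'s workstation")
    return findings

if __name__ == "__main__":
    print(audit(build_acl(ASSIGNMENTS), ASSIGNMENTS) or "rule set matches the policy")
```

Running the audit after every firewall change catches a broad "VPN pool to LAN" permit placed above the per-user rules, which would silently undo the isolation.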
Max, you may want to consider an RHUB remote support server. (Disclaimer: I work for RHUB). You can have as many unique users as you want on a RHUB appliance, so each user could set up their own Remote Access session and provide their own unique password. LDAP can be used to auto-create users. For security, all traffic can be SSL encrypted. RHUB supports all Windows OS’s back to Windows 2000. And we allow Remote Support on Mac 10.4 and newer. Also, our iPad app lets you remotely support computers.
Contact me and I can set you up with an unlimited trial account.
We have our users VPN in and then open an RDP session to either their machine or to our terminal server.
This can be easily done with Remote Utilities. The remote module (Host) is installed on the target workstation and then it can be accessed from within the LAN, and out of the Internet by anyone who knows Host access credentials set during installation.