Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 406
  • Last Modified:

How does Remote Assistance access a computer behind a router's firewall without any firewall configuration?

Following on from this question: http://www.experts-exchange.com/Networking/Q_21114583.html

How is that without doing any port forwarding a computer on the internet is able to access a supposedly secure xp machine sitting behind a firewall with nothing but the windows xp software to authenticate the access request from the remote assisting computer?

How does this work under the hood?
0
micknorman11
Asked:
micknorman11
  • 4
  • 2
1 Solution
 
DVation191Commented:
Remote assistance uses Terminal Services technology, allowing a helper to assist you via a remote Terminal Services session. Remote Assistance uses a simple, secure process in establishing a connection between you and a helper. The request is encrypted in a public key and sent using XML. As long as your router is letting the Remote Desktop ports through, remote assistance will work.

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rmassist.mspx
0
 
DVation191Commented:
Additional Notes:

Configuring Port 3389 to Enable Remote Assistance
Remote Assistance runs over the top of Terminal Services technology, which means it needs to use the same port already used by Terminal Services: port 3389.

Note: If the person who is being helped is behind a firewall, NAT, or ICS, Remote Assistance will still function as long as the person being helped initiates the session via Windows Messenger. However, as stated above, Remote Assistance will not work in cases when the outbound traffic from port 3389 is blocked.

Using Remote Assistance in a Home Network
If you are using Personal Firewall or NAT in a home environment, you can use Remote Assistance without any special configurations. However, if you have a corporate-like firewall in a home environment, the same restrictions apply: you would need to open Port 3389 in order to use Remote Assistance.
0
 
micknorman11Author Commented:
I neglected to mention that the remote assistance was working before I got the router configured to support remote desktop (ie enabled the port forwarding)
0
Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

 
DVation191Commented:
Most consumer-grade routers do not have the firewall enabled by default. Even if they do, they may not be blocking those ports. If you get port-scanned from the outside, you can see which ports you have open and which are closed...
Shields Up!
http://www.grc.com/x/ne.dll?rh1dkyd2
0
 
micknorman11Author Commented:
Hrm ... I'll go check out the router asap. I thought the firewall was on, but I could have overlooked it. Best double check.

I was just reading another EE question and discovered MAC filtering doesn't prevent sniffing wireless routers either - ACK!

There's at least one change I'll be making on the router - enable WEP.

I've been told 802.11b is piece of cake to bust into anyway ... I'll have to look further into that.

Back in a couple of days ... tks for the input so far :)
0
 
DVation191Commented:
yea from a linux box, even WEP is no match...
=)
0
 
ccceqo2Commented:
What I understand is:
You were using a router performing NAT, the standard setup to let multiple PCs share an internet connection.
You had no port forwarding configured on this router.
But you still managed to remote assist one of the PCs behind this router.

And you want to know how this could work?

Normally, when the requester has port forwarding enabled, anyone could send a TCP request to their IP address and their router would forward it through to the requester. When the port is blocked, the requester has to send out the TCP request, because this is their only way of establishing a connection with hosts outside their local network.

There could be two ways to do this, one if the person providing assistance had THEIR router/firewall configured to allow incoming port 3389 traffic to reach them, and the other if the person providing assistance did not ie. both users were blocked off from incoming requests.

1) If the assister has THEIR firewall configured, the software accepts the request and then looks for the incoming request from the requester. Once the assister has accepted this request, a link is established between the two PCs. This is a clever hack to allow TCP requests to be established in the opposite direction to normal and is used by all sorts of software like ICQ, and file sharing programs.

2) If neither have their firewalls configured, then another external host with its firewall properly configured will be required to assist. The requester sends TCP requests to this third party, and when the assister accepts the request, they too send TCP requests to the third party. When the third party host sees the matching incoming requests, it accepts them both and "joins" them by relaying traffic from one TCP session to the other. The third party host will need to handle all traffic involved in the remote session. This hack is also used to allow programs like ICQ to run chat session between users who are all behind firewalls.

I hope you understand this overview of what is going on. To understand all the details you need to study how the TCP/IP protocol stack is designed and how it operates.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now