Remote PC Access Software: Vendor Claims vs Corporate Computer Use Policies

Posted on 2007-10-16
Last Modified: 2013-11-30
Products such as GoToMyPC and PCNOW are being advertised (large newspaper ads in local papers) as allowing corporate workers to connect remotely to their work PC, and/or connect to their home PC from work. There is no mention on the websites or in the ads that users may need to check their company's computer use policies before using the products. And if a user connects to a home PC from work, then no software may need to be installed on the work computer, so the user might feel that the use of the product is no different than connecting to a website. However, many corporate computer use policies may not support the use of these products, and corporate IT folks may have issues. Here are my questions:

1. Do these products pose any risks to a corporate network, assuming they only use existing open ports in the corporate firewall? If so, why? Does it matter if the connection is inbound or outbound on the corporate network?
2. How big of an issue are these products for most companies in terms of computer use policy? What typically happens to an employee if they use this product?
3. If the company has issues with these products, are they able to block their use?
4. Do the vendors of these products (Citrix and others) face liability if they continue to encourage employees to use the products, without any warning about checking company policy first? It seems to me that either Citrix is out of bounds with their advertising campaign, or corporate use policies should be amended to allow for the use of these products. Which is it?
5. One company I am aware of has a specific issue with "tunneling software". Per below, Citrix mitigates this issue by stating that "Remote users do not have tunneled access to the corporate network - only to a single desktop PC and its level of network access." So would this mitigate the company's concern with respect to tunneling software?

Here is some info from the gotomypc website:

Maintains Firewall Integrity: Both controlled and controlling computers receive all communications through an outgoing TCP connection using protocols and ports that can transparently transit almost all firewalls. No firewall changes are required, and you do not have to bypass or compromise your corporate or branch office firewall or the firewall at the computer where you are working.

Carefully Controlled Network Access: GoToMyPC leverages the OS-level access controls already in place on your corporate LAN. Remote users do not have tunneled access to the corporate network - only to a single desktop PC and its level of network access.

Thanks for your responses
Question by: service07
    LVL 14

    Assisted Solution

    GoToMyPC's only advantage over the myriad of other remote control protocols is that it runs entirely in a web page over port 80.  That means that no configuration changes are necessary on the client side in order to access the remote PC (although you would need to make a change on the host side).

    Microsoft Remote Desktop protocol (as well as Citrix) do pose a security threat because they allow not only remote control of a host PC, but also the transfer of files between them.  This would allow an unsecure connection by which a person could leak sensitive information outside the corporate network, or download a virus from a PC that does not meet the company's security protocols.

     With products like, there is no security risk because files cannot be exchanged between the computers (as far as I know.  I may be wrong on this, so definitely back this up with hard evidence).  The threat to corporate security is low, because information cannot leave the corporate network.  It is mostly a one-way connection.  Still, it would violate the TOS of most companies simply because there is a possible threat to security that hasn't been identified yet, and might possibly be an uncontrolled access point.
    LVL 14

    Assisted Solution

    BTW, it is easy to control access to any of these services via a firewall.  RDP, Citrix, and VNC all need to operate over their own ports which can be filtered out.  GoToMyPC uses port 80, however, so if a company wanted to block access to it, they would need an exception on the firewall to block access to the domain.  Pretty much every firewall that's worth a damn (and even some that aren't) supports this ability, however.
    LVL 13

    Accepted Solution

    For the most part, many companies oppose the use of these products because they prefer to use VPN connections that can be better controlled by the company. A product like GoToMyPC, MyWebExPC, and LogMeIn, IF the company didn't block them, would allow a user to bypass the company firewall and connect to a corporate resource from an external location... WITHOUT requiring much for additional authentication and auditing. There is no audit trail to indicate who connected, from where, and accessed what resources. All connections would look like the user sat down at his machine and logged in.

    Communications with these programs are supposed to be secured, and the way they get around the firewall issue is that the client running on the workstation establishes an outbound connection to a central server that "holds" that connection active until a user attempts to log in. When a user logs in and selects a machine to log into, their session is sent down the established path that already exists, so basically there is no new connection coming in from outside the company. The session is already established and held open.

    Let's see what answers I have for your questions:

    1. Unknown. However it is fairly unlikely that this is a security issue... UNLESS someone captures keystrokes somehow or can impersonate the connection between the user on the Internet and his connection back at his office.
    2. If the company defines a policy that says that employees should not use these services, it should be the company's responsibility to prevent their use. Don't put a jar of honey in front of a bear if you don't want him to eat it. Take it away and he can't even get to it.
    3. Yes. It is very easy to block access to these services.
    4. Doubtful. A company that promotes these products is in no more of a position of liability for suggesting that people can use their product than any other company that makes software. If it's against your corporate policy to use the product, then the developer can't be responsible if an employee violates that policy.
    5. Also doubtful. In all reality, connecting to a single machine is still connecting via a tunnel. Notice in your quote it says "to a single desktop PC and its level of network access". Once the user is connected to that single machine, what stops him from then connecting to others all over the network?
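
A defender's view of the mechanism described in the answers above, added here as an example and not part of any poster's reply: because the workstation client holds an outbound connection open to the vendor's central server, outbound proxy logs can supply the audit trail the remote session itself lacks. The log format, the `remote-broker.example` placeholder domain and the one-hour threshold are assumptions constructed for this sketch.

```python
from collections import defaultdict

# Placeholder for the vendor's connection-broker domain (assumption, not a real host).
BROKER_DOMAINS = {"remote-broker.example"}

# Constructed proxy log: start_epoch duration_s client_ip method host:port bytes
SAMPLE_LOG = """\
1192530000 14 10.0.4.17 GET www.example.org:80 20480
1192530060 28800 10.0.4.17 CONNECT poll.remote-broker.example:443 912344
1192530100 3 10.0.7.5 GET notremote-broker.example:80 1200
1192530200 21600 10.0.9.22 CONNECT remote-broker.example:80 455001
1192530300 45 10.0.9.22 GET www.remote-broker.example:80 30211
"""

def matches_broker(host, domains=BROKER_DOMAINS):
    """Exact or subdomain match, so 'notremote-broker.example' is not flagged."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def parse_line(line):
    start, duration, client, method, target, nbytes = line.split()
    host, sep, port = target.rpartition(":")
    if not sep:  # no explicit port in the log entry
        host, port = target, ""
    return {"start": int(start), "duration": int(duration), "client": client,
            "method": method, "host": host, "port": port, "bytes": int(nbytes)}

def find_broker_sessions(log_text, min_seconds=3600):
    """Group broker connections by workstation and mark those held open."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if matches_broker(rec["host"]):
            rec["held_open"] = rec["duration"] >= min_seconds
            findings[rec["client"]].append(rec)
    return dict(findings)

def held_open_clients(log_text, min_seconds=3600):
    """Workstations with at least one long-lived broker connection."""
    sessions = find_broker_sessions(log_text, min_seconds)
    return sorted(c for c, recs in sessions.items()
                  if any(r["held_open"] for r in recs))

if __name__ == "__main__":
    for client, recs in find_broker_sessions(SAMPLE_LOG).items():
        for r in recs:
            flag = "HELD-OPEN" if r["held_open"] else "short"
            print(client, r["host"], r["port"], r["duration"], flag)
```

The same suffix match is what a domain block rule on the firewall or proxy has to implement; a plain substring match would also catch unrelated hosts such as the `notremote-broker.example` entry in the sample.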


    Author Comment

    Good feedback...I will wait a bit and then provide points
