
Remote PC Access Software: Vendor Claims vs Corporate Computer Use Policies

Products such as GoToMyPC and PCNOW are being advertised (large newspaper ads in local papers) as allowing corporate workers to connect remotely to their work PC, and/or connect to their home PC from work. There is no mention on the websites or in the ads that users may need to check their company's computer use policies before using the products. And if a user connects to a home PC from work, then no software may need to be installed on the work computer, so the user might feel that the use of the product is no different than connecting to a website. However, many corporate computer use policies may not support the use of these products, and corporate IT folks may have issues. Here are my questions:

1. Do these products pose any risks to a corporate network, assuming they only use existing open ports in the corporate firewall? If so, why? Does it matter if the connection is inbound or outbound on the corporate network?
2. How big of an issue are these products for most companies in terms of computer use policy? What typically happens to an employee if they use this product?
3. If the company has issues with these products, are they able to block their use?
4. Do the vendors of these products (Citrix and others) face liability if they continue to encourage employees to use the products, without any warning about checking company policy first? It seems to me that either Citrix is out of bounds with their advertising campaign, or corporate use policies should be amended to allow for the use of these products. Which is it?
5. One company I am aware of has a specific issue with "tunneling software". Per below, Citrix mitigates this issue by stating that "Remote users do not have tunneled access to the corporate network - only to a single desktop PC and its level of network access." So would this mitigate the company's concern with respect to tunneling software?

Here is some info from the gotomypc website:

Maintains Firewall Integrity: Both controlled and controlling computers receive all communications through an outgoing TCP connection using protocols and ports that can transparently transit almost all firewalls. No firewall changes are required, and you do not have to bypass or compromise your corporate or branch office firewall or the firewall at the computer where you are working.

Carefully Controlled Network Access: GoToMyPC leverages the OS-level access controls already in place on your corporate LAN. Remote users do not have tunneled access to the corporate network - only to a single desktop PC and its level of network access.

Thanks for your responses
3 Solutions
GoToMyPC's only advantage over the myriad of other remote control protocols is that it runs entirely in a web page over port 80.  That means that no configuration changes are necessary on the client side in order to access the remote PC (although you would need to make a change on the host side).

Microsoft Remote Desktop Protocol (as well as Citrix) does pose a security threat because it allows not only remote control of a host PC, but also the transfer of files between them. This would allow an insecure connection by which a person could leak sensitive information outside the corporate network, or download a virus from a PC that does not meet the company's security protocols.

With products like GoToMyPC.com, there is no security risk because files cannot be exchanged between the computers (as far as I know. I may be wrong on this, so definitely back this up with hard evidence). The threat to corporate security is low, because information cannot leave the corporate network. It is mostly a one-way connection. Still, it would violate the TOS of most companies simply because there is a possible threat to security that hasn't been identified yet, and might possibly be an uncontrolled access point.

BTW, it is easy to control access to any of these services via a firewall. RDP, Citrix, and VNC all need to operate over their own ports, which can be filtered out. GoToMyPC uses port 80, however, so if a company wanted to block access to it, they would need an exception on the firewall to block access to the GoToMyPC.com domain. Pretty much every firewall that's worth a damn (and even some that aren't) supports this ability, however.
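An added example, not from the original thread or from any vendor: since these tools ride over port 80/443, a port filter will not see them and the answer above says the block has to be by domain. The script below reads constructed Squid-style proxy log lines and flags (1) any request whose target is under a denylisted domain and (2) outbound tunnels held open for a long time, which is what a remote-control client's "held open" registration connection looks like in a proxy log. The domain list only contains the one domain the thread names, the time threshold and the log lines are assumptions made up for the example, and the hostnames under example.com/example.net are placeholders.

```python
"""Flag remote-control services hiding in ordinary web traffic.

Added example for the thread above; not vendor code. Parses Squid native
access.log lines (time elapsed_ms client status/code bytes method url
ident hierarchy/peer type) and reports two things a port-based firewall
rule cannot catch: requests to denylisted remote-control domains, and
CONNECT tunnels that stay open far longer than a page load.
"""
from urllib.parse import urlsplit

# Assumption: only the domain named in the thread is listed. Extend this
# from the vendor's published host names, not from guesswork.
REMOTE_CONTROL_DOMAINS = {"gotomypc.com"}

# Assumption: a tunnel held open longer than this (milliseconds) deserves a
# look; normal HTTPS page loads finish well under a minute.
LONG_LIVED_MS = 10 * 60 * 1000

# Constructed sample log, Squid native format; example.com/example.net
# hosts are placeholders, the gotomypc.com lines are the thread's domain.
SAMPLE_LOG = """\
1700000000.100     312 10.1.2.3 TCP_MISS/200 5120 GET http://intranet.example.com/news - HIER_DIRECT/10.0.0.5 text/html
1700000001.200    2250 10.1.2.3 TCP_TUNNEL/200 88301 CONNECT mail.example.com:443 - HIER_DIRECT/10.0.0.6 -
1700000002.300 5400000 10.1.2.7 TCP_TUNNEL/200 204800 CONNECT gotomypc.com:443 - HIER_DIRECT/203.0.113.10 -
1700000003.400     150 10.1.2.9 TCP_MISS/200 3210 GET http://www.gotomypc.com/ - HIER_DIRECT/203.0.113.11 text/html
1700000004.500 7200000 10.1.2.11 TCP_TUNNEL/200 99000 CONNECT relay.example.net:443 - HIER_DIRECT/198.51.100.7 -
"""


def target_host(method, url):
    """Return the destination host name for a log entry.

    CONNECT lines carry 'host:port'; everything else carries a full URL.
    """
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def matches_denylist(host):
    """True if host is a denylisted domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in REMOTE_CONTROL_DOMAINS)


def analyse(log_text):
    """Return a list of (client_ip, host, reason) findings for the log."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip rather than crash
        elapsed_ms = int(fields[1])
        client, method, url = fields[2], fields[5], fields[6]
        host = target_host(method, url)
        if matches_denylist(host):
            findings.append((client, host, "denylisted remote-control domain"))
        elif method == "CONNECT" and elapsed_ms >= LONG_LIVED_MS:
            minutes = elapsed_ms // 60000
            findings.append((client, host, f"tunnel held open {minutes} min"))
    return findings


if __name__ == "__main__":
    for client, host, reason in analyse(SAMPLE_LOG):
        print(f"{client:<12} {host:<24} {reason}")
```

The second rule is the useful one in practice: a denylist only covers vendors you already know about, whereas a multi-hour outbound tunnel from a desktop to an unfamiliar host is the shape every "no firewall changes required" product leaves behind, whatever its name.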
For the most part, many companies oppose the use of these products because they prefer to use VPN connections that can be better controlled by the company. Products like GoToMyPC, MyWebExPC, and LogMeIn, IF the company didn't block them, would allow a user to bypass the company firewall and connect to a corporate resource from an external location... WITHOUT requiring much for additional authentication and auditing. There is no audit trail to indicate who connected, from where, and accessed what resources. All connections would look like the user sat down at his machine and logged in.

Communications with these programs are supposed to be secured, and the way they get around the firewall issue is that the client running on the workstation establishes an outbound connection to a central server that "holds" that connection active until a user attempts to log in. When a user logs in and selects a machine to log into, their session is sent down the established path that already exists, so basically there is no new connection coming in from outside the company. The session is already established and held open.

Let's see what answers I have for your questions:

1. Unknown. However it is fairly unlikely that this is a security issue... UNLESS someone captures keystrokes somehow or can impersonate the connection between the user on the Internet and his connection back at his office.
2. If the company defines a policy that says that employees should not use these services, it should be the company's responsibility to prevent their use. Don't put a jar of honey in front of a bear if you don't want him to eat it. Take it away and he can't even get to it.
3. Yes. It is very easy to block access to these services.
4. Doubtful. A company that promotes these products is in no more of a position of liability for suggesting that people can use their product than any other company that makes software. If it's against your corporate policy to use the product, then the developer can't be responsible if an employee violates that policy.
5. Also doubtful. In all reality, connecting to a single machine is still connecting via a tunnel. Notice in your quote it says "to a single desktop PC and its level of network access". Once the user is connected to that single machine, what stops him from then connecting to others all over the network?
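An added example to make the "outbound connection held open" mechanism in the answer above concrete; it is a toy model written for this thread, not GoToMyPC's or any vendor's code. Three parties run on localhost: a stand-in relay (the vendor's central server), the office PC, which only ever dials OUT to the relay and then waits, and the remote user, who logs in to the relay and gets spliced onto the office PC's already-open connection. The port numbers, the single-host/single-client relay and the echo-style "command" are assumptions of the model; real services authenticate both sides, encrypt the stream and multiplex many hosts. Questions 1 and 5 are answered by the traffic direction it shows: the office PC never accepts an inbound connection, yet the remote user ends up with the PC's own network position.

```python
"""Toy relay showing why no inbound firewall rule is needed.

Added example, not vendor code. The office PC makes one outbound TCP
connection to the relay and waits; the relay later joins a remote user's
session onto that same socket, so from the corporate firewall's point of
view only an outbound connection ever existed.
"""
import socket
import threading

HOST = "127.0.0.1"  # everything runs locally for the demo


def _pump(src, dst):
    """Copy bytes from src to dst until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass  # peer already gone; nothing left to signal


def start_relay():
    """Start the stand-in relay; returns (host_port, login_port, thread).

    One listener takes the office PC's outbound registration, the other
    takes the remote user's login; the two sockets are then spliced.
    """
    host_srv = socket.socket()
    host_srv.bind((HOST, 0))  # OS-assigned ports: assumption for the demo
    host_srv.listen(1)
    login_srv = socket.socket()
    login_srv.bind((HOST, 0))
    login_srv.listen(1)

    def run():
        host_conn, _ = host_srv.accept()    # office PC dialled OUT to us
        user_conn, _ = login_srv.accept()   # remote user logs in
        # Splice both directions over the connection the PC already holds.
        back = threading.Thread(target=_pump, args=(host_conn, user_conn))
        back.start()
        _pump(user_conn, host_conn)         # user -> office PC
        back.join()
        for s in (host_conn, user_conn, host_srv, login_srv):
            s.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return host_srv.getsockname()[1], login_srv.getsockname()[1], t


def office_pc(relay_port, log):
    """The controlled desktop: connect outbound, then run what arrives.

    'Running' a command is modelled as echoing it back with a prefix so
    the reply proves which party acted on it.
    """
    s = socket.create_connection((HOST, relay_port))
    log.append("office PC: outbound connection to relay established")
    while True:
        cmd = s.recv(4096)
        if not cmd:
            break  # relay closed our side; session over
        s.sendall(b"office-pc ran: " + cmd)
    s.close()


def remote_session(login_port, command):
    """The remote user's side: log in to the relay, send one command, read reply."""
    s = socket.create_connection((HOST, login_port))
    s.sendall(command)
    reply = b""
    while not reply.endswith(b"\n"):
        chunk = s.recv(4096)
        if not chunk:
            break
        reply += chunk
    s.close()
    return reply


def demo(command=b"whoami\n"):
    """Run the three parties and return (office PC log, reply seen by user)."""
    host_port, login_port, relay = start_relay()
    log = []
    pc = threading.Thread(target=office_pc, args=(host_port, log), daemon=True)
    pc.start()
    reply = remote_session(login_port, command)
    relay.join(timeout=5)
    pc.join(timeout=5)
    return log, reply


if __name__ == "__main__":
    log, reply = demo()
    print("\n".join(log))
    print("remote user received:", reply.decode().strip())
```

Note what the model does not contain: no inbound listener on the office PC, and no step where the corporate firewall sees anything other than one long-lived outbound TCP connection. That is also why the "only to a single desktop PC and its level of network access" wording is weak reassurance: the command is executed by the office PC, with whatever LAN reach that PC has.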

service07Author Commented:
Good feedback...I will wait a bit and then provide points
