We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now


Hamachi remote user security concerns

Medium Priority
Last Modified: 2013-11-15
I have Introduced Hamachi to my network, and there are a number of users that are loving it.

However i do have a building concern about its security... Im not worried about intercept traffic the encryption and hanshake is pretty solid from research done. however if i have hamachi running as a server and it joins a network that links it to our internal server how secure is that information.

how much can an attacker that gains physical acces to one of our machiens that has hamachi installed do?

Can he join the network? Gain the network credentials so he can connect from his machine? and in trying to keep the hamachi experience seamless is there anything i can to to prevent some of this.

I know any scrip kid out there can hash the local sam file and do what they want to local users. however what if i remove them entirely? not just disable so only Domain users exist? can the same attack be used? and/or can they get onto the machine and therefore have access to the hamachi network?

also if they were to just physically load the drive what can they learn abiout my hamachi network? can they get my "network/password"?

Any discussion on this is really appreciated.

As this level of physical security is not discussed much so far form my reading.

the best i get is from a Security now interview with Steve gibson

but they dont talk to much about this exact scenario, except to reasure me that the keys to my kingdom are not readily available. but they are there in a form.

I have a topic running on the hamachi forums as well as here.
Watch Question

Ron MalmsteadInformation Services Manager

Hamachi is just like any vpn, in the sense that,...all the machines joined act as if they are on the same network.

The network security of those connected machines, is the same security that would apply if they were actually physically inside your building.

Now if you have another domain or network for which these users are not supposed to have access,...then you should avoid putting hamachi on any machines in the other network.  Hamachi will not route to other networks that are simply connected to your lan...it will only have access to machines on the same hamachi network.

So my advice would be to evaluate which machines/servers they should have access to, and only put hamachi on those machines/servers.   If you need the servers to have hamachi for whatever reason,...you can always create a seperate "hamachi network", for your own administrative purposes.
Ron MalmsteadInformation Services Manager

>......another thing,...if they have a username/password on your active directory network, and you have hamachi running on a domain controller,..then they would have permission to join your domain over hamachi.


This is all as expected, the purpose is to bring them inside to the AD so they have remote acces to digital assets from their remote location.

I am more concerned if the laptop that was joined  to the domain in the fashion were stolen or lost for example. and what i can do to prevent something from happeneing in that respect.

Part of this is is also what can be done to secure them from this event if anything?
Ron MalmsteadInformation Services Manager

If a laptop were stolen, for example....the first thing you would do is "EVICT" the machine from the hamachi network, or simply block them.  



so in essence the laptop if stole and fully unsecure then?
Ron MalmsteadInformation Services Manager

If a laptop is stolen...the laptop itself is totally unsecure....anyone with minor technical skills would know how to reset the local admin password to gain access to the machine....  However, if you are aware of the theft, you can mitigate your risk by 1) evicting the machine from the hamachi network, 2) deleting the computer account from active directory, 3) change passwords for hamachi and the user who's laptop was stolen.


if i remove all local accounts and/or drop them down to non admin access, would this help?

also AD accoutns are cached but more secure?
Information Services Manager
It wouldn't make a difference....

If someone has physical access to the machine, they can easily break into the machine...however, gaining access to your network is another story...  that access is controlled by your active directory user accounts / permissions...

The same scenario would apply whether you have hamachi installed or not....  if the laptop is stolen, then you would want to make sure the machine is deleted from AD, and the user who used that machine get's a password reset.

A cached logon would make no difference, once a password is reset.

There are also other options for tracking, recovering, or securing machines that are used "remotely", such is the case with most laptops.

1) encryption....
Encrypt the hard drive....then it would be impossible for someone to "hack it" without knowing the administrative password.  PGP, or windows EFS.
2) tracking software - here's on of many services out there... http://www.absolute.com/solutions-theft-recovery.asp
Dell has a service for this also..
here's another....

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Ron MalmsteadInformation Services Manager



given the loose nature of the question the information helped me get a good undedrstanding of what can happen.
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.