Giving remote control access to few machines

ashima

Hello everyone,

We have around 500 machines in the network. At times a remote session has to be provided to certain vendors to help troubleshoot a machine. We have a pfsense firewall (2.4.2) with squid (SSL Mode) and Squidguard. The remote control software are denied with squidguard. So teamviewer, anydisk, ammy admin like software don't work. But at times it becomes necessary to give remote access to the vendor. So I have thought of a solution. I would like to hear your input.

 Install a simple xubuntu desktop acting as UltraVNC Repeater behind firewall on a separate  port other than the LAN. Do a port forwarding in firewall to ubuntu server.  Allow the vendors to access the Ultra VNC viewer to access the Ultra VNC Repeater which will further redirect to UltraVNC Servers on LAN. 

I would like to know any others pointers or suggestion. The vendors are not ready to install Openvpn client to do a VPn connection as they find it quite confusing. We tried but it doesn't work. ( For that we had to take remote on vendors pc and install OpenVPN client on that :)

Any suggestion ?
Regards,
Ashima

KOM

@ashima said in Giving remote control access to few machines:

The vendors are not ready to install Openvpn client to do a VPn connection as they find it quite confusing.

1. Run OpenVPN Windows Installer.
2. Run OpenVPN client
3. Import config file
4. Connect and supply username/password

(* - On Linux/MacOS it's even easier since the client is preinstalled. You just need to import config.)

If they are confused by this four-step process, they would have no business doing anything on my network. They would rather you introduce a security hole in your network due to their laziness or lack of knowledge. Not acceptable if they work for you.

ashima

Thank you @KOM for quick response. We tried all that but these vendors are basically non IT people. They only know how to tune their software. There are few practical diffculties :

1. The person doesn't have admin rights (OpenVPn needs administrative rights to be installed n run) on pc with which he does a VPN connection,
2. The person n pc keep changing, so we keep getting repeated calls to help them connect.
   And it's not 1 vendor there are around 50 of them.
   So it isn't working with them. I myself use openVPn to connect from remote.

So thought of putting xubuntu machine. ( Just to minimize the damage). Is there any other solution that can be implemented.

ashima

Just read OpenVPN 2.4.6 have the ability to run OpenVPN GUI without administrator privileges but we are stuck to OPenVPN 2.3 as most of the vendors are still using windows XP.

KOM

Then you end up in a similar boat, where you have to instruct them on how to install & use VNC...

If this is the only option, then at the very least you will need to craft your port-forward so that it only allows inbound connections from a trusted IP address or subnet.

NogBadTheBad

@ashima

1. The person doesn't have admin rights (OpenVPn needs administrative rights to be installed n run) on pc with which he does a VPN connection,

2. The person n pc keep changing, so we keep getting repeated calls to help them connect.

Why are 1 & 2 your issue you don't run the vendors support ?

Document what they need to do and pass it on to the vendors IT support.

ashima

@kom said in Giving remote control access to few machines:

Then you end up in a similar boat, where you have to instruct them on how to install & use VNC...

If this is the only option, then at the very least you will need to craft your port-forward so that it only allows inbound connections from a trusted IP address or subnet.

These guys are quite familiar with VNC.

So what are the points I need to take care.

"Allowing inbound connections from trusted Ip' --- may not be always possible. Shall try.
Is there any other points that I can take care.

The reason for opting for xubuntu than windows machine is to make it more secure. Also it will be on separate subnet than the rest of the machines.

KOM

@ashima said in Giving remote control access to few machines:

"Allowing inbound connections from trusted Ip' --- may not be always possible. Shall try.

I'm pretty sure it's possible if you insist "No access without knowing your IP address in advance."

The goal is to minimize the attack surface as much as possible. That means having the bare minimum services exposed to the public net, and whitelisting those addresses who want to get into your network. That's about all you can do.

johnpoz

@nogbadthebad said in Giving remote control access to few machines:

Document what they need to do and pass it on to the vendors IT support.

Exactly!!! They need to be able to connect securely to your network... Or they need to get their butts on site.. Its that freaking simple..

ashima

Thank you all for your responses.

I understand the risk in doing so... but the management is quite ignorant of these attacks. They just want the work to be done. (In fact ,the previous IT team had kept port 3389 open for rdp to their server. They were just lucky enough not to get any attack). It was a big task for me to convince them to put a pfsense firewall.

Anyway let me quickly summarize points :

1. Putting up a xubuntu machine which will act as a UltraVNC repeater proxy between UltraVNC Server n Client.

2. Xubuntu machine on a separate subnet than rest of the LAN.

3. Putting firewall rules such that communication between Xubuntu subnet and LAN subnet is only to specific vendor supplied machine and not rest of the machines on LAN.

4. Firewall rules to stop all communication to/from xubuntu machine during non office hours.

5. Restricting inbound connections from trusted ip.

6. Last but not the least changing the default VNC port.

Is there any thing else I can add....

Thank you.

johnpoz

@ashima said in Giving remote control access to few machines:

They were just lucky enough not to get any attack

That you are aware of - your whole network could be compromised currently if someone guessed your top secret user account and password to rdp in.. Since it was for vendor support it was prob something stupid simple ;)

Restricting inbound connections from trusted ip.

This is a good idea for sure..