SN 806: c.o.m.b

Beep boop - this is a robot. A new show has been posted to TWiT…

What are your thoughts about today’s show? We’d love to hear from you!

@Leo another case where we need some lower case letter somewhere in the title to convince Discourse to allow the rest to remain upper case.

I’m guessing that the water processing plant is behind a firewall, but it is the configuration that counts.

TeamViewer has to be connected to the Internet, that is how it works. The host running on a PC registers itself with TV’s servers and the client wanting access has to contact TV and see if the host is online, then it can connect.

IP filtering is very difficult. If you are using it to manage a remote location from the HQ, you can whitelist the HQ IP address. But if it is for supervisors working from home, you would have to whitelist every ISP and every mobile carrier that is used by your employees. You could blacklist all IPs outside the region, but with IP spoofing and VPN providers, you could probably get around it fairly easily.

We use TV at work for our users. But, TV is configured to not allow us direct access to the PCs, the user has to accept our request to attach to their PC. We can access it, if the PC is locked, but then we need a valid username and password to log onto the PC. Secondly, none of our production line PCs are on an Internet connected network. They cannot be reached with TeamViewer, they still require a physical visit to the site. Remote monitoring stations do exactly that, they monitor the production, but they cannot affect it, they are in essence read-only.

TV (and similar products) are a great tool and have some good management capabilities for managing large fleets of PCs. But it needs to be properly configured on the PCs to be monitored. A plain install is not very safe, you need to follow best practices to configure it properly.

The same goes for the firewalls. They usually default to an “all open” state, because that is easiest for the user, everything still works whilst they start to configure it. They should default “all closed” and force the user to decide on what they actually need. But that would put most users and admins off.

The last time I set up a firewall, we locked everything down and I spent over a month properly configuring it and testing it, before we switched it into production. A lot of place can’t or won’t invest in that sort of configuration and testing, and the resulting levels of restriction.

1 Like