How secure is TeamViewer for simple remote support?

  • I'm deploying a web-based ERP system for a customer, such that both the server and the client machines will be inside the customer's intranet. I was advised in another question not to use TeamViewer to access the server, using more secure means instead, and so I did. But now I'm concerned about whether or not TeamViewer would be appropriate for the client machines, which are not "special" to this system in particular, but nonetheless I don't want to lower their current security, nor do I want to compromise the computer on my end.

    My question, then, is whether or not TeamViewer is "good enough" for simple remote desktop support, where it will be used simply to assist the users in the usage of the system, and whether or not I must take additional measures (like changing the default settings, changing the firewall, etc.) to reach a satisfactory level of security.

    Some details:

    1. I already read the company's security statement and in my non-expert opinion all's fine. However, this answer in that other question has put me in doubt. After some research, UPnP in particular does not worry me anymore, since the feature that uses it - DirectIn - is disabled by default. But I wonder if there are more things I should be aware of that's not covered in that document.

    2. The Wikipedia article about TeamViewer says the Linux port uses Wine. AFAIK that doesn't affect its network security, is that correct?

    3. Ultimately, the responsibility of securing my customers' networks is not mine, it's theirs. But I need to advise them about the possibilities of setting up this system, in particular because most of them are small-medium NGOs without any IT staff of their own. Often I won't be able to offer an "ideal" setup, but at least I wanna be able to give advice like: "if you're installing TeamViewer in this machine, you won't be able to do X, Y and Z in it, because I'll disable it"; or: "you can install TeamViewer in any regular machine you want, it's safe in its default configuration; only this one *points to server* is off-limits".

    4. My choice of TeamViewer was solely because it was straightforward to install in both Windows and Linux machines, and it just works (its cost is accessible too). But I'm open for other suggestions. I'm low both in budget and specialized staff, so I'm going for the simpler tools, but I wanna make a conscious decision whatever that is.

    I prefer a self-destructing, on-demand solution like join.me.

    Join.me is a Logmein service that isn't exactly linux friendly. Something to keep in mind if you aren't in love with wine.

    @Joel I'm in love with wine, although I find mixing it with work makes me incredibly unproductive

    I would recommend deploying on-premise RHUB remote support appliances. They work from behind your company’s firewall, hence are much more secure compared to hosted services.

    UltraVNC offers a self-destructing client-initiated connection tool that's VNC compatible as well for remote-viewing Windows clients.

  • Rory McCune (correct answer)

    9 years ago

    There are a couple of differences between using a 3rd party supplier (such as TeamViewer) and a direct remote control solution (e.g., VNC).

    TeamViewer has advantages in that it doesn't require ports to be opened on the firewall for inbound connections, which removes a potential point of attack. For example if you have something like VNC listening (and it isn't possible to restrict source IP addresses for connections) then if there is a security vulnerability in VNC, or a weak password is used, then there is a risk that an attacker could use this mechanism to attack your customer.

    However there is a trade-off for this, which is that you're providing a level of trust to the people who create and run the service (in this case TeamViewer). If their product or servers are compromised, then it's possible that an attacker would be able to use that to attack anyone using the service. One thing to consider is that if you're a paying customer of the service, you may have some contractual come-back if they're hacked (although that's very likely to depend on the service in question and a whole load of other factors).

    Like everything in security it's a trade-off. If you have a decently secure remote control product and manage and control it well then I'd be inclined to say that that's likely to be a more secure option than relying on a 3rd party of any kind.

    That said if the claims on TeamViewer's website are accurate it seems likely that they're paying a fair degree of attention to security, and also you could consider that if someone hacks TeamViewer (who have a pretty large number of customers) what's the chance that they'll attack you :)

    Very insightful! Right now I'm inclined to trust TeamViewer, my own lack of expertise on this subject might make a custom solution more risky than a ready-made one, short term (as long as that solution is a good one, naturally). But I'll make sure to weigh those arguments in my future strategy.

    +1 for "everything in security is a trade-off". This is an answer to many questions.

    I would not be so quick to discard the possibility of being a target just because, “what’s the chance”.

    @micsthepick There is a smiley. I think it was sarcasm, because obviously every TeamViewer customer has a problem if the TeamViewer service is compromised.
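
The answer's point about a directly listening remote-control service (VNC reachable without source-IP restriction) can be checked on a Linux client machine. The following is an added example, not part of the original answer or comments: it parses `ss -tlnH` output and reports VNC/RDP default ports that are not bound to loopback. The function names and the sample output are constructed for illustration.

```python
import ipaddress

# Default TCP ports of direct remote-control listeners (RDP, VNC displays :0-:9).
REMOTE_CONTROL_PORTS = {3389: "RDP"}
REMOTE_CONTROL_PORTS.update({5900 + n: f"VNC display :{n}" for n in range(10)})

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 5    127.0.0.1:5901    0.0.0.0:*
LISTEN 0 5    0.0.0.0:5900      0.0.0.0:*
LISTEN 0 128  [::]:3389         [::]:*
LISTEN 0 5    192.168.1.10:5902 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
"""

def classify_bind(host):
    """Return how widely a listening socket's local address is reachable."""
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface scope
    if host == "*":
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"                    # treat unparsable addresses as findings
    if addr.is_loopback:
        return "loopback-only"
    if addr.is_unspecified:                 # 0.0.0.0 or ::
        return "all-interfaces"
    return "single-interface"

def exposed_remote_control(ss_output):
    """List (port, service, scope) for remote-control listeners not on loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit() or int(port) not in REMOTE_CONTROL_PORTS:
            continue
        scope = classify_bind(host)
        if scope != "loopback-only":
            findings.append((int(port), REMOTE_CONTROL_PORTS[int(port)], scope))
    return sorted(findings)

if __name__ == "__main__":
    for port, service, scope in exposed_remote_control(SAMPLE_SS_OUTPUT):
        print(f"{service} on tcp/{port} bound to {scope}: restrict source IPs or bind to loopback")
```

A listener bound to loopback only is reachable solely from the machine itself (for example through an authenticated tunnel), which is why it is not reported.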

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM