Remote Control Software and Services

This information is not an endorsement of particular products, technologies, or their use. It is to make you aware of the risks that go hand in hand with their use. Any use of such technologies that may have a significant impact on unit operations or sensitive JMU or constituent data or services must follow the Project Selection and Management standard, including submission of a Project Initiation Questionnaire (PIQ).

Remote Control software or services allow you to take control of a desktop or other device over the network. They enable remote support, remote administration and monitoring, and/or access to programs, data, or services (for which you've been authorized remote access) that might not otherwise be available. They also add risk:

  • an additional path to allow unauthorized parties access to those same programs, data, and services
  • an additional way JMU Protected or Highly Confidential Data may find its way to unauthorized or more vulnerable devices or storage locations

Generally speaking, once a remote control service is enabled, all that stands between an attacker and control of your device is a password. In most cases, control of your device will provide access to all your data and accounts, either directly or indirectly. This can occur through cached passwords, single sign-on, or breaching your computer's security.

JMU computing standards require more stringent password controls than those enforced by many remote control services. In such cases, it is up to you to maintain passwords in accordance with JMU standards.

Paid versions of some products offer enhanced authentication options. These include using a list of one-time passwords or emailed passcodes. These options reduce the risks associated with reusable passwords, which often fall prey to phishing attacks, hacked servers, and viruses.

Things to consider when contemplating use of remote control software or services:

  • What university policies and standards govern the use of these technologies and associated university data and services?
    • Many of these products support transferring files. Understand the Data Stewardship policies and standards for accessing, protecting, and storing JMU Protected and Highly Confidential Data.
    • Such services may not be used to bypass policies, procedures, or standards meant to restrict remote access to services such as those on the Restricted Systems list (i.e. PeopleSoft, Advance, AiM).
  • Do the devices I use (e.g. home computer, tablet, or smart phone) to control a JMU computer put JMU or constituent data or services at additional risk?
  • What security measures beyond a password does the software or service offer?
  • Does a person in physical proximity to the computer being controlled see the activity on the screen?
    • Will someone walking by the computer while it is being controlled be able to see open documents and activities?
    • Does the remote operator know they're being remotely observed/controlled?
  • Best practices suggest that each person accessing the computer have their own unique account and password
  • Best practices suggest that the account not have administrator or root privileges
  • Best practices suggest that services be disabled when they're not necessary
  • Communications sessions should be encrypted when traversing untrusted networks as policy dictates. Login credentials must be protected end to end.

Faculty and staff should check with their individual departments for software selection, configuration information, and local policies regarding remote control software use.

 

Some common remote control programs and services include:

 

| Product | Type | Product Notes |
|---|---|---|
| GoToMyPC | Browser Agent | commercial, provides end to end encryption |
| LogMeIn | Browser Agent | commercial, provides end to end encryption (free version being discontinued) |
| WebEx | Browser Agent | commercial, provides end to end encryption if configured |
| TeamViewer | Browser Agent | free and commercial versions, provides end to end encryption |
| join.me | Browser Agent | free and commercial versions, does not offer end to end encryption protection due to need to support multi-party sessions, sessions are protected from endpoints to vendor servers but traffic is unencrypted once it hits vendor servers (join.me architecture whitepaper page 6) |
| Microsoft Remote Desktop | Connection to server on the controlled machine | requires a hole to be configured in the host firewall; for connections from off-campus to on-campus machines the SSLVPN gateway must be used |
| VNC | Connection to server on the controlled machine | requires a hole to be configured in the host firewall; for connections from off-campus to on-campus machines the SSLVPN gateway must be used |
| SSH | Connection to server on the controlled machine | requires a hole to be configured in the host firewall; for connections from off-campus to on-campus machines the SSLVPN gateway must be used |
| Lync | Remote control features are integrated in product | |
| Skype | Remote control features are integrated in product | |
| JMU VDI | | A special version of Microsoft Remote Desktop where a limited use, IT maintained Windows Virtual Machine is controlled rather than a physical machine. This relatively new service is currently limited to special use cases due to the costs involved. Submit questions to it-security@jmu.edu or submit a PIQ if interested in exploring applicability. Configurations and access controls are set up according to need, risk, and efficient use of resources. Currently approved use cases require the use of the SSLVPN gateway and two-factor authentication tokens. |