Is GoToMyPC a risk

Hi All,

   One of my w2k3 servers has GoToMyPC installed on it
so the software vendor can do maintenance on it.  It seems
to me that GoToAssist would be a lot safer, since the vendor
has to ask permission to get in.  Is GoToMyPC a security


Re: Is GoToMyPC a risk
First off, /why/ are you asking a W2003 question in a LINUX newsgroup.
Can't you find a relevant group to ask in? If not, then I'd suggest
that would be as good you've selected

Secondly, you've got a system that has an open connection to the
internet, and a package that permits anyone to access it through that
connection. Common sense would say that you have a security risk.

Lew Pitcher

Re: Is GoToMyPC a risk

Lew Pitcher wrote:
  The question was how to handle the problem with iptables and any
other common sense you can think of.  You have never heard of a mixed
Windows, Unix environment?

   Also, ask the Windows group this question and you get nasty remarks
and blank stares.  Most Unix admins have had to learn to cope with Windows,
which makes this the perfect place to ask.  I recommended against purchasing
the w2k3 server in the first place, as it is not only a piece of overpriced
trash, it is a huge security hazard.  I got overruled.

   Do you have any advice as to how to handle the problem?


Loved the Dilbert cartoon

Re: Is GoToMyPC a risk

On Mon, 14 Aug 2006 14:15:42 -0700, ToddAndMargo wrote:

It is possible to tunnel a VNC connection through SSH on a Linux box to a
Windows box, this should be much safer than allowing a direct connection
to a Windows box from the Internet. You do this by port forwarding the
VNC ports. My partner remotely accesses his Windows boxes in this manner.
He has Cygwin on his home Windows box. He sshes from Cygwin to his
office Linux server and port forwards the connection to his office Windows
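The forward described in the post above, written out as a small POSIX sh script. This is an added example, not code from the thread: the account `alice`, the office server `gateway.example.com` and the Windows box `w2k3-server.office.lan` are assumed names, and port 5901 is an arbitrary choice for the local end of the tunnel.

```shell
#!/bin/sh
# VNC over SSH, as sketched in the post above: the VNC viewer on the home PC
# talks to a local port, ssh carries it encrypted to the office Linux server,
# and the Linux server relays it over the LAN to the Windows box's VNC port.
# Added example; every host name and account below is an assumption.

TUNNEL_USER="${TUNNEL_USER:-alice}"               # assumed account on the office Linux server
TUNNEL_HOST="${TUNNEL_HOST:-gateway.example.com}" # assumed office Linux server (the only host exposed)
VNC_HOST="${VNC_HOST:-w2k3-server.office.lan}"    # assumed Windows box, as the Linux server sees it
VNC_PORT="${VNC_PORT:-5900}"                      # VNC display :0
LOCAL_PORT="${LOCAL_PORT:-5901}"                  # local end of the tunnel on the home PC

# validate_port PORT -> succeeds only for an integer in 1..65535
validate_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd -> prints the ssh command that opens the forward.
#   -N  no remote shell, only the port forward
#   -L  listen on 127.0.0.1:LOCAL_PORT here and relay each connection from the
#       Linux server to VNC_HOST:VNC_PORT
# Binding the listener to 127.0.0.1 rather than 0.0.0.0 stops other machines
# on the home network from riding the tunnel.
tunnel_cmd() {
    if ! validate_port "$LOCAL_PORT" || ! validate_port "$VNC_PORT"; then
        echo "tunnel_cmd: invalid port (local=$LOCAL_PORT, vnc=$VNC_PORT)" >&2
        return 1
    fi
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$LOCAL_PORT" "$VNC_HOST" "$VNC_PORT" "$TUNNEL_USER" "$TUNNEL_HOST"
}

# vnc_target -> the address to give the VNC viewer once the tunnel is up
vnc_target() {
    printf '127.0.0.1:%s\n' "$LOCAL_PORT"
}

# "./vnc-tunnel.sh run" starts the tunnel in the foreground; Ctrl-C closes it.
if [ "${1:-}" = "run" ]; then
    cmd=$(tunnel_cmd) || exit 1
    echo "Point your VNC viewer at $(vnc_target)"
    exec $cmd    # word splitting is intended: every part was validated above
fi
```

With the tunnel up, the viewer connects to `127.0.0.1:5901` and the Windows box's port 5900 only ever sees traffic from the office Linux server, so nothing on the Windows side has to be reachable from the Internet.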

Re: Is GoToMyPC a risk

wrote:
OK, but you didn't mention anything about Linux or iptables in your
original post. If you /had/, my response would have been different.

Well, I guess it depends on how important GoToMyPC is to your
environment, and the configuration of your environment.

From your remarks above, it sounds like your W2K3 PC is somewhere
behind a Linux iptables-based firewall. If so, and you have full
control through that firewall of all routes from the internet to your
W2K3 PC, then you /should/ be able to craft a suitable iptables rule
(or set of rules) that either blocks completely or severely restricts
internet access to GoToMyPC.

Now, I don't know about the internals of GoToMyPC (I briefly looked
into it while investigating remote operations solutions for OS/2
workstations), so you'll probably have to use ethereal or some other
lan trace tool to determine the communications values (ports, etc) that
it uses. From that, it shouldn't be too much of a problem to add rules
to blacklist the target (W2K3) IP address/port combination, and perhaps
add a whitelist for selected source IP addresses.

Of course, it depends on your circumstances. If you don't have a list
that you can use as a whitelist, then you may be stuck with an
unsecured open connection. How important is GoToMyPC to your company?
Can you live without it? If you can justify a more secure connection
(say, using a secured VPN solution instead), then go for it. Otherwise,
you might just have to "turn off" GoToMyPC on the W2K3 box, and
manually enable it only on demand.  Of course, that's a W2K3
operational issue, and has nothing to do with Linux.

So, my suggestions would be:
a) kill off GoToMyPC
b) install a secured VPN, and provide access /just/ to the people who
need it
c) enable the "Remote Desktop" features of W2K3, accessible only
through the secured VPN
d) block all GoToMyPC traffic at your firewall
e) pray that your user community stays sane, and doesn't add more holes
to your security setup than are already there.

Yah  :-)
I've always wanted an excuse to post a link to that one. I love it too

Lew Pitcher
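The blacklist-plus-whitelist rule set suggested above (point d, with the whitelist of vendor source addresses), as an added POSIX sh example that is not from the thread. Everything concrete in it is a placeholder: 192.168.10.20 stands for the W2K3 box, 203.0.113.10 and .11 for whatever source addresses the vendor gives you, eth0 for the firewall's Internet-facing interface, and port 8200 is just a stand-in for whatever the lan trace actually shows; nothing here is a statement about which ports GoToMyPC uses.

```shell
#!/bin/sh
# Fence off GoToMyPC on a W2K3 host that sits behind a Linux iptables firewall:
# only whitelisted vendor addresses may reach the traced port(s); everything
# else arriving from the Internet is logged and dropped.
# Added example. The addresses and the port are placeholders, not GoToMyPC
# facts: replace GTMPC_PORTS with what your LAN trace shows and WHITELIST with
# the vendor's list. DRY_RUN=1 prints the rules instead of applying them.

W2K3_IP="${W2K3_IP:-192.168.10.20}"                   # assumed LAN address of the W2K3 box
GTMPC_PORTS="${GTMPC_PORTS:-8200}"                    # placeholder port(s) from the trace
WHITELIST="${WHITELIST:-203.0.113.10 203.0.113.11}"   # assumed vendor sources (documentation range)
WAN_IF="${WAN_IF:-eth0}"                              # interface facing the Internet
DRY_RUN="${DRY_RUN:-0}"

# ipt ARGS... -> runs iptables, or echoes the command when DRY_RUN=1
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# valid_ipv4 ADDR -> succeeds for a dotted quad with every octet in 0..255,
# so a typo in the whitelist fails loudly instead of becoming a useless rule
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gtmpc_rules -> (re)builds a dedicated chain, GTMPC, and hooks it into
# FORWARD ahead of everything else for packets arriving on the WAN side.
# Per traced port the chain reads, top to bottom:
#   ACCEPT for each whitelisted source, then LOG, then DROP for all others.
gtmpc_rules() {
    ipt -N GTMPC 2>/dev/null || true     # chain already exists on a re-run
    ipt -F GTMPC
    for port in $GTMPC_PORTS; do
        for src in $WHITELIST; do
            if ! valid_ipv4 "$src"; then
                echo "gtmpc_rules: bad whitelist entry '$src'" >&2
                return 1
            fi
            ipt -A GTMPC -p tcp -s "$src" -d "$W2K3_IP" --dport "$port" -j ACCEPT
        done
        ipt -A GTMPC -p tcp -d "$W2K3_IP" --dport "$port" -j LOG --log-prefix "GTMPC-DROP "
        ipt -A GTMPC -p tcp -d "$W2K3_IP" --dport "$port" -j DROP
    done
    ipt -D FORWARD -i "$WAN_IF" -j GTMPC 2>/dev/null || true   # avoid a duplicate hook
    ipt -I FORWARD 1 -i "$WAN_IF" -j GTMPC
}

# "./gtmpc-fence.sh apply" installs the rules; "DRY_RUN=1 ./gtmpc-fence.sh apply" shows them.
if [ "${1:-}" = "apply" ]; then
    gtmpc_rules
fi
```

The chain is inserted at position 1 of FORWARD so it runs before any broad ACCEPT rule already on the firewall, and the LOG line before the DROP gives you a kernel log record of every non-whitelisted source that tries the port, which is also the quickest way to confirm the rules are hit once an outside port scan is run against them. The example handles the inbound case the post describes; if the trace shows sessions being set up in the other direction, the same chain pattern applies with the source and destination sides of each rule swapped.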

Re: Is GoToMyPC a risk

If the vendor requires you to use GoToMyPC, I'd require them to do this
legwork for you, and simply give you a list of IPs to be whitelisted,
and the port(s) they need open.  If they won't, threaten to switch to
another vendor.  ;-)  But if they won't give you a list of ports, at the
very least a list of IPs to whitelist will be very helpful, as it will
cut down your exposure greatly.  Whatever you do, be sure to verify your
iptables configuration with a portscanner from the outside of the
iptables machine.


