offer an installer without the remote access features

Specifically: This is for security purposes FURTHER than just the checkbox.


Ideally, offer a separate or way to build the installer / application without any of the remote access libraries. This should NOT only be just disabling it from listening on ports, but also from any dll or library involved.


My concern is that an adversary could determine this and leverage local exploits to elevate their permissions on the machine. (Maybe they only had guest access prior and used the machine to elevate to local SYSTEM or whatever access we give the app when installing so it can hook into the Fx keys / USB deviceid. At SYSTEM it can just wait for an admin to log in and grab the key that way.)


Auditors will question this at some point, and being able to just say 'we have the vnc module completely disabled and removed from our installer making it a non issue' (vs. 'vnc is disabled by a checkbox and not listening on any ports')

Comments

  • Plus one for complete removal of VNC in the MSI.


    Testing this product at an MSP and new ideas get run past a team of senior techs and this has raised a few worried questions unfortunately :(


    Just a check box on the MSI build page which removes this from the end product altogether would be greatly appreciated if possible.

  • Plus one.


    As a side note for the time being, you can disable the VNC features by renaming or deleting Tier2VNC.exe and tech_connect.exe from c:\program files (x86)\Helpdesk Button\. It doesn't seem to have any side effects.


    I've also had issues where even with unchecking the remote access box, rebuilding the msi, and uninstalling/reinstalling the app, it still allows remote access.


    That being said, before I can launch it with users, I would need an MSI without the VNC and without the remote access checkbox in the user gui.

  • +1 here too.


    If one of my client sites decides later on that they want me to have remote access down the road, or only on certain machines, then I have other options (like CW). Also, another thing I've noticed is that there is no access when the machine is logged out/locked, which is a strength of CW in my mind. Also, with all of the crap MSP tool providers are getting lately with the tool hacks it might be a good idea to hold off on deploying a remote tool until one that's built by Tier2 internally can be deployed. This would be a better situation in my mind as no one is relying on an outside entity to maintain security (at least to a lesser extent).


    Just to be clear, I'm saying all of this from the Red Teamer's point of view (with DefCon on my brain still). This comes from a place of love for all the hard work that's going into this awesome product/service!


  • Just a note for you - to make sure the remote access is 'disabled' you need to use the 3.26.x build for building the MSI (per support).


    It still doesn't remove the vnc stuff, but at least it removes the checkbox on the customer gui and from the report!

  • Also, poking around more in this forum (on the release notes I think) I found where one of the devs was talking about how the decision was already made to remove VNC in the near future and that they had already taken steps to secure it.


    Here's a link to the post from earlier this month:

    https://community.tier2tickets.com/discussion/16/2019-08-07-update#latest

  • Yes, this is correct, VNC will be an optional part of the installer in a future build. I appreciate everyone bearing with us as we work through this stuff. Our devs are working through things as quickly as possible and we have hired additional help.
