TeamViewer Security - How secure is it for simple remote support?
I'm deploying a web-based ERP system for a customer, in a way that both the server and the client machines will be inside the customer's intranet. I was advised in another question not to use TeamViewer Security to access the server, using more secure means instead, and so I did. But now I'm concerned about whether or not TeamViewer Security would be appropriate for the client machines, which are not "special" to this system in particular, but nonetheless, I don't want to lower their current security, nor do I want to compromise the computer on my end.
My question, then, is whether or not TeamViewer Security is "good enough" for simple remote desktop support, where it will be used simply to assist the users in the usage of the system, and whether or not I must take additional measures (like changing the default settings, changing the firewall, etc) to reach a satisfactory level of security.
Some details:
I already read the company's security statement and in my non-expert opinion, it is all fine. However, this answer in that other question has put me in doubt. After carrying out some research, UPnP in particular does not worry me anymore, since the feature that uses it - DirectIn - is disabled by default. But I wonder if there are more things I should be aware of that are not covered in that document.
The Wikipedia article about TeamViewer security says the Linux port uses Wine. AFAIK that doesn't affect its network security, is that correct?
Ultimately, the responsibility of securing my customers' networks is not mine, it's theirs. But I need to advise them about the possibilities of setting up this system, in particular, because most of them are small-medium NGOs without any IT staff of their own. Often I won't be able to offer an "ideal" setup, but at least I wanna be able to give advice like: "if you're installing TeamViewer Security in this machine, you won't be able to do X, Y and Z in it, because I'll disable it"; or: "you can install TeamViewer in any regular machine you want, it's safe in its default configuration; only this one *points to server* is off-limits".
My choice of TeamViewer Security was solely because it was straightforward to install in both Windows and Linux machines, and it just works (its cost is accessible too). But I'm open for other suggestions. I'm low both in budget and specialized staff, so I'm going for the simpler tools, but I wanna make a conscious decision whatever that is.
There's a couple of differences between using a 3rd party supplier (such as TeamViewer Security) and a direct remote control solution (e.g., VNC).
TeamViewer Security has advantages in that it doesn't require ports to be opened on the firewall for inbound connections, which removes a potential point of attack. For example, if you have something like VNC listening (and it isn't possible to restrict source IP addresses for connections) then if there is a security vulnerability in VNC, or a weak password is used, then there is a risk that an attacker could use this mechanism to attack your customer.
However, there is a trade-off for this, which is that you're providing a level of trust to the people who create and run the service (in this case TeamViewer). If their product or servers are compromised, then it's possible that an attacker would be able to use that to attack anyone using the service. One thing to consider is that if you're a paying customer of the service, you may have some contractual come-back if they're hacked (although that's very likely to depend on the service in question and a whole load of other factors).
Like everything in security, it's a trade-off. If you have a decently secure remote control product and manage and control it well then I'd be inclined to say that that's likely to be a more secure option than relying on a 3rd party of any kind.
That said, if the claims on TeamViewer's website are accurate, it seems likely that they're paying a fair degree of attention to security, and also you could consider that if someone hacks TeamViewer (who have a pretty large number of customers), what's the chance that they'll attack you?
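The exposure the answer describes, a remote-control service listening for inbound connections, can be checked on a client machine before choosing between the two approaches. This is an added example, not part of the original answer: it parses Linux `ss -H -tln` output, and the sample output, the function names and the port list (VNC 5900-5909, RDP 3389) are assumptions made for illustration.

```python
import ipaddress

# Well-known remote-control listener ports: VNC displays :0-:9 and RDP (assumed list).
REMOTE_CONTROL_PORTS = {**{5900 + n: "VNC" for n in range(10)}, 3389: "RDP"}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:5900 0.0.0.0:*
LISTEN 0 5 127.0.0.1:5901 0.0.0.0:*
LISTEN 0 128 [::]:3389 [::]:*
LISTEN 0 128 192.168.1.20:8069 0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4, bracketed IPv6, or '*') into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop brackets and any %iface suffix
    if addr == "*":
        addr = "::"  # ss prints '*' for a wildcard bind
    return addr, int(port)

def exposed_remote_control(ss_output):
    """Return (service, addr, port) for remote-control listeners that other
    hosts can reach, i.e. listeners not bound to a loopback address."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        try:
            addr, port = split_endpoint(fields[3])
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # unparsable local address or port
        service = REMOTE_CONTROL_PORTS.get(port)
        if service and not ip.is_loopback:
            findings.append((service, addr, port))
    return findings

if __name__ == "__main__":
    for service, addr, port in exposed_remote_control(SAMPLE_SS_OUTPUT):
        print(f"{service} listener reachable on {addr}:{port}")
```

A listener bound to 127.0.0.1 is skipped because it is only reachable through a local tunnel; anything the function reports is a service whose password strength and patch level the firewall is not shielding.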
TeamViewer Security - Best Practices
Exit TeamViewer Security, and Run It Only When You Need It
Our first suggestion is both an immediate action you need to take and a general suggestion for future use. First, since compromises are often a result of poor security practices, we're going to do one thing right away: shut TeamViewer off temporarily and update it. While the application is turned off, we're going to update the security on your TeamViewer account through the company's webpage. (More on this in the next section.)
As a general future consideration, only run the TeamViewer application when you need it. That way, even when there is a vulnerability in the program (like the one just discovered and patched), you won't be in nearly as much danger. An application that isn't running can't cause any trouble for you. We understand that some people keep TeamViewer on 24/7 as part of their workflow, and if you absolutely have to, fine. But if you only use it occasionally in your home, or you're one of the people who only turns it on to occasionally troubleshoot a relative's computer, then don't leave it running all day, every day. This is the single best way to avoid giving someone access to your machine.