Remote Access to PC
August 14, 2008 5:32 PM

What program to use for secure remote PC access?

I want to access a home computer using any one or combination of these services (logmein, gotomypc, keriovpn, live messenger, other similar services) in a secure way.

If possible, please include detailed explanations or links to detailed explanations for all steps, etc. My main issue is security. I would also like something free if possible, since it's only for one computer - personal/school use.

I want to have remote access to a home pc (has XP) from a separate location (has Vista), but I don't want to unwittingly give outsiders access. Does anybody use logmein or any other free services to do this?

Limitation - can't download anything on the remote computer (that has Vista)

Thanks!
posted by cashman to computers & internet (22 comments total) 5 users marked this as a favorite

If LogMeIn.com wasn't secure, it wouldn't exist. Plain and simple. It is a commercial product (that offers a free limited version).
posted by SirStan at 5:53 PM on August 14, 2008


SecureVNC will allow you to access your home computer via a browser (and Java applet, if I remember correctly). It will be as secure as the password you choose for it.
posted by bizwank at 6:00 PM on August 14, 2008


Totally get on LogMeIn.com. It's completely encrypted and password protected (it actually uses two passwords, one for your account and another for each specific PC, so I'd pick a different password for each level.) I want to say your communication is encrypted with 448-bit encryption, but I might be wrong there.

Two reasons to use LMI over a VNC derivative - One, no ports to forward on your router. Two, WAY better video compression, resulting in way less jerkiness/slideshow-ness on your remote session.
posted by mysterious1der at 6:16 PM on August 14, 2008


It's best to avoid putting any PC in a DMZ (no firewall, etc). Most college/home networks have a router in front of your PC that does NAT translation. Basically in most instances you have a 100% firewall in front of your PC. Running *VNC requires you to increase the surface area that your PC has on the internet, and is inherently LESS secure than an option that does not put your computer directly on the internet.

LogMeIn is designed to be 100% secure (again, that's why people trust and use them), and they keep your connection to them entirely secure. The handoff is secure. Unless you are a security pro (which... if you have to ask if something is secure... probably implies you aren't) then a solution that increases your PC's surface area with regards to open ports, etc is a BadThing(tm).

Besides -- Most VNC applications require just a password -- which is like calling a combination lock secure. There are only so many combinations -- and a computer can try them all.

VNC has its place -- but I wouldn't make that place the public internets.
posted by SirStan at 6:17 PM on August 14, 2008


Great responses - okay - I downloaded LMI Hamachi and I'm trying to test it out using two PCs on the same router/IP. The "home" computer seems to connect to networks fine. The test remote computer (not the actual remote computer) has LMI Hamachi on it now but it won't connect to any networks. Is that an IP thing? I restarted already.
posted by cashman at 6:22 PM on August 14, 2008


The two machines are using the same IP or are NAT'ed with different internal addresses behind the router? The latter will work with Hamachi, but I can't vouch for the former.

For an added layer of security, once you get Hamachi working, you can fine tune your XP machine's firewall so it only allows the inbound remote connection via the Hamachi virtual network adapter, and not via your physical NICs.
posted by JaredSeth at 6:33 PM on August 14, 2008


Hamachi meets the "don't need to install anything" requirement?
posted by SirStan at 6:34 PM on August 14, 2008


Oh, or do you mean the test machine is a VM? I've had issues using VPN products through the VMNet adapters before, especially if it's a bridged connection.

Good point, SirStan, but it sounds like he's already got Hamachi on the Vista box.
posted by JaredSeth at 6:36 PM on August 14, 2008


You definitely want to use LogMeIn Free, not LMI Hamachi. It is infinitely easier, has secure browser based access, and the only things really missing from the "Free" version are sound transfer and an FTP-style file transfer. Don't spend any more time on Hamachi, it isn't the program you need.
posted by shinynewnick at 6:41 PM on August 14, 2008


And to echo SirStan, you have to install a client on the Vista computer to make Hamachi work. That is not the case for LogMeIn Free.
posted by shinynewnick at 6:44 PM on August 14, 2008


Why not use Windows Remote Desktop? Windows Remote Desktop
posted by Sonic_Molson at 7:38 PM on August 14, 2008 [2 favorites]


Yeah, LMI Hamachi broke the requirements but I was just trying to see if I could get it to even work at all. I think I mistakenly got into Hamachi not realizing that wasn't their only product. So I'm going to go back as shinynewnick suggests and install LMI Free, and see if that sets up right.
posted by cashman at 7:40 PM on August 14, 2008


Running *VNC requires you to increase the surface area that your PC has on the internet, and is inherently LESS secure than an option that does not put your computer directly on the internet.

I'm not really clear on what you're saying there - I think when I've used VNC it has only required a single port - which is not some horrendous security risk, especially if it's a port that is used just for that remote access app, or one that is selectable by the user. If a remote access application does this through port 80 or something that they expect to always be open, that's just exposing an attack surface through a well-known port (one that ought to only be used for web traffic in the case of port 80.) And I've never seen a remote access solution that requires putting either end of the connection in a DMZ or otherwise "directly on the internet".

As LogMeIn's own security white paper notes, "Remote access products are perceived as high risk factors, but mainly for psychological reasons."

The same paper says "The greatest weakness... is the user himself." cashman - in my opinion you'll get more mileage out of educating yourself on computer security rather than wringing your hands over which of the various remote access solutions to use, when they all provide the same basic security capabilities, especially if you seek out and follow the security advice from the vendor (or open source project as the case may be.)

For example - on the host system you're logging into, create limited user accounts that can only do exactly what you need to do remotely, and then only remote in with the limited accounts. Those sorts of measures will get you much greater mileage than simply seeking out applications that advertise themselves as "100% secure", which I think will lead you to a false sense of security. The best way to avoid unwittingly giving outsiders access is to not be unwitting.
posted by XMLicious at 7:46 PM on August 14, 2008


if you have some technical prowess:

VNC/RD + SSL + PUTTY (all free)

1. install cygwin, make sure to include ssl
2. find the instructions (google) for setting up sshd as a windows service
3. set up your router to pass one port (doesn't matter which) from the outside to the sshd port (again, doesn't matter which; you can tell sshd to listen on any port)
4. at this point you should be able to use putty to connect to your PC from the outside world using the port your router is forwarding. Putty+SSL gives a lot of choice for encryption (AES,Blowfish,3DES).
5. set up a tunnel using Putty - as long as you are logged in it will connect a port on your source machine securely to a port on your target machine (the one running sshd)
6. now you can use either VNC or regular old Remote Desktop;
for example for RD:
enable RD on the home machine. tell putty the local port is 12345 and the remote port is 3389. Now on the machine you are running putty, do a remote desktop to localhost:12345

for some extra safety you can set up a windows job to turn sshd on and off at various times; e.g. during the night when you wouldn't be using it
posted by jockc at 8:24 PM on August 14, 2008
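
Added example, not part of jockc's post: steps 3 to 6 above leave an sshd reachable from the internet whose only job is to carry the tunnel to port 3389, so this Python script audits an sshd_config for that tunnel-only role. It assumes OpenSSH keyword names (Cygwin ships OpenSSH); the sample configs, port 2222 and the account name tunneluser are constructed.

```python
# Added example: audit the sshd_config behind the router's forwarded port.
# Assumes OpenSSH keywords; both sample configs are constructed for illustration.
SAMPLE_DEFAULT = """\
Port 2222
#PasswordAuthentication yes
"""

SAMPLE_HARDENED = """\
Port 2222
PasswordAuthentication no
AllowUsers tunneluser
AllowTcpForwarding yes
PermitOpen 127.0.0.1:3389
"""

# OpenSSH defaults for the keywords checked here.
DEFAULTS = {"passwordauthentication": "yes", "permitopen": "any", "allowusers": ""}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}


def parse_global(text):
    """Global settings only (stops at the first Match); first value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.replace("\t", " ").partition(" ")
        if keyword.lower() == "match":
            break
        settings.setdefault(keyword.lower(), value.strip())
    return settings


def audit(text, port="3389"):
    """Return findings for an sshd meant only to tunnel to local RDP."""
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("password logins accepted on the exposed sshd port")
    if not cfg["allowusers"]:
        findings.append("no AllowUsers: any local account may log in")
    for target in cfg["permitopen"].split():
        host, _, dport = target.rpartition(":")
        if host.lower() not in LOOPBACK or dport != port:
            findings.append(f"PermitOpen is not limited to local RDP: {target}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_DEFAULT), audit(SAMPLE_HARDENED))
```

With key-only logins, a single allowed account and `PermitOpen` pinned to the loopback RDP port, a stolen or guessed login on the forwarded port can reach nothing except the Remote Desktop logon screen.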


Teamviewer teamviewer teamviewer!

http://www.teamviwer.com

It's one-step and easy! You run a client on one machine, and you just download and install OR run the viewer. It breaks through firewalls and everything - no need to forward ports on your router or anything. You can even run it off a USB stick.
posted by yoyoceramic at 8:27 PM on August 14, 2008


Besides -- Most VNC applications require just a password -- which is like calling a combination lock secure. There are only so many combinations -- and a computer can try them all.

An eight-character password of mixed-case letters, numbers and symbols has 7.2 quadrillion possible combinations and would take a cluster of PCs over two years to brute-force.
posted by bizwank at 9:01 PM on August 14, 2008


VNC is too slow and Windows Remote Desktop Connection is insecure by default and requires you to open a port on your firewall. Both require you to configure a Dynamic DNS client, which is unnecessarily complex for what you want to do. Stick with the services that make it easy.
posted by cnc at 9:53 PM on August 14, 2008


I use both VNC and Windows remote desktop via IP alone; dyndns is not a requirement. What's easier than pointing your browser at an IP, entering a password and seeing your desktop?
posted by bizwank at 2:10 AM on August 15, 2008


bizwank, but how do you know the home IP address at any given moment unless you have a static IP? I use this method, but I've got a static...the average home user is on a DHCP address.

Windows Remote Desktop Connection is insecure by default

This however is FUD. Using RDC really isn't all that different than using VNC. One extra step one can take though, since usually if you're doing this from work your source address will not change, is to fine-tune your firewall to only allow inbound connections from the work address.
posted by JaredSeth at 2:57 AM on August 15, 2008 [1 favorite]


nthing Windows RDP. It's part of Windows, it's free and in most places it's kind of impossible to block since it has lots of legitimate uses for IT professionals. Worrying about how secure it is/isn't is kind of silly considering that there are craploads of other far more interesting PCs in the world for people to snoop on/break into/etc. If you are super paranoid, just change the listening port for RDP to something non-standard and only open it on your router/firewall and not the default port.
posted by zennoshinjou at 5:44 AM on August 15, 2008


Also, most ISP provided IPs (if you have cable modem anyhow...) probably behave like static more often than not since DHCP generally tries to renew a lease to a MAC address with the same IP if it can. My IP has been the same on my cable modem for 2+ years.
posted by zennoshinjou at 5:45 AM on August 15, 2008


Windows Remote Desktop Connection is insecure by default

Just to set the record straight, RDC by default uses either 56 or (post Win2K) 128 bit RC4. With VNC, it depends on the implementation. In any case, you should tunnel both over SSH when using over the internet.
posted by tracert at 12:12 AM on August 17, 2008


This thread is closed to new comments.