SimpleHelp for Vendor Access

I’ve been using SimpleHelp for a long time myself; I used it when I ran a small MSP and have just kept it around and updated, mostly for personal use, since.

I’ve been thinking, though, that I might use it in a different way in the environment I’m charged with taking care of, and I’m looking for any thoughts or opinions from anyone who has used it this way.

There are a lot of vendors that I deal with right now that use all kinds of methods for remote support on our network. I am growing a bit weary and untrusting of just allowing users to establish LogMeIn-style remote support sessions with vendors, and I’m working to lock it down.

So right now I have two things I’m trying to restrict when it comes to vendor access. The first is the typical on-demand support that a vendor may provide to an end user using screen sharing. For this I am starting to restrict all SimpleHelp / LogMeIn / GoToAssist / Bomgar type applications on the network and only allowing them for limited amounts of time, as requested on a case-by-case basis, allowing us in IT to regulate, control, and monitor when these sessions are allowed.

The second thing that I want to take some control of is vendors that keep persistent access to vendor-supported servers / devices on the network. I do see a case with some of these vendors where them being able to access the device / server on demand should be allowed. This is where I’m thinking about installing a new instance of SimpleHelp at the company. There are platforms that are purpose-built for this, like SecureLink, but I think SimpleHelp could also meet the need as I have it. My thoughts are that I will buy / install a new instance of SimpleHelp that is just for vendor use. Each vendor account would be placed in its appropriate group that has access to only the devices that the vendor directly supports; they would not have access to the support sessions or any other functionality, just remote access to the list of devices we have allowed. There would likely be a lot of “tech” accounts compared to the number of systems, since some of these vendors have dozens of potential support staff. I feel like this would allow us to maintain control over remote access: we could implement forced recording of sessions, enforce MFA, etc., all while still allowing the vendor the ability to support systems / transfer files, etc.

Anyone used SimpleHelp in this fashion and have any thoughts about it?

I have actually thought about this a lot. If you follow through with it, please post back your experiences. I am in the same boat as you, trying to restrict access, and have been doing the same with limiting connections as needed.

The only problem I see is vendor adoption, especially if it is not in the contracts that they have to use your provided remote application program.

Interested in hearing your experiences later on if you do it.

Yeah, I’m sure some vendors will squawk about it, but I am leaning more and more towards the idea that we have to start telling our vendors how things will work, as opposed to the other way around. The way I see it, the vendors just do not share the same risk that we do as the client, and allowing too much uncontrolled access is too big of a liability to keep doing business as usual.

I’ll let you know how things go when I get things up and running.

1 Like

My biggest client (200 people) is focussing more and more on security. They are now paying an external company to carry out an annual security audit and then consider the recommendations. First year there were a lot, second year less so.

One of the key aspects they always mention is ensuring that people only have the right (minimal) access they need and that access is reviewed. Many fall down on both of these, and especially the latter. They are very good at setting up access but crap at revoking it. How many IT technicians have left a company knowing a shared username & password not protected by 2FA, without the password at least being changed?

So whilst I haven’t read the original poster’s post in detail yet, I do agree with the observation that vendors need to start listening to us, especially on security.

As part of that audit, we’ve had to go through every system we use - all cloud based. Over 150 of them! To understand where they are storing data and how security access works. We’ve uncovered some real howlers - Veeva is a web-based document approval system used by many pharmaceutical companies - no 2FA… eBuyer, a UK IT equipment supplier - we have a trade account - no 2FA. We’ve given them notice that if they implement 2FA, we’re taking our business elsewhere.

A couple thoughts…

  • You guys should have a policy on this. If not, develop one and educate your users about it. (No external access to systems is ever allowed to a vendor, or even an employee, without consent from IT.)
  • The vendor is not going to want to install SH Technician on their computer to manage your application/server. And most vendors have lots of people that may be responsible for remoting in, and more and more vendors are allowing employees to work from home… so do you want a bunch of computers (at the vendor) having Technician on them with access to your machine(s) at all times, possibly from home machines? And you can guarantee that if an employee leaves the vendor they won’t inform you so that you can change their password, nor will they think to remove “that application one of our customers made us install to manage their systems”.
  • If you are hosting SH in-house, this means opening ports for this less-used use case, and it is just one more possible way in if there is a security issue with SH. I’d at least host it externally if you do it.
  • Make sure that vendors touching your systems are under a contract of some type (that your legal team wrote); their contract will say they have absolutely no liability if they compromise your systems or leak your data.
  • Keep in mind that giving vendors access through Technician will give them the ability to do anything they want as root/admin on that machine (create new users, open ports, install anything at all) - so maybe SH “Remote Work” would be a better use case here if you want to go that way.
  • Remember the vendor works for you, not the other way around; don’t hesitate to put your foot down and tell them that this is the policy and that they’ll just have to deal with not having access whenever they want.

Something that I’ve been thinking about… running a Guacamole server ( https://guacamole.apache.org/ ) and giving vendors access through that. You can create an account for them that only has RDP access, or VNC access, or whatever, to just the machine that they need. It is fully web-based, so no software for them to install. You can control the accounts and passwords and only activate them when and if the vendor needs them. You have access to the logs for auditing purposes. It supports 2FA also. You could even “spin it up” only when needed (to keep the services off when not in use). It’s on my list to check out for this purpose, but it’s going to be a while before we get to it.

We do not allow any vendor to access machines remotely without us observing. We schedule a time, and then on that machine run whatever they use for remote support, observe them the whole time, type in any network/machine credentials for them, and then after they are done we remove their remote support program (if it installed). Having unknown people having unfettered access to your network is a recipe for disaster.

… these are just my thoughts in a perfect world of course, I know these things are not always possible.

Good luck and let us know what you go with and how it goes.

1 Like
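As an added illustration of the Guacamole idea in the post above (a constructed example, not from the poster or the Guacamole project): a minimal `user-mapping.xml` entry that gives one vendor account exactly one RDP connection to one host, records the session and blocks clipboard and drive redirection. The vendor name, password, IP address and recording path are placeholders; this file-based authentication has no per-account enable/disable or TOTP, which in Guacamole come from the database authentication and TOTP extensions, so this shows only the shape of a least-privilege vendor entry.

```xml
<!-- Constructed example: one vendor account, one RDP target, nothing else.
     Placeholders: acme-support, vendor-password-here, 10.20.30.40 -->
<user-mapping>
    <!-- The vendor's account. Deleting this block revokes their access.
         The password is plaintext here unless encoding="md5" is added. -->
    <authorize username="acme-support" password="vendor-password-here">

        <!-- The only connection this account can see: the one server ACME supports -->
        <connection name="acme-app-server (RDP)">
            <protocol>rdp</protocol>
            <param name="hostname">10.20.30.40</param>
            <param name="port">3389</param>
            <param name="security">nla</param>
            <param name="ignore-cert">false</param>

            <!-- Record every session for audit; one file per login, named by user and time -->
            <param name="recording-path">/var/lib/guacamole/recordings</param>
            <param name="recording-name">${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}</param>
            <param name="create-recording-path">true</param>

            <!-- No clipboard in either direction and no drive redirection,
                 so files only move through channels IT controls -->
            <param name="disable-copy">true</param>
            <param name="disable-paste">true</param>
            <param name="enable-drive">false</param>
        </connection>
    </authorize>
</user-mapping>
```

Because each `authorize` block lists only the connections that account may use, a vendor with several engineers gets one block per person, each pointing at the same single connection, so an individual can be removed without touching the others.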

These are really good points…

I will just point out that there do appear to be a lot of limits that can be implemented in SH, and granting some access in SH does not necessarily mean admin / root access. I also firewall vendor-supported systems and control their east-west connectivity, so access to a vendor-supported system does not necessarily grant access to other parts of my network. I would not allow things like toolbox usage or SH tunnels for those groups. Remote Work, if I’m not mistaken, is also limited to a single user per machine? I’ve not used it, so I could be wrong.

There are systems out there that are purpose-built to do what I’m trying to accomplish, like SecureLink; I’m just kind of looking to see what could be done with this lower-cost alternative.

The Guacamole server actually appears to be a solution that would provide a lot of what I’m looking to do here, and your point about the vendor not having to install SH Technician is a good one.

I like the perfect-world scenario where vendors are only allowed access on a schedule and under our supervision; unfortunately for us, that’s just not realistic. We will have some vendors that need to support our users without having to get us in the middle of the support session. That risk is one that we have to accept; what I have to do now is manage and lower the surface area of that risk as much as possible. Allowing them to use their own tools and things like TeamViewer, I feel, takes some of that control out of my hands.

2 Likes