    Remote Access & HIPPA

    IT Discussion
    • rjt

      I would be more worried about a vulnerability in the JavaScript framework supporting MeshCentral, so I would NOT put the MeshCentral server on the internet directly, but inside VPNs. Each of the sites on one VPN and the HIPAA site on another standalone VPN. MeshCentral inside both VPNs.

      I would second what @JaredBusch said about the HIPAA site and automatic control of the desktop. I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.

      Lastly, there is a spot in the MeshCentral configuration file and a CLI option that logs anyone in without authentication - "User". It was meant for testing: enable "User" and all authentication is bypassed and logons occur automatically. One just might think KeePass auto-logon was working really fast. So delete the User option from /opt/meshcentral/meshcentral-data/config.json and never pass it on the CLI. Ditto for the "nousers" option.

      • scottalanmiller @rjt

        @rjt said in Remote Access & HIPPA:

        I would be more worried about a vulnerability in the JavaScript framework supporting MeshCentral, so I would NOT put the MeshCentral server on the internet directly, but inside VPNs. Each of the sites on one VPN and the HIPAA site on another standalone VPN. MeshCentral inside both VPNs.

        And limit it to MC traffic, not open traffic between sites.

        • scottalanmiller @rjt

          @rjt said in Remote Access & HIPPA:

          I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.

          If you have an admin account, you should be good without rebooting anyway.

          • Dashrender @rjt

            @rjt said in Remote Access & HIPPA:

            I would second what @JaredBusch said about the HIPAA site and automatic control of the desktop. I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.

            You either have consent on or off, you don't flip flop without having what seems like a clear workaround to what is supposed to be a security benefit.

            • JaredBusch @scottalanmiller

              @scottalanmiller said in Remote Access & HIPPA:

              @rjt said in Remote Access & HIPPA:

              I would be more worried about a vulnerability in the JavaScript framework supporting MeshCentral, so I would NOT put the MeshCentral server on the internet directly, but inside VPNs. Each of the sites on one VPN and the HIPAA site on another standalone VPN. MeshCentral inside both VPNs.

              And limit it to MC traffic, not open traffic between sites.

              Don't encourage stupid. What would be the point of this? What is the gain?

              MeshCentral (MC) and ScreenConnect encrypt all communication between the agent on the client and the tech connection. This is done before/outside of web traffic SSL, and always has been.

              The web traffic to the MC server can or cannot be SSL; that is a separate piece.

              • JaredBusch @Dashrender

                @Dashrender said in Remote Access & HIPPA:

                @rjt said in Remote Access & HIPPA:

                I would second what @JaredBusch said about the HIPAA site and automatic control of the desktop. I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.

                You either have consent on or off, you don't flip flop without having what seems like a clear workaround to what is supposed to be a security benefit.

                I have not, yet, looked back at the MC consent setup once it was implemented. Assuming it was done correctly, consent is permission based, so you could have an account that does not require consent. But you would need auditing on any use of the account.

                • Dashrender @JaredBusch

                  @JaredBusch said in Remote Access & HIPPA:

                  @Dashrender said in Remote Access & HIPPA:

                  @rjt said in Remote Access & HIPPA:

                  I would second what @JaredBusch said about the HIPAA site and automatic control of the desktop. I would hope if you need control after hours, you could simply reboot the machine and then no consent is necessary.

                  You either have consent on or off, you don't flip flop without having what seems like a clear workaround to what is supposed to be a security benefit.

                  I have not, yet, looked back at the MC consent setup once it was implemented. Assuming it was done correctly, consent is permission based, so you could have an account that does not require consent. But you would need auditing on any use of the account.

                  I was pretty much assuming the use of two accounts - or (more crazily) log in with admin, change the permission, etc... but again, that would be crazy.

                  But the ability to do that more or less defeats the purpose... because you can choose to be a bad guy and just change that setting as you want and see what you want.... Yeah, logs are supposed to show what you're doing - but still.

                  But you have clients who have you in that spot; do you have a during-hours and an after-hours account you use to support them?
