Hardening (analyze & avoid remote access)


  1. Posts : 34
    windows 7 Professional x64
       #1

    Hardening (analyze & avoid remote access)


    Hello,
    a client of mine runs a Windows 7 Embedded
    [6.1.7601 Service Pack 1 Build 7601]


    There is a remote management software installed called TeamViewer Host
    (version 9).


    But, here is the issue.
    Someone is controlling the computer, because the end-users have a number of times seen
    that someone is controlling the mouse and using the computer. And I suspect it's not a TeamViewer session but instead some other unknown RAT/spyware or other RMM.




    I have been assigned to investigate and stop this.


    * TeamViewer Host log files show no matching incoming connections
    * TeamViewer Host has been set to have one new password, and no other extras
    * I deactivated the Windows RDP/RDC protocol within Control Panel
    * I installed Malwarebytes and am running a scan atm



    What else do you suggest to do?




    I am planning to visit the site and do some more work at the terminal:


    () I will do a Regshot of the system with my portable thumb drive,
       reboot and scan again, and check for anomalies
       (where the application stores its data -)

    () deny all in the Windows Firewall, and make exceptions just for critical applications
       such as Windows Update and TeamViewer

    () also, if available, check the router and add an additional firewall/block everything to this device in the network

    () check the UAC settings

    () install and tweak EMET, but I found this toolkit quite hard to understand.
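    One way to go through the TeamViewer Host connection log more systematically than reading it by eye, as an added example in PowerShell that is not from this thread or from TeamViewer: it parses the tab-separated Connections_incoming.txt that TeamViewer writes into its install directory, flags sessions from partner IDs that are not on your list of known technicians, and flags sessions that started outside working hours. The column layout, the log path and the timestamp format used here are assumptions about TeamViewer's file; compare them with a real line from the log before trusting the output. When the file is not present the script runs over constructed sample lines.

```powershell
# Added example, not from the thread: review TeamViewer's incoming-connection log.
# ASSUMPTION: Connections_incoming.txt is tab-separated, one session per line:
#   partner ID, partner name, start, end, local user, session type, session GUID
# with timestamps in "dd-MM-yyyy HH:mm:ss". Verify against a real line first.

$knownPartners = @('123456789')        # TeamViewer IDs of your own technicians (assumed)
$workStart = 7; $workEnd = 19           # hours outside of which a session is suspicious

# Constructed sample lines, used only if the real log is not present.
$sampleLog = @"
123456789`tSupport-Laptop`t20-03-2020 09:12:01`t20-03-2020 09:40:15`tOperator`tRemoteControl`t{11111111-1111-1111-1111-111111111111}
987654321`tUNKNOWN-PC`t21-03-2020 23:47:30`t22-03-2020 00:05:02`tOperator`tRemoteControl`t{22222222-2222-2222-2222-222222222222}
"@

function Get-TeamViewerIncomingSessions {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line.Trim() -eq '') { continue }
        $f = $line -split "`t"
        if ($f.Count -lt 6) { continue }                 # skip malformed lines
        $start = $null
        try { $start = [datetime]::ParseExact($f[2], 'dd-MM-yyyy HH:mm:ss', $null) } catch { }
        $afterHours = $false
        if ($start) { $afterHours = ($start.Hour -lt $workStart -or $start.Hour -ge $workEnd) }
        New-Object PSObject -Property @{
            PartnerId   = $f[0]
            PartnerName = $f[1]
            Start       = $f[2]
            End         = $f[3]
            LocalUser   = $f[4]
            Type        = $f[5]
            Known       = ($knownPartners -contains $f[0])
            AfterHours  = $afterHours
        }
    }
}

# Assumed install location (32-bit TeamViewer on x64 Windows; adjust for your host).
$logPath = "${env:ProgramFiles(x86)}\TeamViewer\Connections_incoming.txt"
$lines = if (Test-Path $logPath) { Get-Content $logPath } else { $sampleLog -split "`r?`n" }

$sessions = Get-TeamViewerIncomingSessions -Lines $lines
Write-Host ("{0} incoming session(s) in log" -f @($sessions).Count)

# Anything from an unknown partner, or at an odd hour, deserves a closer look.
$sessions | Where-Object { -not $_.Known -or $_.AfterHours } |
    Sort-Object Start |
    Format-Table PartnerId, PartnerName, Start, End, LocalUser, Known, AfterHours -AutoSize
```

    An empty result from this script only says that TeamViewer itself recorded no foreign session; it says nothing about a second remote-control agent that never touches TeamViewer's log, which is why the firewall and autorun checks in the thread still matter.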


  2. Posts : 2,798
    Windows 7 x64, Vista x64, 8.1 smartphone
       #2

    Hello rihtt

    Does the Windows 7 Embedded computer have its own mouse physically connected, or is it only (intentionally) controlled via TeamViewer?


  3. Posts : 3,788
    win 8 32 bit
       #3

    The top option is to set up a DMZ zone and assign it to a fixed IP which doesn't exist. Set this on the router so nothing would connect from outside; it would require something running on the PC to open a connection. Check schedule and startup.


  4. Posts : 0
    Windows 7 Ultimate x64
       #4

    TeamViewer is very susceptible to having the account hacked. When you use TV it is vital you use 2FA (two-factor authentication). I use Authy and I highly recommend you use Authy for every account that has a 2FA ability for Authy. Be it PayPal, eBay (unless you snipe, don't turn it on), domain providers, etc. Use Authy when you can. If email or SMS is the only option, use email; if SMS is the only option use SMS, though not very good since that is vulnerable to a SIM card swap hack.

    So what I would do right now is the following:

    A: Login to the TV account and change the password. Use Keepass and make it at least 16 characters. Backup Keepass' database to multiple storage mediums regularly. USB flash drives, computers, hard drives, cloud storage, you name it.

    B: Download the Authy app for your phone. Install Authy on your computer/s. Go into your TV account and choose to use 2FA.

    C: Run Autoruns and make sure there isn't something there that shouldn't be.

    D: Run Sanity Check.

    E: Run TDSSKiller.

    F: Try Herdprotect portable.

    DMZ and all that is not going to make a difference with a TV connection. A TV connection bypasses the firewall and router SPI via direct IP connection from the program to a server somewhere in the world. They have many IPs and I've seen several using Peerblock. In all the years I've used TV I have never had unusual behavior and that's principally because I use 2FA.

    Heed my advice line by line. Any questions ask.
    Last edited by file3456; 22 Mar 2020 at 06:08. Reason: spelling mistake


  5. Posts : 2,468
    Windows 7 Ultimate x64
       #5

    The very first measure you could take is to properly set up your firewall at the affected computer. Only let known programs access the network, both for incoming and especially outgoing connections. Firewall logs may also uncover the problem, if it ends up not being a TeamViewer session.


    F22 Simpilot said:
    Team Viewer is very susceptible to having the account hacked.
    Why? What's your basis for such claim?
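    The "deny all, allow only known programs" firewall setup that both the original plan (Windows Firewall with exceptions for Windows Update and TeamViewer) and this reply describe, together with the dropped-connection logging the reply suggests, as an added PowerShell example that is not from this thread or from any of the posters. It uses the netsh advfirewall commands that exist on Windows 7 (the NetSecurity cmdlets only arrived with Windows 8), turns on logging of dropped packets, and summarises the log by direction, protocol and destination so that a repeated call-home to one outside host stands out. The TeamViewer path, the svchost/wuauserv exception for Windows Update and the log location are assumptions; run it from an elevated prompt on the affected machine, and when the real log is not present it summarises constructed sample lines instead.

```powershell
# Added example, not from the thread: default-deny Windows 7 firewall with named
# exceptions, dropped-packet logging, and a summary of what the log caught.
# Run from an elevated PowerShell prompt. The program paths are assumptions.

$tv      = "${env:ProgramFiles(x86)}\TeamViewer\TeamViewer.exe"   # assumed path
$svchost = "$env:SystemRoot\System32\svchost.exe"
$log     = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Set-DefaultDenyFirewall {
    # 1. Block both directions on every profile. Outbound deny is the part that
    #    matters against an unknown remote-control tool: it cannot call home.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

    # 2. Exceptions for the few things the embedded box legitimately needs.
    netsh advfirewall firewall add rule name="Allow TeamViewer out" dir=out action=allow program="$tv" enable=yes
    netsh advfirewall firewall add rule name="Allow Windows Update out" dir=out action=allow program="$svchost" service=wuauserv enable=yes
    netsh advfirewall firewall add rule name="Allow DNS out" dir=out action=allow protocol=UDP remoteport=53 enable=yes
    netsh advfirewall firewall add rule name="Allow DHCP out" dir=out action=allow protocol=UDP localport=68 remoteport=67 enable=yes

    # 3. Log every dropped packet so the next unexplained session leaves a trace.
    netsh advfirewall set allprofiles logging droppedconnections enable
    netsh advfirewall set allprofiles logging filename "$log"
    netsh advfirewall set allprofiles logging maxfilesize 16384
}

# pfirewall.log uses W3C-style lines after a "#Fields:" header:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-DroppedConnectionSummary {
    param([string[]]$Lines)
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -lt 17) { return }              # skip malformed lines
            New-Object PSObject -Property @{
                Time = "$($f[0]) $($f[1])"; Action = $f[2]; Proto = $f[3]
                Src = $f[4]; Dst = $f[5]; DstPort = $f[7]; Path = $f[16]
            }
        } |
        Where-Object { $_.Action -eq 'DROP' } |
        Group-Object Path, Proto, Dst, DstPort |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample log lines (RFC 5737 documentation addresses), used when
# the real log is absent. Repeated outbound SENDs from this machine to one
# external host:port are the pattern an unknown agent's call-home leaves.
$sampleLog = @"
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-03-21 23:47:30 DROP TCP 192.168.1.20 203.0.113.9 49512 8080 52 S 3031866283 0 8192 - - - SEND
2020-03-21 23:47:33 DROP TCP 192.168.1.20 203.0.113.9 49513 8080 52 S 3031866284 0 8192 - - - SEND
2020-03-21 23:48:01 DROP TCP 198.51.100.7 192.168.1.20 44321 3389 52 S 1199227 0 8192 - - - RECEIVE
"@

Set-DefaultDenyFirewall
$lines = if (Test-Path $log) { Get-Content $log } else { $sampleLog -split "`r?`n" }
Get-DroppedConnectionSummary -Lines $lines | Format-Table -AutoSize
```

    With the sample lines the summary shows two dropped SENDs to 203.0.113.9:8080 and one dropped RECEIVE on 3389 (the RDP port the original poster already disabled). On a real host, a SEND group with a high count and a destination you cannot tie to Windows Update, TeamViewer or another known program is the one to chase down with Autoruns: the firewall log tells you something is trying to talk, and the autorun entries tell you what launched it.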


  6. Posts : 0
    Windows 7 Ultimate x64
       #6

    Alejandro85 said:
    Why? What's your basis for such claim?

    team viewer account hacked - Google Search

    Next thing you know you'll say I'm wrong. Also, this has NOTHING to do with the network. TV punches through firewalls and SPI.

    Also, from the search results. This is how you can check if your TeamViewer account has been hacked and what to do >> TechWorm


  7. Posts : 2,798
    Windows 7 x64, Vista x64, 8.1 smartphone
       #7

    Yes, I distinctly remember hearing about a Teamviewer hack in 2016. Googling it today, I found that the company first denied this happened, then they reported that it was an infrastructure attack rather than a user account attack. However, if users have personal doubts, then check the Teamviewer log entries, and report any anomalies to their customer support.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd