We develop and deploy data collection at remote, inaccessible sites located around the world, so we need highly reliable methods of remote control. This is accomplished in part by making sure every PC is Intel vPro enabled, which allows us to power down, reboot, and even reinstall the operating system remotely via the vPro internal HTTP web server on port 16992.
Remote PC control checklist:
- Intel vPro motherboard
- Certificates to control vPro (don’t rely on passwords for full PC control!)
- Clonezilla DVD in DVD drive
- Clonezilla HDD image on Blu-ray in drive or USB HDD / flash drive
- Hardware firewall (e.g. pfSense) so that vPro ports are not exposed to the outside world.
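One way to verify the firewall item of the checklist, as an added example that is not part of the original post: run from a machine outside the site, it tests whether the vPro port 16992 and the RDP port 3389 named on this page accept TCP connections on your own public address. The host name is a placeholder, and port 16993 (the TLS counterpart of 16992) is an assumption added here.

```python
import socket
import sys

# Ports named on this page, plus 16993 (vPro web UI over TLS), which is an
# assumption added for this example and not listed in the original post.
WATCHED_PORTS = {
    16992: "Intel vPro web UI (HTTP)",
    16993: "Intel vPro web UI (TLS)",
    3389: "RDP",
}


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: the service is reachable
    except ConnectionRefusedError:
        return "closed"          # host answered, but nothing is listening
    except OSError:
        return "filtered"        # timeout or unreachable: dropped on the way


def exposed_ports(host, ports=WATCHED_PORTS, timeout=3.0):
    """Return the sorted list of watched ports that accept connections."""
    return sorted(p for p in ports if probe(host, p, timeout) == "open")


if __name__ == "__main__":
    # Placeholder host; pass the site's own public address as the argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "site.example.org"
    found = exposed_ports(host)
    for p in found:
        print(f"EXPOSED {host}:{p} ({WATCHED_PORTS[p]})")
    if not found:
        print(f"OK: no watched port on {host} accepts connections")
    # Non-zero exit lets a cron job or monitoring wrapper raise an alert.
    sys.exit(1 if found else 0)
```

A "filtered" or "closed" result for every port is what the checklist asks for; any "open" result means the firewall rule is missing or a port forward leaks the service.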
Commercial remote desktop
One can use SSH port forwarding and RDP, but what about those who want to use LogMeIn or the like?
- Commercial remote desktop services such as LogMeIn are typically more secure on a Windows PC than just leaving port 3389 open to the internet.
- LogMeIn has convenient apps for smartphones and from a web browser
The downsides of LogMeIn-type commercial services have philosophical and practical aspects.
- Commercial services typically use proprietary (non-open-source) technologies for the central server and/or securing the connection. Open-source choices may use the same technology, but are open to review by security researchers worldwide.
- The convenience of commercial services (a centralized server making the connections) is seen by some as a weakness, since the provider could have unknown hackers as employees, could shut down its server, raise prices, etc.
- SSH → RDP: Cygwin OpenSSH server, with RDP port 3389 forwarded over SSH
- phone remote desktop: see aFreeRDP or HTML5-based Guacamole
- access my PCs with a “single click” from a phone or laptop, without having a 3rd party server involved, without plugins (see Guacamole).
- no commercial 3rd party whom I have to trust and pay.