Are the TeamViewer safety approaches good for simple remote support?

Asked by AmitSinha in Salesforce, asked on Sep 23, 2022

I'm deploying a web-based ERP system for a customer, such that both the server and the client machines will be inside the customer's intranet. I was advised in another question not to use TeamViewer to access the server, using more secure means instead, and so I did. But now I'm concerned about whether or not TeamViewer would be appropriate for the client machines, which are not "special" to this system in particular, but nonetheless I don't want to lower their current security, nor do I want to compromise the computer on my end.


My question, then, is whether or not TeamViewer is "good enough" for simple remote desktop support, where it will be used simply to assist the users in the usage of the system, and whether or not I must take additional measures (like changing the default settings, changing the firewall, etc.) to reach a satisfactory level of security.


Some details:

I already read the company's security statement and in my non-expert opinion all's fine. However, this answer in that other question has put me in doubt. After some research, UPnP in particular does not worry me anymore, since the feature that uses it - DirectIn - is disabled by default. But I wonder if there are more things I should be aware of that are not covered in that document.


The Wikipedia article about TeamViewer says the Linux port uses Wine. AFAIK that doesn't affect its network security, is that correct?


Ultimately, the responsibility of securing my customers' networks is not mine, it's theirs. But I need to advise them about the possibilities of setting up this system, in particular because most of them are small-medium NGOs without any IT staff of their own. Often I won't be able to offer an "ideal" setup, but at least I wanna be able to give advice like: "if you're installing TeamViewer in this machine, you won't be able to do X, Y and Z in it, because I'll disable it"; or: "you can install TeamViewer in any regular machine you want, it's safe in its default configuration; only this one *points to server* is off-limits".


My choice of TeamViewer was solely because it was straightforward to install in both Windows and Linux machines, and it just works (its cost is accessible too). But I'm open to other suggestions. I'm low both in budget and specialised staff, so I'm going for the simpler tools, but I wanna make a conscious decision whatever that is.

Answered by Amit raj

Take a look at this TeamViewer safety analysis. In short, it's definitely not secure on untrusted networks: https://www.optiv.com/blog/teamviewer-authentication-protocol-part-1-of-3


Conclusion: It is my recommendation that TeamViewer not be used on an untrusted network, or with the default password settings. TeamViewer does support increasing the password strength to a configurable length, and using alphanumeric passcodes, but it’s unlikely that casual users will have changed this setting. Keep in mind that there is a substantial attack surface in TeamViewer that needs more analysis such as the unauthenticated, plaintext communication between client to server (over 100 commands are supported and parsed on the client side), as well as many peer-to-peer commands, routed through the gateway server. Despite the danger to this much exposed attack surface, the risk is somewhat mitigated by an extensive use of std::string and std::vector instead of C-style strings and arrays.


