PCI Compliant? (Remote access granted to compromised personal computer).
So I learned today that it is possible to assign an unassigned computer to our TeamViewer account. Thus anyone who has a login to our TeamViewer account, regardless of how restricted you set their account, can assign the free version of TeamViewer using their TeamViewer login. This scenario generates IDs with "Unnamed" computers under the Connection Report and there is no way to block these.
The concern here is that if a user that has a TeamViewer login installs the free version of TeamViewer on say their home computer that could be compromised, then signs in on that computer from home to gain access to his/her work computer, then that compromised computer has all the access of that user in our environment.
I was told that there is no way to block such Unnamed computers and that there is no way to prevent a user with a TeamViewer login from assigning computers to their account.
I am consulting with our PCI Auditor, but I am 99% sure that this would violate PCI based on the lack of Access Control. TeamViewer needs to implement some sort of Conditional Access and/or the ability to restrict assigning computers to certain accounts to restrict this behavior.
I have already tested this and I can gain access to all of my computers that are assigned from the Unnamed computer that is NOT assigned nor part of our environment, and if compromised, who knows the end results.