File Transfer without Windows password
When I start a remote connection to a unattended Windows host, it brings me to the login screen for the host. I will then need to enter a Windows username/password to gain remote access.
However, when I start a File Transfer connection to the same host, if a user has been logged in (but machine locked / sat at login screen) I can manipulate the files without logging in to Windows.
I'm coming to TV from **Third Party Product**, which requires a Windows password to the host regardless of what type of connection.
Technically, if my TV account was compromised, nobody could gain remote control of any hosts I was connected to, however they would get full access to files for every host linked to my account.
The hosts are all on different domains so the requirement for a domain username/password adds a considerable layer of security.
I have tried to use 'File Transfer after accepted on host', however you can not click the 'Allow' box from the remote session.
Comments
-
Hi @peter_g,
When you connect to another computer using the Remote Control mode, TeamViewer will simply show you whatever is on the remote computer's screen. So if the remote computer is logged into a Windows account, you'll see the remote user's desktop and whatever programs are open on their screen. If the remote computer is logged into a Windows account but subsequently locked (via Win+L), you'll see their Windows lock screen. And if the remote computer is not logged into an account at all, you'll see their Windows login screen.
If it's locked or not logged in, you will, of course, need to know the credentials of the Windows account of the remote computer in order to unlock or log into the remote computer again. Just as you would if you were physically standing at the remote computer. But if it's already logged in and showing the user's desktop, then you don't need to enter any Windows credentials to connect and see the desktop. The fact that you know the remote computer's TeamViewer permanent password - which is required for unattended access - proves that you have the permission or right to access that computer.
When it comes to using the File Transfer mode, a similar principle applies. If the remote computer is already logged into a Windows account, then you will be able to access its files and folders with the File Transfer window. This will also be the case if the remote computer is logged into a Windows account and subsequently locked, because even though it's locked, it's still logged into the Windows account. And you are connecting to it using its permanent TeamViewer password.
However, if the remote computer is not logged into any Windows account at all, then you will not be able to use the File Transfer mode. If you try, you'll get this error message on your computer:
TeamViewer's permanent "Personal Password" is what gives you the authority to connect unattended to the remote computer. Therefore it's important that only authorised, trusted people have access to the Personal Password. But even when you know the Personal Password, you're still restricted in what you can do if the remote computer is not logged into a Windows account. In that case you will also need to know the credentials of the remote Windows account in order to sign into that account.
It would also be advisable to protect your own TeamViewer account with two-factor authentication, which ensures that your account can't be compromised by someone else. Info on how to set that up can be found here:
https://community.teamviewer.com/t5/Knowledge-Base/Two-factor-authentication-Activation-and-Deactivation/ta-p/66Regards,
Jeremy
TeamViewer Quality Assurance Engineer1 -
Hi Jeremy,
You are right, the only way to force the Windows log in is to have a remote PC in Log Off state. Nevertheless, this is not always practical. The user of the remote PC must always log out after the each session, and in day-to-day operation this will never be consistent. Why not to have the File Transfer as a set option? This way, the person who issetting up the system, will have an option to allow the quick access to the File Transfer, or the user will be forced to use a Remote Control, and then next to choose the File Transfer while "inside" the remote PC.
Regards,
Ziggy
0 -
Hi @zsroga,
What you could do in this case is configure the Access Control setting on the remote computer, to either block or require confirmation of the File Transfer mode.
To do that, on the remote PC, go into the Advanced page in TeamViewer's options, and look for the Access Control settings within the section called "Advanced settings for connections to this computer".
Change it to "Custom settings", then click the Configure button underneath. Then you can set the "Transfer files" value to either "After confirmation" or "Denied".
If you set it to "After confirmation", it means the person using the remote computer will see a confirmation box on their screen when you try to start a file transfer connection to their computer. They'll have 30 seconds to confirm it. Therefore, if nobody is using the remote computer at the time, you won't be able to use the File Transfer mode. But you could still use the Remote Control mode to connect to the remote computer as per usual.
Regards,
Jeremy
TeamViewer Quality Assurance Engineer0 -
"When it comes to using the File Transfer mode, a similar principle applies"
It's not a similar principle.
Desktop - not logged in or locked requires Windows account
File Transfer - not logged in requires account, but locked does not
**Third Party Product** requests Windows credentials to connect to the machine regardless of what you want to do with it.
All somewhat irrelevant if on same domain, but considering unattended access could cover many different customers servers, one TV account hack could compromise every customers network.
0 -
"If you set it to "After confirmation", it means the person using the remote computer will see a confirmation box on their screen when you try to start a file transfer connection to their computer."
We're referring to unattended access of servers. When using **Third Party Product** or **Third Party Product** you can simply close it and next connection requires passwords.
0 -
Hi,
I had in mind the unuttended access during the time when there is nobody in the office. The "After confirmation " option is not practical. What is **Third Party Product** or **Third Party Product**?
Thanks,
Ziggy
0 -
RDP - standard Windows Remote Desktop.
**Third Party Product**- **Third Party Product**- product I currently use.
0 -
Thanks, I thought so.
I still belive that TeamViewer engineeers could incorpoarte it into the program GUI.
Regards,
Ziggy
0