3

I'd like to block incoming TeamViewer connections to my network, but at the same time to allow outgoing TeamViewer connections.

So that users can't connect to their work PCs with TV (circumventing domain authentication) but at the same time could connect to clients' PCs to help fix problems.

Is it at all possible?

Hubert Kario
  • 2
    Why would connecting to their work computers circumvent domain authentication? Remote control software allows you to connect to the computer, but you still need to log on to the computer (or be logged on to the computer already) with appropriate credentials, which in an AD domain would be the domain user account. They could log on to the computer with a local user account but they can do that regardless of remote control software. – joeqwerty Jul 11 '11 at 13:36
  • When TV is running and somebody else is using the computer, you can still get access. Disabling the account in the domain also won't kick the user from a local session. Also, they can't log in to a PC if it's behind a firewall and not running remote access software. They can if TV is running as a service and they have created a local user account, even after disabling the domain login – Hubert Kario Jul 11 '11 at 13:47

3 Answers

4

It's impossible to block in a traditional firewall. You'll need some kind of packet analyzer.

Or you could create a GPO that sets the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TeamViewer\Version6\Security_AcceptIncoming REG_DWORD=0

This disables incoming connections.
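
A spot check for the registry setting in the answer above, as an added example that is not part of the original answer. The key path and value name are copied from that answer; the function name and the state labels are hypothetical.

```powershell
# Added example: audit, and optionally set, the registry value from the answer above.
# Key path and value name are copied from that answer; the function name is hypothetical.
function Test-TeamViewerIncomingBlocked {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\TeamViewer\Version6',
        [string]$ValueName = 'Security_AcceptIncoming',
        [switch]$Enforce   # writing under HKLM needs an elevated session
    )

    $result = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        State    = 'KeyMissing'   # this TeamViewer key does not exist on the machine
        Value    = $null
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $result }

    # Read the value without throwing when it has never been set.
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { $result.Value = $item.$ValueName }

    if ($null -eq $result.Value) {
        $result.State = 'ValueMissing'      # setting never applied
    } elseif ($result.Value -eq 0) {
        $result.State = 'IncomingDisabled'  # the state the answer describes
    } else {
        $result.State = 'NotDisabled'       # anything other than 0
    }

    if ($Enforce -and $result.State -in 'ValueMissing', 'NotDisabled') {
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -LiteralPath $KeyPath -Name $ValueName `
            -PropertyType DWord -Value 0 -Force | Out-Null
        $result.Value = 0
        $result.State = 'Remediated'
    }
    return $result
}

# Report only; add -Enforce to write the value.
Test-TeamViewerIncomingBlocked
```

The returned object can be collected per machine to list hosts where the GPO has not applied the value.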

1

You could try to disable incoming connections on the ports TeamViewer uses. I'm sure TV uses the following ports:

5938/tcp
80/tcp

and maybe also

443/tcp
5939/tcp

Or maybe you can do something with the URL TV uses for connection.

*.teamviewer.*
*dyngate*

Don't know if you need those URLs for outgoing connections, but you can test that.

tommii
0

In most cases, the network paths that applications use are asymmetrical; that is, you can block the appropriate port on incoming traffic to prevent incoming connections, but allow traffic on that port to leave to permit outgoing ones.

If you're working with Windows computers that are on a domain, you can use Active Directory Group Policies to configure the Windows Firewall on those computers to block the appropriate incoming ports.

However, in the specific case of TeamViewer, they provide a client program that a user can run which connects to TeamViewer's servers and routes incoming connections along that path; thus, an incoming firewall wouldn't be sufficient. You would also need to set up a rule (either with Windows Firewall or elsewhere on your network) to block traffic going to teamviewer.com, but then your users wouldn't be able to use the tool themselves.

In short, I don't think it'll be easy to block the TeamViewer application from accepting incoming connections, while still allowing it to start outgoing ones. What I would do in this situation is to install Wireshark on a client computer and profile the network traffic involved in both an incoming connection with the client listening, and in an outgoing connection to work on a different computer. It's possible there'll be some types of traffic that appear on only the incoming connection, which you can then block with the Windows Firewall to prevent those connections from working.

Handyman5
  • From searching the 'net I found that to block it you need to add rules denying access to TV servers at the proxy or IDS level. As far as the OS and firewall are concerned, TV is behaving like a web browser -- the last application I'd want to disable. – Hubert Kario Jul 11 '11 at 21:52
  • Yeah, I'd suspected as such. If you didn't need people to be able to use the application to connect out, then blocking everything at teamviewer.com would probably do the job; but I don't think there's a way to have both. – Handyman5 Jul 11 '11 at 23:00