Does Mesh Central support blanking remote screen
-
@jaredbusch said in Does Mesh Central support blanking remote screen:
What would you ever load on the remote instance that the user should not see?
Why load? Most of the time we log into machines that have that stuff already on the screen. We just cause the screen to unlock and don't know who can see it. VERY often for us, that this case comes up, it is a medical system in a room where a doctor may or may not be, and a patient may or may not be, and the patient may or may not have someone watching them.
Doing end user support tasks, which is common with MeshCentral because it does remote GUI so not really for servers, means a LOT of situations where we are working on a system where a user is showing sensitive data and/or we are operating systems with said data. We often have to operate financial or medical or other sensitive applications because we support them. One major system we support automatically displays patient records upon initiation. Just testing if the application starts shows data (not SUPER sensitive, but not stuff that should be public to a customer.)
-
@krzykat said in Does Mesh Central support blanking remote screen:
@scottalanmiller So MC doesn't have an option for this as far as you know?
I could not find one. I'm asking our support team.
-
@jaredbusch said in Does Mesh Central support blanking remote screen:
Not a concern. If they want to try and nickel and dime, I fire them. I don't want those kinds of customers. If it is Bob in sales, I don't care at all. If I am in the principal contact system, I am likely on the phone the entire time anyway. Also they trust us. I don't care about user bitching.
That's valid, but I find almost everyone gets way too "micromanagery" if you let them. Why tempt fate?
That said, we use MC and don't have this feature. Just saying we'd like the option too.
-
@scottalanmiller said in Does Mesh Central support blanking remote screen:
@jaredbusch said in Does Mesh Central support blanking remote screen:
Why do you want this? I know it exists in other solutions. But the point of these tools is typically remote support. Who cares if the user can see the screen? I am truly interested in the answer.
For us, it comes up for a few reasons.
- Potentially showing private data on the screen and not knowing who can see it (or who can grab the mouse and use the logged in session.)
- Customers who won't stop interacting while you work (but we CAN disable their input, so that's covered.)
- Customers watching without understanding and complaining that they would do it better, differently, faster, blah blah blah, and interrupting instead of letting us work.
If I ask for remote help, and my input gets disabled and screen goes blank, I will unplug that shit immediately and never ask for help again. Wtf kind of private info are you displaying that the person reaching out for help shouldn't see?
-
@scottalanmiller said in Does Mesh Central support blanking remote screen:
Why load? Most of the time we log into machines that have that stuff already on the screen. We just cause the screen to unlock and don't know who can see it. VERY often for us, that this case comes up, it is a medical system in a room where a doctor may or may not be, and a patient may or may not be, and the patient may or may not have someone watching them.
Logging in to a remote system with potential PHI active on it without a user present? Never. Your entire scenario is a PHI data breach.
-
@jaredbusch said in Does Mesh Central support blanking remote screen:
@scottalanmiller said in Does Mesh Central support blanking remote screen:
Why load? Most of the time we log into machines that have that stuff already on the screen. We just cause the screen to unlock and don't know who can see it. VERY often for us, that this case comes up, it is a medical system in a room where a doctor may or may not be, and a patient may or may not be, and the patient may or may not have someone watching them.
Logging in to a remote system with potential PHI active on it without a user present? Never. Your entire scenario is a PHI data breach.
Hence the need to blank the screen so that it is the same as any VDI style medical system.
-
@scottalanmiller said in Does Mesh Central support blanking remote screen:
@jaredbusch said in Does Mesh Central support blanking remote screen:
@scottalanmiller said in Does Mesh Central support blanking remote screen:
Why load? Most of the time we log into machines that have that stuff already on the screen. We just cause the screen to unlock and don't know who can see it. VERY often for us, that this case comes up, it is a medical system in a room where a doctor may or may not be, and a patient may or may not be, and the patient may or may not have someone watching them.
Logging in to a remote system with potential PHI active on it without a user present? Never. Your entire scenario is a PHI data breach.
Hence the need to blank the screen so that it is the same as any VDI style medical system.
No, he's saying IT should not have unmonitored access to PHI data. You are logged in as that user so it's not really auditable.
-
@scottalanmiller said in Does Mesh Central support blanking remote screen:
@jaredbusch said in Does Mesh Central support blanking remote screen:
@scottalanmiller said in Does Mesh Central support blanking remote screen:
Why load? Most of the time we log into machines that have that stuff already on the screen. We just cause the screen to unlock and don't know who can see it. VERY often for us, that this case comes up, it is a medical system in a room where a doctor may or may not be, and a patient may or may not be, and the patient may or may not have someone watching them.
Logging in to a remote system with potential PHI active on it without a user present? Never. Your entire scenario is a PHI data breach.
Hence the need to blank the screen so that it is the same as any VDI style medical system.
No, your people are the breach. You should not need to see random PHI to support anything. If there is a "can't print chart" issue, etc., there should be a generic, fake patient that can be used.
-
Just checked my test system, see no option of screen blanking. You can lock the user session though.
-
@scottalanmiller unfortunately, it seems the answer is No.
-
@jaredbusch said in Does Mesh Central support blanking remote screen:
@scottalanmiller said in Does Mesh Central support blanking remote screen:
@jaredbusch said in Does Mesh Central support blanking remote screen:
@scottalanmiller said in Does Mesh Central support blanking remote screen:
Why load? Most of the time we log into machines that have that stuff already on the screen. We just cause the screen to unlock and don't know who can see it. VERY often for us, that this case comes up, it is a medical system in a room where a doctor may or may not be, and a patient may or may not be, and the patient may or may not have someone watching them.
Logging in to a remote system with potential PHI active on it without a user present? Never. Your entire scenario is a PHI data breach.
Hence the need to blank the screen so that it is the same as any VDI style medical system.
No, your people are the breach. You should not need to see random PHI to support anything. If there is a "can't print chart" issue, etc., there should be a generic, fake patient that can be used.
I mean they are also managing people's passwords and typing them in for the customers so you're already down a bad rabbit hole.
-
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
-
@dustinb3403 said in Does Mesh Central support blanking remote screen:
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
Then their option is to hire their own onsite personnel that handle the same tasks, won't be as qualified and cost them more money. If you don't trust your IT team ... well time to move on. I don't want any clients that don't trust us.
-
@dustinb3403 said in Does Mesh Central support blanking remote screen:
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
It's all about the data. PHI and confidential secrets should not be seen by support. Yes there may be a patient up on a screen when troubleshooting an issue, but you should not have the ability to scroll through records unaudited. When you blank out the screen you could query patient data under the user's login.
I worked at the hospital system that treated all patients of the Orlando mass shooting. Our hospital system was very proud that we saved every person that made it to the ER alive. Anyway, in the aftermath 6-8 employees were fired for accessing PHI that wasn't a need to know. In most cases it was a friend or someone close to the family.
-
@krzykat said in Does Mesh Central support blanking remote screen:
@dustinb3403 said in Does Mesh Central support blanking remote screen:
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
Then their option is to hire their own onsite personnel that handle the same tasks, won't be as qualified and cost them more money. If you don't trust your IT team ... well time to move on. I don't want any clients that don't trust us.
Insider threat is the number one threat.
-
@krzykat said in Does Mesh Central support blanking remote screen:
@dustinb3403 said in Does Mesh Central support blanking remote screen:
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
Then their option is to hire their own onsite personnel that handle the same tasks, won't be as qualified and cost them more money. If you don't trust your IT team ... well time to move on. I don't want any clients that don't trust us.
Yes exactly, either trust your support team or not. From time to time we may access the same vCenter guest console. Same difference with our support tool except we aren't authenticating to vCenter.
-
@irj said in Does Mesh Central support blanking remote screen:
@krzykat said in Does Mesh Central support blanking remote screen:
@dustinb3403 said in Does Mesh Central support blanking remote screen:
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
Then their option is to hire their own onsite personnel that handle the same tasks, won't be as qualified and cost them more money. If you don't trust your IT team ... well time to move on. I don't want any clients that don't trust us.
Insider threat is the number one threat.
True, but that isn't such a concern here more than just a basic lack of understanding of remote support tools and how console access works (to a physical or virtual system).
-
@irj said in Does Mesh Central support blanking remote screen:
@dustinb3403 said in Does Mesh Central support blanking remote screen:
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
It's all about the data. PHI and confidential secrets should not be seen by support. Yes there may be a patient up on a screen when troubleshooting an issue, but you should not have the ability to scroll through records unaudited. When you blank out the screen you could query patient data under the user's login.
I worked at the hospital system that treated all patients of the Orlando mass shooting. Our hospital system was very proud that we saved every person that made it to the ER alive. Anyway, in the aftermath 6-8 employees were fired for accessing PHI that wasn't a need to know. In most cases it was a friend or someone close to the family.
Fired "for accessing" is totally different than "weren't authorized to access." Any doctor would be in the same boat.
-
@irj said in Does Mesh Central support blanking remote screen:
@krzykat said in Does Mesh Central support blanking remote screen:
@dustinb3403 said in Does Mesh Central support blanking remote screen:
With another product I had a customer complain because we had to jump into a server because of performance issues, and they could graph that we too access the active console of the server (all virtual). And thought it was a security risk because we could potentially see confidential data.
Of course we are the domain administrator as well so...
Then their option is to hire their own onsite personnel that handle the same tasks, won't be as qualified and cost them more money. If you don't trust your IT team ... well time to move on. I don't want any clients that don't trust us.
Insider threat is the number one threat.
Yup, although even MSP support is still "insider" when used in that context. But it is true, employees of the primary company are a bigger threat than insiders of a secondary.