Forum / Wayk Now - Feature Request

Allow only IT staff to connect to clients


Hi,

We are looking at Wayk Now, but have some concerns that if the client is on the machine, anyone can phish and get a staff member to allow access to their machine. Is there some way that I can limit who can connect to the machines? Ideas I have are:

* Limit connections to come from an internal network (e.g. 10.191.0.0/16)
* Do not use the Wayk Den server (not sure how this would work)
* Use a local Wayk Den server that does not communicate with the rest of the world.

Not sure if this is possible now or if this is a feature request.

Thanks,

ski

6 mths


Hello ski

We don't expose a way inside the application to filter incoming connections. There are a few ways this could be tackled (and you already touched on some good points in your post), but to answer this definitively we would need to know a bit more about your deployment.

Of course, you can choose to disable Wayk Den connectivity. Machines will still be able to connect to each other by IP address or hostname (connections are TCP over port 4489, although that is configurable).

Naturally it's difficult to address a machine in this way over the internet or complex network topology, which is an issue that Wayk Den largely solves. But since you mention limiting traffic to an internal subnet, maybe this doesn't apply to you?

If you're just working inside a private network, there shouldn't be anything stopping you from disabling Wayk Den and using local addresses.

Otherwise, a local Wayk Den server is another possibility. It's not available today, but is coming soon - the client needs certain prerequisites to support that, which we're integrating currently for the next release. So you can expect an announcement on this soon.

Please let me know if something isn't clear or you have further questions.

Richard Markievicz

6 mths

Hello again

A further security measure can be to disable "Secure Remote Password" and "Prompt for Permission". This will enforce logging in with Windows credentials.

Thanks again,

Richard Markievicz

6 mths

Thanks for your quick reply. The local addresses or the local Wayk Den server should work for us as this is just for internal use. I am also thinking of setting a firewall policy on the clients that only allows certain clients or subnets to connect to port 4489. That would stop people from using Wayk to break into our systems.

6 mths
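
The client firewall policy described in the post above, sketched for Windows Defender Firewall as an added example that is not part of the original thread or of Wayk Now itself. It assumes the default TCP port 4489 and the 10.191.0.0/16 subnet mentioned in the thread; the rule name is hypothetical, and the script must run in an elevated PowerShell session.

```powershell
# Added example: scope inbound Wayk Now connections (TCP 4489) to the IT subnet.
# Assumptions: port and subnet are taken from the thread; the rule name is hypothetical.
$Port           = 4489
$AllowedSubnets = @('10.191.0.0/16')
$RuleName       = 'Wayk Now - IT subnet only'   # hypothetical display name

# 1. A scoped allow rule only restricts access if unmatched inbound traffic
#    is blocked, so flag profiles where the firewall is off or defaults to Allow.
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' } |
    ForEach-Object {
        Write-Warning "Profile '$($_.Name)': firewall disabled or default inbound action is Allow"
    }

# 2. Report existing inbound allow rules that name this port and accept any
#    remote address; they would override the subnet restriction.
#    Program-based rules without an explicit port are not covered by this check
#    and have to be reviewed separately.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports   = ($_ | Get-NetFirewallPortFilter).LocalPort
        $remotes = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        ($ports -contains "$Port") -and ($remotes -contains 'Any')
    } |
    ForEach-Object {
        Write-Warning "Rule '$($_.DisplayName)' allows port $Port from any address"
    }

# 3. Create the scoped rule once (the check keeps the script idempotent).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port `
        -RemoteAddress $AllowedSubnets `
        -Profile Domain, Private | Out-Null
}

# 4. Show the remote address scope that is now in effect for the rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -Property RemoteAddress
```

Rules delivered by Group Policy cannot be tightened locally, so any warning from step 2 about a policy-sourced rule has to be resolved in the GPO that defines it.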

Hi,

With the current Wayk Den, users are not required to log in to obtain an ID and join the Wayk Den network, but they do have to authenticate properly when connecting to other Wayk Now instances. My understanding is that since anybody can join the Wayk Den network, the concern is that there is no way to restrict who can attempt connecting, even if they don't know the correct password.

We are approaching an initial release of the Wayk Den on-premises, which you will be able to deploy separately from the public one (den.wayk.net). One thing we added is Windows Active Directory integration for the Wayk Den login. In other words, it would be possible to authenticate to Wayk Den using a Windows account, just to join a specific Wayk Den network. Because users can be logged in, we will be able to produce audit trails with better information (who connected to what machine, at what time, etc.).

In your case, since you wish to restrict access only to the IT staff, maybe an option to enforce authenticated access to your private Wayk Den would be enough. This first login does not grant access to specific machines, it just becomes a requirement to join a specific Wayk Den peer-to-peer network. Would that be sufficient?

Marc-André Moreau

6 mths