In migrating to a newer Windows desktop OS, we are considering a shift in strategy for remote access computers. It would be our intent to migrate to a remote control solution like Windows XP Remote Desktop, PCAnywhere, etc. In this scenario, the internal client would have a desktop with all their apps and data, and their remote access unit would have nothing except a Web browser and a remote desktop solution like Win Remote Desktop or PCAnywhere. What are the risks and advantages? What about the risks of the underlying protocols like RDP? Looking for technical insights and Best Practices here also.
The risks here are three-fold. First, an attacker or worm could undermine the user's remote PC and use it as a jumping-off point to get into your network. Suppose your user gets infected with a virus or worm. That worm could sit on their PC until they start using the remote data service, and then spread to your internal network. We did see some of this occurring with SQL Slammer. Second, an attacker could undermine the protocol used for access. If the vendor who wrote the remote-access tool (Microsoft, PCAnywhere, etc.) made a mistake, an attacker could get direct access to your network. This may seem unlikely, but it is possible. The third risk is even likelier: An attacker could undermine the password your users set and authenticate as a user to get access. If users are allowed to select their own static user ID and password, you are hosed, as they will select easy-to-guess passwords.
So, how do you avoid each of these concerns, and what are the best practices? First off, make sure you install a personal firewall (like Zone Alarm or BlackIce) on each remote desktop to protect them. That'll deal with the first concern. Secondly, use a VPN for access. Tunnel all traffic over the encrypted and strongly authenticated VPN to make sure everything is safe. A bonus for this is that other applications besides remote desktop access will be available. Thirdly, use a strong form of authentication, such as a token or smart card. Don't just rely on static user IDs and passwords. With these three defenses, you minimize the risks of remote access.
Hope this helps!
This was first published in February 2003