It seems the recent pcAnywhere vulnerability was a direct result of the Symantec source code theft, but generally speaking, how secure are these sorts of remote access software products? Are there any usage guidelines we should provide to our users?
Secure remote desktop access can be a life saver -- when you’re on the road getting ready to do that all-important presentation in front of your largest client and you realize you left the final copy on your workstation 100 miles away; or if you’re an administrator watching TV at home after a hard day and get called to check the status of a server you can only access from a thick client application on your computer at work.
Ask the Expert!
Randall Gamby, SearchSecurity.com's resident expert on identity management and access control, is standing by to answer your toughest enterprise IAM questions. Send in your questions today! (All questions are anonymous.)
But secure remote access services can also be a useful tool for malicious hackers. If attackers gain access to a user's personal computer, they can bypass the firewalls and other boundary security protections that have been put in place to keep out unauthorized users, and get to the heart of a company’s internal workstations. Opening up access to remote employees using business workstations should be done with extreme caution.
In order to minimize unauthorized access, companies should take the time to implement a series of controls to ensure the right people are allowed to remotely access their workstations. While a series of secure remote access best practices are listed below, organizations need to first evaluate their current security technology capabilities, as well as weigh the risk of whether they want to allow remote desktop services. With that disclaimer in place, there are a number of usage guidelines that are generally applicable to most remote desktop access deployments:
- Minimize who uses remote desktop access - With so many of today's business applications allowing Web-based access, the need to remotely access another computer to do work is rarely required. But if access is still essential, ensure there are good reasons why someone needs to get to his or her desktop before even considering allowing access. Some valid considerations for remote desktop access might be: access to thick client applications for administrative or incident actions; retrieving files while working remotely for an extended period of time; or running batch or CRON jobs that must be started locally.
- Limit external access - Use SSL VPN technology to establish a connection to the enterprise network to ensure the remote access is authorized and encrypted. Also, know up front where users authorized for remote desktop access are coming from, and limit Internet access to fixed IP address ranges; do not open access to all Internet hosts.
- Know the remote system - Many SSL VPN servers can interrogate the remote system. This ensures the remote client has the right operating system; confirms the system is running a particular vendor’s antivirus software (and even validates that the latest virus signatures are loaded and, if an antivirus scan hasn’t been run in a while, can initiate one using the remote system’s software); and ensures workstation firewalls are operational. If this capability is available, the interrogation should be run before the user is presented with the SSL VPN login screen.
- Only allow remote desktop access - As part of the remote connection process, split tunneling should be turned off. If workers use the Internet while connected to their remote desktops, hackers could potentially capture the data that flows between the workstation and the remote user’s machine. So while remote users might be inconvenienced by turning off split tunneling, it will ultimately prevent hackers from performing this sort of man-in-the-middle attack initiated from the websites users may visit.
- Know the user - This is an appropriate use case for two-factor authentication. Requiring a hardware or software token as part of the authentication process will keep out malicious hackers who may have remotely taken over a worker’s home computer. Also, there is a psychological benefit with supplying a token credential at login time. The remote user will subconsciously be more security-aware knowing they are required to use a stronger credential than they normally use when in the office.
The final and most important guideline is to consider all the potential benefits of providing remote access, and the consequences of a compromised workstation. If a worker wants to have full remote access to a company computer that has access to highly sensitive information, or has administrative applications that could allow an external person to compromise the enterprise’s operations or information, it may be best to just say “no” and require them to come into the office during off-hours if needed.
This was first published in June 2012