Remote user security checklist


Kevin Beaver
11.22.2005

At some point in time, odds are you've had remote users connecting to your network. Telecommuting has several proven productivity and environmental benefits, but it doesn't come without its drawbacks -- mostly in the form of information security risks. What happens if your remote users' computers have viruses or they transmit sensitive e-mails and instant messages over an unsecured wireless link? How about when systems that aren't properly protected can connect directly to your network -- thus offering a direct inbound link to anyone wanting to get inside and poke around maliciously?

Arguably, lots of bad things can happen. Unauthorized information access can take place, information leakage can occur, and there's always a possibility that malware can seep in through your otherwise hardened network border.

Before you create any new policies or lock down your remote systems, it's very beneficial to determine which remote access vulnerabilities currently exist in your environment. Doing that not only finds missing patches, but it also digs in deeper to find misconfigurations, unnecessary shares, null session connections and other exploitable vulnerabilities you would not otherwise be able to dig up easily. I suggest you use a vulnerability assessment tool such as Tenable Network Security's NeWT, GFI Software Ltd.'s LANguard Network Security Scanner or Qualys Inc.'s QualysGuard.

Use one (or more) of these tools on your internally supported images for laptops and desktops and, if it makes sense, test remote systems owned by your users as well. If the latter is not an option for political or resource limitation reasons, you could easily document instructions for your remote users to do it themselves. Consider having them install and run the Microsoft Baseline Security Analyzer (MBSA) on their systems and sharing the reports with you. You could even automate this via login scripts and/or Group Policy in Windows. Remember, there are reasons your organization's assets must be protected.

Once you've determined where your weaknesses exist and have addressed the issues, use the following checklist of common and not-so-common security safeguards to be sure you've got your remote systems locked down:

  1. Ensure that personal firewall software is installed (Windows Firewall in XP SP2+, BlackICE and so on) and at least provides inbound protection -- outbound application protection is nice, especially if you can configure it so your users aren't hindered by the constant outbound connection requests.
  2. Require malware protection (antivirus and antispyware) on every system and ensure that updates are being applied in real-time if possible to prevent unnecessary infections.
  3. Enable strong file and share permissions on remote hard drives and other storage devices -- especially on Windows 2000 and NT systems that allow everyone full access by default.
  4. Have a written policy and documented procedures in place for managing patches. For example, enable real-time Automatic Updates or roll out patches using an existing patch management system.
  5. Disable null session connections to prevent the unauthorized gleaning of user names, security policy information and more from remote systems.
  6. Implement a VPN (the free Windows-based PPTP is a decent option) or make sure you're running a secure alternative connection such as Windows Remote Desktop or Citrix.
  7. Remember to include remote users, computers and applications in your security incident response plan and disaster recovery plans. Those are common oversights that can rattle your nerves if they catch you off guard.
  8. Your users will likely download and install IM, P2P and other applications that you can't support or otherwise make you nervous, so be prepared to prevent it in the first place via accounts with minimal privileges (think Windows Vista new feature) and periodic scans of systems looking for such software. Or, standardize on a small number of applications you can manage comfortably. They're going to do it anyway, so the latter option might be the easiest.
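
As an added example (not part of the original tip), this read-only PowerShell audit reports the registry values that govern null session access from checklist item 5. It assumes a Windows version with PowerShell 3 or later; the expected values follow common Windows hardening guidance and are an assumption, since the tip does not list them.

```powershell
# Added example: audit the null session settings named in checklist item 5.
# Read-only; makes no changes to the system being checked.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$server = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Hardened values (assumed baseline) that block anonymous enumeration.
$checks = @(
    @{ Path = $lsa;    Name = 'RestrictAnonymous';         Expected = 1 }
    @{ Path = $lsa;    Name = 'RestrictAnonymousSAM';      Expected = 1 }
    @{ Path = $lsa;    Name = 'EveryoneIncludesAnonymous'; Expected = 0 }
    @{ Path = $server; Name = 'RestrictNullSessAccess';    Expected = 1 }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# A missing value is reported as a failure so that it gets reviewed; the
# effective default when a value is absent differs between Windows versions.
$results = @(foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Pass     = ($actual -eq $c.Expected)
    }
})

# Pipes and shares listed here stay reachable over a null session even when
# RestrictNullSessAccess is 1, so every entry needs a justification.
foreach ($name in 'NullSessionPipes', 'NullSessionShares') {
    $list = @(Get-RegValue -Path $server -Name $name) | Where-Object { $_ }
    $results += [pscustomobject]@{
        Setting  = $name
        Expected = '(empty)'
        Actual   = if ($list) { $list -join ', ' } else { '(empty)' }
        Pass     = -not $list
    }
}

$results | Format-Table -AutoSize
```

Any row with `Pass` set to `False` marks a setting to review before the system is allowed to connect remotely.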

For systems configured to use 802.11-based wireless (or ones that may be used as such in the future), don't forget the following safeguards:

  1. Enable WEP at a minimum since it's a lot better than nothing, but ideally have users enable WPA2-PSK with strong (20+ random characters) pass-phrases.
  2. Require your users to use directional antennae instead of the omni-directional ones that come stock on practically all APs.
  3. Enable MAC address controls, which help keep non-techies from snooping or accessing your network (techies know how to spoof their MAC addresses to get around this).
  4. If possible, require a specific vendor/model of AP and wireless NIC to ensure they're hardened consistently according to your standards and so you can stay abreast of any major security alerts and necessary firmware or software updates.
  5. Remember that users may connect to your network via public hotspots, so make sure you and they understand the security implications and have the proper safeguards in place.
  6. If a VPN or other hotspot protection is not available, enable secure messaging via POP3s, SMTPs, Webmail via HTTPS and other built-in controls.
  7. Disable Bluetooth if it's not needed. Otherwise, it's too risky by default so lock it down.

These relatively simple and mostly free remote access safeguards, combined with a reasonable information security awareness program, will go a long way toward securing your offsite computers and protecting those things you cannot afford to lose.

About the author:
Kevin Beaver is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Beaver has written five books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach).

This tip originally appeared on SearchWindowsSecurity.com.
