MIME-Version: 1.0
Content-Location: file:///C:/99749F50/HowToEnsureRemote-ControlSecurityWithXP.htm
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="us-ascii"

<html xmlns:v=3D"urn:schemas-microsoft-com:vml"
xmlns:o=3D"urn:schemas-microsoft-com:office:office"
xmlns:w=3D"urn:schemas-microsoft-com:office:word"
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags"
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
<meta name=3DProgId content=3DWord.Document>
<meta name=3DGenerator content=3D"Microsoft Word 10">
<meta name=3DOriginator content=3D"Microsoft Word 10">
<link rel=3DFile-List
href=3D"HowToEnsureRemote-ControlSecurityWithXP_files/filelist.xml">
<title>How To Ensure Remote-Control Security With XP </title>
<o:SmartTagType namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"date"/>
<!--[if gte mso 9]><xml>
 <o:DocumentProperties>
  <o:Author>Stephen Fournier</o:Author>
  <o:LastAuthor>Stephen Fournier</o:LastAuthor>
  <o:Revision>1</o:Revision>
  <o:TotalTime>2</o:TotalTime>
  <o:Created>2005-06-06T15:57:00Z</o:Created>
  <o:LastSaved>2005-06-06T15:59:00Z</o:LastSaved>
  <o:Pages>1</o:Pages>
  <o:Words>1709</o:Words>
  <o:Characters>9744</o:Characters>
  <o:Company>DeRae Designs</o:Company>
  <o:Lines>81</o:Lines>
  <o:Paragraphs>22</o:Paragraphs>
  <o:CharactersWithSpaces>11431</o:CharactersWithSpaces>
  <o:Version>10.2625</o:Version>
 </o:DocumentProperties>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:GrammarState>Clean</w:GrammarState>
  <w:DrawingGridHorizontalSpacing>9.35 pt</w:DrawingGridHorizontalSpacing>
  <w:DisplayVerticalDrawingGridEvery>2</w:DisplayVerticalDrawingGridEvery>
  <w:Compatibility>
   <w:BreakWrappedTables/>
   <w:SnapToGridInCell/>
   <w:WrapTextWithPunct/>
   <w:UseAsianBreakRules/>
  </w:Compatibility>
  <w:BrowserLevel>MicrosoftInternetExplorer4</w:BrowserLevel>
 </w:WordDocument>
</xml><![endif]--><!--[if !mso]><object
 classid=3D"clsid:38481807-CA0E-42D2-BF39-B33AF135CC4D" id=3Dieooui></objec=
t>
<style>
st1\:*{behavior:url(#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{mso-style-parent:"";
	margin:0in;
	margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;
	text-underline:single;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;
	text-underline:single;}
p
	{mso-margin-top-alt:auto;
	margin-right:0in;
	mso-margin-bottom-alt:auto;
	margin-left:0in;
	mso-pagination:widow-orphan;
	font-size:12.0pt;
	font-family:"Times New Roman";
	mso-fareast-font-family:"Times New Roman";}
span.GramE
	{mso-style-name:"";
	mso-gram-e:yes;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.0in 1.0in 1.0in;
	mso-header-margin:.5in;
	mso-footer-margin:.5in;
	mso-paper-source:0;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 10]>
<style>
 /* Style Definitions */
 table.MsoNormalTable
	{mso-style-name:"Table Normal";
	mso-tstyle-rowband-size:0;
	mso-tstyle-colband-size:0;
	mso-style-noshow:yes;
	mso-style-parent:"";
	mso-padding-alt:0in 5.4pt 0in 5.4pt;
	mso-para-margin:0in;
	mso-para-margin-bottom:.0001pt;
	mso-pagination:widow-orphan;
	font-size:10.0pt;
	font-family:"Times New Roman";}
</style>
<![endif]--><!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"2050"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1"/>
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple style=3D'tab-interval:.5in'>

<div class=3DSection1>

<p><span style=3D'font-size:18.0pt'>How <span class=3DGramE>To</span> Ensure
Remote-Control Security With XP</span> <o:p></o:p></p>

<p><span style=3D'font-size:13.5pt'>XP's built-in Remote Desktop, Remote De=
sktop
Web Connection, and Remote Assistance are great tools, Fred Langa says, but
only if you carefully manage their security implications.</span><o:p></o:p>=
</p>

<p style=3D'margin-bottom:12.0pt'><span style=3D'font-size:10.0pt;font-fami=
ly:Arial'>By
Fred Langa,<span class=3DGramE>&nbsp; </span><a
href=3D"http://www.informationweek.com/;jsessionid=3DQFC2UYKV4GTUEQSNDBCCKH=
SCJUMEKJVN"
target=3D"_blank">InformationWeek
</a><br>
</span><st1:date Year=3D"2005" Day=3D"6" Month=3D"6"><span style=3D'font-si=
ze:10.0pt;
 font-family:Arial'>June
 6, 2005</span></st1:date><span style=3D'font-size:10.0pt;font-family:Arial=
'> <br>
URL: <a
href=3D"http://www.informationweek.com/story/showArticle.jhtml?articleID=3D=
164300008">http://www.informationweek.com/story/showArticle.jhtml?articleID=
=3D164300008
</a></span><o:p></o:p></p>

<p>When we first discussed XP's <a
href=3D"http://informationweek.com/story/IWK20030221S0012">Remote Control</=
a>
tool in this space, we called it one of that operating system's &quot;hidden
gems: A built-in, simple way to control your PC from afar. It lets you do
everything from basic file and data access up to fully taking over the keyb=
oard
and mouse of a distant PC, just as if you were sitting in front of it. What=
's
more, XP Pro extends this remote-control ability to any and all versions of
Windows -- all the way back to Win95, including Windows CE palmtop systems =
and
XP Home -- via a FREE client software tool.&quot; <o:p></o:p></p>

<p>That first article runs through the similarities and differences among t=
he
tool's three major faces (&quot;Remote Desktop,&quot; &quot;Remote Desktop =
Web
Connection,&quot; and &quot;Remote Assistance&quot;). It then shows you the
pros and cons of each, shows you where to get the free client software, and
most important, shows you how to use these remote-control options safely. If
you're not familiar with these Remote Control services, that <a
href=3D"http://informationweek.com/story/IWK20030221S0012">article</a> woul=
d be a
great place to start. <o:p></o:p></p>

<p>A more recent discussion in my <a
href=3D"http://www.langa.com/newsletters/2005/2005-05-26.htm#4" target=3D"_=
blank">newsletter</a>
delves further into some of the security implications of these services, and
also prompted some excellent reader mail, such as this: <o:p></o:p></p>

<p class=3DMsoNormal>Fred, <span class=3DGramE>You</span> mentioned that wh=
en
connecting via Remote Desktop (Remote Control), the remote connector needs a
valid account and a password on your system, and the connection is
automatically encrypted. How secure is the connection? I tried (in vain) to=
 set
up a VPN to a client's office using a LinkSys Router on their end and SSH
Sentinel client software on mine. <span class=3DGramE>Couldn't get it to wo=
rk.</span>
But I can easily use Remote Desktop to connect to the machine I use at their
office, it works fine. As this client is a CPA with thousands of tax client=
s,
I'm particularly worried about the security of the connection. And, to take=
 the
concept one step further, I can also use Remote Desktop to connect to the
server at the office (i.e., I Remote to my workstation, then Remote again f=
rom
that workstation to the Server). That also works fine--but how secure is the
connection? I use very strong passwords for both my account and the server
admin account.<br>
<i>-- Sal Sorice</i> <o:p></o:p></p>

<p>How secure is it? Well, there's no absolute measure for things like this,
but the fuzzy answer is &quot;adequate in itself, but easy to improve
upon.&quot; Remote Control's encryption makes any actual data transfer
relatively safe, but that's not the real danger. Rather, the more serious r=
isk
lies in some unauthorized person connecting to an idle PC with Remote Contr=
ol
enabled. At the least, they'd (obviously) have some access to data and file=
s on
that PC itself; and if the remote-controlled PC is on a LAN, then it's poss=
ible
for the intruder to reach out to other PCs on the LAN, or even the server. =
<o:p></o:p></p>

<p>Clearly, you have to be careful with this kind of technology: Anytime you
leave a figurative &quot;door&quot; open to the online world, there's obvio=
usly
more risk than otherwise. But a Remote Controlled system can be made reason=
ably
secure if you use all the available security tools and techniques: <o:p></o=
:p></p>

<p><b>Beefing Up Local Security</b><br>
First, let's make it a given that any PC used for Remote Control
(&quot;RC&quot;) will have a good software firewall running (no &quot;hardw=
are
only&quot; solutions, such as relying solely on a router or server-level
protection; <a href=3D"http://www.informationweek.com/840/langa.htm">see th=
is</a>
for more information). Second, the PC used for RC must have a current, acti=
ve,
and reliable antivirus tool running; and also will have active (e.g.,
monitoring) and passive (e.g., Registry lockdown) anti-malware protections =
in
place. <o:p></o:p></p>

<p>There are many such software tools from which to choose, but a good curr=
ent
list might include: <o:p></o:p></p>

<p class=3DMsoNormal><span class=3DGramE><span style=3D'font-family:Symbol;
mso-ascii-font-family:"Times New Roman"'>&middot;</span><span
style=3D'mso-spacerun:yes'>&nbsp; </span>A</span> firewall such as those fr=
om <a
href=3D"http://www.sygate.com" target=3D"_blank">Sygate</a> or <a
href=3D"http://www.zonealarm.com/" target=3D"_blank">ZoneAlarm</a> <o:p></o=
:p></p>

<p class=3DMsoNormal><span class=3DGramE><span style=3D'font-family:Symbol;
mso-ascii-font-family:"Times New Roman"'>&middot;</span><span
style=3D'mso-spacerun:yes'>&nbsp; </span>Antivirus</span> systems from <a
href=3D"http://www.norton.com" target=3D"_blank">Symantec Norton</a>, <a
href=3D"http://www.nod32.com/home/home.htm" target=3D"_blank">Nod32</a>, an=
d <a
href=3D"http://www.grisoft.com/us/us_index.php" target=3D"_blank">AVG</a> <=
o:p></o:p></p>

<p class=3DMsoNormal><span style=3D'font-family:Symbol;mso-ascii-font-famil=
y:"Times New Roman"'>&middot;</span><span
style=3D'mso-spacerun:yes'>&nbsp; </span>Anti-malware such as <a
href=3D"http://www.microsoft.com/athome/security/spyware/software/default.m=
spx"
target=3D"_blank">MS AntiSpyware</a>, <a
href=3D"http://www.javacoolsoftware.com/spywareblaster.html" target=3D"_bla=
nk">SpywareBlaster</a>,
<a href=3D"http://www.mlin.net/StartupMonitor.shtml" target=3D"_blank">Star=
tUpMonitor</a>,
<a href=3D"http://www.winpatrol.com/" target=3D"_blank">WinPatrol</a>, <a
href=3D"http://www.lavasoftusa.com/software/adaware/" target=3D"_blank">AdA=
ware</a>,
and <a href=3D"http://www.safer-networking.org/en/index.html" target=3D"_bl=
ank">Spybot
S&amp;D</a>. <o:p></o:p></p>

<p>Next, all unnecessary network-related services should be turned off on t=
he
remote-controlled PC, so that any users wishing to connect remotely are
channeled through only known, controlled access points. For example, in most
situations, you can safely disable &quot;Messenger&quot; services on the LA=
N;
disable network PnP services; disable DCOM; etc. (See <a
href=3D"http://www.grc.com/freepopular.htm" target=3D"_blank">this site</a>=
 for
free tools to control these services.) This closes several important &quot;=
back
doors&quot; through which an intruder might try to enter. <o:p></o:p></p>

<p>By default, Remote Control (RC), when enabled, allows any member of that
PC's Administrators group to connect. Therefore, any PC used for RC must --
must -- have all admin-level accounts secured with very strong passwords; a=
nd
the passwords should be changed regularly so that any password-related secu=
rity
breach will be self-closing when the passwords expire. (You can get more in=
formation
on password aging and expiration by searching the XP help file on
&quot;password age.&quot; A search on the more general phrase &quot;password
policy&quot; will bring up additional security-enhancing options for managi=
ng
passwords on your XP PCs. The Microsoft Knowledgebase also contains additio=
nal
good information on password aging, <a
href=3D"http://support.microsoft.com/default.aspx?scid=3Dkb;en-us;236373"
target=3D"_blank">such as this</a>.) <o:p></o:p></p>

<p>Remote Control also can be set up to allow connection from specified
non-admin users (right click My Computer/Properties/Remote then click
&quot;Select Remote Users...&quot;). And that's actually the better way to =
use
Remote Control: Connect with the lowest-privileged account that will let you
accomplish your purpose. This way, even if someone makes an unauthorized
connection to the non-admin account, they won't be able to do all that much.
But, of course, even these lower-security Remote-Controllable accounts need
strong passwords of their own to prevent people from easily breaking in in =
the
first place. <o:p></o:p></p>

<p>File Sharing needs to be carefully managed. An admin-level user can deci=
de
how much free rein a non-admin user will have in seeing files on a system; =
it's
possible to make each account's files more or less private, so that non-adm=
in
users can't simply traverse the folder structure at will, grabbing files fr=
om
other accounts. For more info, see &quot;<a
href=3D"http://support.microsoft.com/default.aspx?scid=3Dkb;en-us;304040"
target=3D"_blank">How to configure file sharing in Windows XP.</a>&quot; <o=
:p></o:p></p>

<p><b>Controlling LAN Access</b><br>
General LAN access likewise has to be managed, if the RC PC is on a network:
Sensitive files on all the LAN's PCs should be locked down (either by setti=
ng
up file-sharing access via <a
href=3D"http://www.microsoft.com/resources/documentation/Windows/XP/all/res=
kit/en-us/Default.asp?url=3D/resources/documentation/Windows/XP/all/reskit/=
en-us/prcf_omn_iggi.asp"
target=3D"_blank">Groups</a>, or at least using password-level protection).=
 It's
probably OK to leave &quot;Shared Folders&quot; generally accessible; that's
what they're there for: A remote user usually can drop off or pick up files=
 in
a Shared Folder without compromising the general security of a PC. But even=
 the
simple Shared Folder offers several security options, as is described in <a
href=3D"http://support.microsoft.com/default.aspx?scid=3Dkb;en-us;307874"
target=3D"_blank">How to disable simplified sharing and set permissions on a
shared folder in Windows XP.</a> Use the highest security setting you can,
short of making access too hard for normal use. <o:p></o:p></p>

<p>And, of course, all admin accounts on all PCs and servers on any LAN also
should have strong passwords. (Actually, it's simpler to say &quot;all acco=
unts
on all systems must have strong passwords,&quot; but in the real world, tha=
t's
probably not going to happen. So: <i>at least</i> the admin-level accounts =
must
have strong passwords.) <o:p></o:p></p>

<p>The idea in all of the above, of course, is to make it hard for an intru=
der
to discover the PC that can be controlled remotely; and then, if they do
discover it, to make it hard for them to actually gain any access to that P=
C;
and, if they do gain access, to make it hard for them to gain potentially
harmful privilege levels on that PC; and to make it difficult for the intru=
der
to access the LAN; and if they do get on the LAN, make it hard for them to =
gain
access to other machines or files there.... Whew! <o:p></o:p></p>

<p>You get the idea: By having so many barriers in the way of an intruder, =
you
can make illicit access highly unlikely in the first place; and then severe=
ly
constrain potential exposure and damage, even in a worst-case scenario, whe=
re
someone does hack into an RC PC. <o:p></o:p></p>

<p>It also helps enormously NOT to leave Remote Control enabled and availab=
le,
until or unless it's going to be needed. For example, you might turn it on =
as
you're leaving the office, and then turn it off from home when you're done =
for
the night. <o:p></o:p></p>
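
<p>The checks described above can be gathered into one read-only audit
script for cmd.exe. This is an added example, not part of the original
article. It assumes English-language command output, takes the service short
names Messenger, SSDPSRV and upnphost as the targets for the
&quot;Messenger&quot; and network PnP services, and uses illustrative values
in the commented-out changes at the end.</p>

```batch
@echo off
rem Added example, not from the article: read-only audit of a PC's Remote
rem Desktop exposure. Run in cmd.exe as an administrator; English-language
rem Windows output is assumed for the findstr matches.
setlocal

echo === Remote Desktop listener ===
rem fDenyTSConnections: 0x1 = connections refused, 0x0 = Remote Desktop on.
set DENY=unknown
for /f "tokens=3" %%V in ('reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections ^| findstr /i "fDenyTSConnections"') do set DENY=%%V
if "%DENY%"=="0x0" echo [!] Remote Desktop is ENABLED; turn it off when not needed.
if "%DENY%"=="0x1" echo [ok] Remote Desktop is disabled.
if "%DENY%"=="unknown" echo [?] Could not read fDenyTSConnections.

echo.
echo === Accounts allowed to connect ===
rem All members of Administrators may connect by default. Users added with
rem "Select Remote Users..." are listed in the Remote Desktop Users group.
net localgroup Administrators
net localgroup "Remote Desktop Users"

echo.
echo === Password aging ===
set MAXAGE=unknown
for /f "tokens=2 delims=:" %%A in ('net accounts ^| findstr /C:"Maximum password age"') do set MAXAGE=%%A
set MAXAGE=%MAXAGE: =%
if /i "%MAXAGE%"=="Unlimited" echo [!] Passwords never expire; a stolen password stays valid.
if /i not "%MAXAGE%"=="Unlimited" echo [i] Maximum password age in days: %MAXAGE%

echo.
echo === Network services the article suggests turning off ===
rem Short names: Messenger, SSDPSRV = SSDP Discovery, upnphost = UPnP host.
for %%S in (Messenger SSDPSRV upnphost) do (
    echo --- %%S
    sc query %%S | findstr /C:"STATE"
    sc qc %%S | findstr /C:"START_TYPE"
)

echo.
echo === DCOM ===
rem EnableDCOM under HKLM\SOFTWARE\Microsoft\Ole: Y = enabled, N = disabled.
reg query "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM | findstr /i "EnableDCOM"

rem Changes to apply by hand after review (example values, not the article's):
rem   net accounts /maxpwage:60
rem   sc stop Messenger
rem   sc config Messenger start= disabled
rem   reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
endlocal
```

<p>Every account listed under either group can log on remotely, so each one
needs a strong password or should be removed from the group.</p>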

<p>And note that in many of the above steps strong passwords are <span
class=3DGramE>key</span>: An intruder faced with a series of different, uni=
que,
difficult, and un-guessable passwords at every access level to a system or =
LAN
faces a much harder task than otherwise. Absent some driving personal
motivation, most casual hackers will simply give up and look for easier tar=
gets
-- and that's what you want. Although in theory almost any system can be
hacked, if you make yours much, much harder to get into than the guy next
door's, most hackers will go after the easier target. <o:p></o:p></p>

<p>For more information on safe passwords, see &quot;<a
href=3D"http://www.informationweek.com/story/showArticle.jhtml?articleID=3D=
19202221">How
<span class=3DGramE>To Safely Store And</span> Manage Passwords</a>&quot;; =
we'll
also update the information in that article in an upcoming column. <o:p></o=
:p></p>

<p><b>Remote Control Services: Proceed With Caution</b><br>
<span class=3DGramE>Once</span> you start using them, you may wonder how yo=
u got
along without XP's Remote Control services: I use them literally every day
to help manage the PCs in my office. <o:p></o:p></p>

<p>But you do have to be aware of the security implications, and take proper
steps to ensure that only authorized users can access the Remote Controllab=
le
PCs. With the information above, you should be able to do just that! <o:p><=
/o:p></p>

<p class=3DMsoNormal><o:p>&nbsp;</o:p></p>

</div>

</body>

</html>

