Langa Letter: How To Ensure Remote-Control Security With XP
XP's built-in Remote Desktop, Remote Desktop Web Connection, and Remote Assistance are great tools, Fred Langa says, but only if you carefully manage their security implications.
When we first discussed XP's Remote Control tool in this space, we called it one of that operating system's "hidden gems: A built-in, simple way to control your PC from afar. It lets you do everything from basic file and data access up to fully taking over the keyboard and mouse of a distant PC, just as if you were sitting in front of it. What's more, XP Pro extends this remote-control ability to any and all versions of Windows -- all the way back to Win95, including Windows CE palmtop systems and XP Home -- via a FREE client software tool."
That first article runs through the similarities and differences among the tool's three major faces ("Remote Desktop," "Remote Desktop Web Connection," and "Remote Assistance"). It then shows you the pros and cons of each, shows you where to get the free client software, and most important, shows you how to use these remote-control options safely. If you're not familiar with these Remote Control services, that article would be a great place to start.
A more recent discussion in my newsletter delves further into some of the security implications of these services, and also prompted some excellent reader mail, such as this:
Fred, You mentioned that when connecting via Remote Desktop (Remote Control), the remote connector needs a valid account and a password on your system, and the connection is automatically encrypted. How secure is the connection? I tried (in vain) to set up a VPN to a client's office using a LinkSys Router on their end and SSH Sentinel client software on mine. Couldn't get it to work. But I can easily use Remote Desktop to connect to the machine I use at their office, it works fine. As this client is a CPA with thousands of tax clients, I'm particularly worried about the security of the connection. And, to take the concept one step further, I can also use Remote Desktop to connect to the server at the office (i.e., I Remote to my workstation, then Remote again from that workstation to the Server). That also works fine--but how secure is the connection? I use very strong passwords for both my account and the server admin account. -- Sal Sorice
How secure is it? Well, there's no absolute measure for things like this, but the fuzzy answer is "adequate in itself, but easy to improve upon." Remote Control's encryption makes any actual data transfer relatively safe, but that's not the real danger. Rather, the more serious risk lies in some unauthorized person connecting to an idle PC with Remote Control enabled. At the least, they'd (obviously) have some access to data and files on that PC itself; and if the remote-controlled PC is on a LAN, then it's possible for the intruder to reach out to other PCs on the LAN, or even the server.
Clearly, you have to be careful with this kind of technology: Anytime you leave a figurative "door" open to the online world, there's obviously more risk than otherwise. But a Remote Controlled system can be made reasonably secure if you use all the available security tools and techniques:
Beefing Up Local Security
First, let's make it a given that any PC used for Remote Control ("RC") will have a good software firewall running (no "hardware only" solutions, such as relying solely on a router or server-level protection; see this for more information). Second, the PC used for RC must have a current, active, and reliable antivirus tool running; and also will have active (e.g., monitoring) and passive (e.g., Registry lockdown) anti-malware protections in place.
There are many such software tools from which to choose, but a good current list might include:
Next, all unnecessary network-related services should be turned off on the remote-controlled PC, so that any users wishing to connect remotely are channeled through only known, controlled access points. For example, in most situations, you can safely disable "Messenger" services on the LAN; disable network PnP services; disable DCOM; etc. (See this site for free tools to control these services.) This closes several important "back doors" through which an intruder might try to enter.
By default, Remote Control (RC), when enabled, allows any member of that PC's Administrator's group to connect. Therefore, any PC used for RC must -- must -- have all admin-level accounts secured with very strong passwords; and the passwords should be changed regularly so that any password-related security breach will be self-closing when the passwords expire. (You can get more information on password aging and expiration by searching the XP help file on "password age." A search on the more general phrase "password policy" will bring up additional security-enhancing options for managing passwords on your XP PCs. The Microsoft Knowledgebase also contains additional good information on password aging, such as this .
Remote Control also can be set up to allow connection from specified non-admin users (right click My Computer/Properties/Remote then click "Select Remote Users..."). And that's actually the better way to use Remote Control: Connect with the lowest-privileged account that will let you accomplish your purpose. This way, even if someone makes an unauthorized connection to the non-admin account, they won't be able to do all that much. But, of course, even these lower-security Remote-Controllable accounts need strong passwords of their own to prevent people from easily breaking in in the first place.
File Sharing needs to be carefully managed. An admin-level user can decide how much free rein a non-admin user will have in seeing files on a system; it's possible to make each account's files more or less private, so that non-admin users can't simply traverse the folder structure at will, grabbing files from other accounts. For more info, see "How to configure file sharing in Windows XP."
2014 Next-Gen WAN SurveyWhile 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
The UC Infrastructure TrapWorries about subpar networks tanking unified communications programs could be valid: Thirty-one percent of respondents have rolled capabilities out to less than 10% of users vs. 21% delivering UC to 76% or more. Is low uptake a result of strained infrastructures delivering poor performance?
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?