Infrastructure
Commentary
6/2/2005
10:50 PM
Fred Langa
Fred Langa
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Langa Letter: How To Ensure Remote-Control Security With XP

XP's built-in Remote Desktop, Remote Desktop Web Connection, and Remote Assistance are great tools, Fred Langa says, but only if you carefully manage their security implications.

When we first discussed XP's Remote Control tool in this space, we called it one of that operating system's "hidden gems: A built-in, simple way to control your PC from afar. It lets you do everything from basic file and data access up to fully taking over the keyboard and mouse of a distant PC, just as if you were sitting in front of it. What's more, XP Pro extends this remote-control ability to any and all versions of Windows -- all the way back to Win95, including Windows CE palmtop systems and XP Home -- via a FREE client software tool."

That first article runs through the similarities and differences among the tool's three major faces ("Remote Desktop," "Remote Desktop Web Connection," and "Remote Assistance"). It then shows you the pros and cons of each, shows you where to get the free client software, and most important, shows you how to use these remote-control options safely. If you're not familiar with these Remote Control services, that article would be a great place to start.

A more recent discussion in my newsletter delves further into some of the security implications of these services, and also prompted some excellent reader mail, such as this:

Fred, You mentioned that when connecting via Remote Desktop (Remote Control), the remote connector needs a valid account and a password on your system, and the connection is automatically encrypted. How secure is the connection? I tried (in vain) to set up a VPN to a client's office using a LinkSys Router on their end and SSH Sentinel client software on mine. Couldn't get it to work. But I can easily use Remote Desktop to connect to the machine I use at their office, it works fine. As this client is a CPA with thousands of tax clients, I'm particularly worried about the security of the connection. And, to take the concept one step further, I can also use Remote Desktop to connect to the server at the office (i.e., I Remote to my workstation, then Remote again from that workstation to the Server). That also works fine--but how secure is the connection? I use very strong passwords for both my account and the server admin account.
-- Sal Sorice

How secure is it? Well, there's no absolute measure for things like this, but the fuzzy answer is "adequate in itself, but easy to improve upon." Remote Control's encryption makes any actual data transfer relatively safe, but that's not the real danger. Rather, the more serious risk lies in some unauthorized person connecting to an idle PC with Remote Control enabled. At the least, they'd (obviously) have some access to data and files on that PC itself; and if the remote-controlled PC is on a LAN, then it's possible for the intruder to reach out to other PCs on the LAN, or even the server.

Clearly, you have to be careful with this kind of technology: Anytime you leave a figurative "door" open to the online world, there's obviously more risk than otherwise. But a Remote Controlled system can be made reasonably secure if you use all the available security tools and techniques:

Beefing Up Local Security
First, let's make it a given that any PC used for Remote Control ("RC") will have a good software firewall running (no "hardware only" solutions, such as relying solely on a router or server-level protection; see this for more information). Second, the PC used for RC must have a current, active, and reliable antivirus tool running; and also will have active (e.g., monitoring) and passive (e.g., Registry lockdown) anti-malware protections in place.

There are many such software tools from which to choose, but a good current list might include:

  • A firewall such as those from Sygate or ZoneAlarm
  • Antivirus systems from Symantec Norton , Nod32 , and AVG
  • Anti-malware such as MS AntiSpyware, SpywareBlaster, StartUpMonitor, WinPatrol, AdAware, and Spybot S&D.
  • Next, all unnecessary network-related services should be turned off on the remote-controlled PC, so that any users wishing to connect remotely are channeled through only known, controlled access points. For example, in most situations, you can safely disable "Messenger" services on the LAN; disable network PnP services; disable DCOM; etc. (See this site for free tools to control these services.) This closes several important "back doors" through which an intruder might try to enter.

    By default, Remote Control (RC), when enabled, allows any member of that PC's Administrator's group to connect. Therefore, any PC used for RC must -- must -- have all admin-level accounts secured with very strong passwords; and the passwords should be changed regularly so that any password-related security breach will be self-closing when the passwords expire. (You can get more information on password aging and expiration by searching the XP help file on "password age." A search on the more general phrase "password policy" will bring up additional security-enhancing options for managing passwords on your XP PCs. The Microsoft Knowledgebase also contains additional good information on password aging, such as this .

    Remote Control also can be set up to allow connection from specified non-admin users (right click My Computer/Properties/Remote then click "Select Remote Users..."). And that's actually the better way to use Remote Control: Connect with the lowest-privileged account that will let you accomplish your purpose. This way, even if someone makes an unauthorized connection to the non-admin account, they won't be able to do all that much. But, of course, even these lower-security Remote-Controllable accounts need strong passwords of their own to prevent people from easily breaking in in the first place.

    File Sharing needs to be carefully managed. An admin-level user can decide how much free rein a non-admin user will have in seeing files on a system; it's possible to make each account's files more or less private, so that non-admin users can't simply traverse the folder structure at will, grabbing files from other accounts. For more info, see "How to configure file sharing in Windows XP."

    Previous
    1 of 2
    Next
    Comment  | 
    Print  | 
    More Insights
    2014 Next-Gen WAN Survey
    2014 Next-Gen WAN Survey
    While 68% say demand for WAN bandwidth will increase, just 15% are in the process of bringing new services or more capacity online now. For 26%, cost is the problem. Enter vendors from Aryaka to Cisco to Pertino, all looking to use cloud to transform how IT delivers wide-area connectivity.
    Register for InformationWeek Newsletters
    White Papers
    Current Issue
    InformationWeek Tech Digest - July 22, 2014
    Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
    Flash Poll
    Video
    Slideshows
    Twitter Feed
    InformationWeek Radio
    Live Streaming Video
    Everything You've Been Told About Mobility Is Wrong
    Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.