Commentary
2/20/2003
05:26 PM
Fred Langa

Langa Letter: XP Professional's "Remote Control" Option

Fred Langa explains how this little-known feature of Windows can be a life-saver if used cautiously.

Security Issues
Opening a system to outside control is a scary thing, a potentially huge security hole. (This isn't unique to Microsoft's implementation; it's true of all remote-control technologies and applications.) Thus, some thought must be given to how you set up and use remote access.

By default, XP restricts remote access only to Administrators of a given PC: Only members of the Administrators group can enable Remote Desktop, for example, and only they can add people to the list of users allowed to connect to that PC. Each user on the list of allowed remote connectors must also have a normal user account on the host system. In other words, accessing an XP box by remote control requires two levels of permissions: Someone wishing to access a PC must have a normal user account on that system, and that account must also specifically be in the subgroup of remote users.

But there's a catch: All Admin-level accounts are automatically included in the remote-access group. This is a potential problem--it's unwise to use an Admin-level account for remote access. It's much safer to use only less-privileged, non-Administrator accounts (such as those in the User or Power User group) because this will limit the potential damage that can be done to the host system if a remote-access account is compromised, hacked, or infected with a Trojan, worm, or virus.

This is actually one of the reasons why XP has Fast User Switching. The idea is that you set your primary account in the Power User or User group, and then employ Fast User Switching to jump to an Admin account only when needed. In fact, if this were done all the time, the risk of systemwide damage from all kinds of trouble, not just remote-access issues, would be reduced.

But in the real world, many people live inside an Admin-level account all the time, leaving the system more vulnerable to major problems than otherwise, especially as these Admin-level accounts are automatically included in the remote-access group.
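The following is an added example, not part of the original article: a small Python check that lists which accounts can connect remotely only because they are Administrators. It assumes the remote-access group is XP's built-in "Remote Desktop Users" group and that the input is the text printed by `net localgroup`; the sample output and account names are constructed.

```python
# Constructed sample output of `net localgroup Administrators`.
ADMINS_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Fred
The command completed successfully.
"""

# Constructed sample output of `net localgroup "Remote Desktop Users"`.
RDP_OUTPUT = """\
Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
fred
TravelUser
The command completed successfully.
"""

def parse_members(net_output):
    """Return lower-cased member names listed after the dashed separator."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True
        elif in_list and line and not line.startswith("The command completed"):
            members.append(line.lower())  # Windows account names ignore case
    return members

def remote_access_review(admins_output, rdp_output):
    """Split accounts by how they obtain remote access."""
    admins = set(parse_members(admins_output))
    listed = set(parse_members(rdp_output))
    return {
        "implicit_admin_access": sorted(admins - listed),  # never added, still allowed
        "listed_admins": sorted(admins & listed),          # full rights over the wire
        "limited_accounts": sorted(listed - admins),       # the safer choice
    }
```

Every name outside `limited_accounts` is an Admin-level account reachable by remote control, so those are the accounts where password strength matters most.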

For all these reasons, proper use of passwords is essential on any system used for remote access.

Passwords And Availability
Passwords may be the weakest link in any remote-access system: Without good passwords, a hacker may be able to guess his or her way into an Admin-level account, or into a lower-level account that can then be used as a base for a "privilege elevation" hack to boost the compromised account to Admin status.

Because of this, all the accounts, but most especially Admin-level accounts, need a very strong password. That's defined as one:

  • At least seven characters long
  • Containing at least one number and one symbol (e.g., punctuation) character
  • Significantly different from prior passwords
  • Not containing your name or user name or any simple variation thereof
  • Not a common word or name (nothing found in a dictionary)

Of course, managing obscure passwords is a hassle, which is why so many people use only weak passwords. A relatively weak password may not be a huge risk for a private PC, but becomes a major liability once that same PC can be taken over from afar. For any kind of remote access, a strong password is an absolute must.

The best passwords are totally random. There are many software tools that can help generate excellent passwords, and a few also can help you securely store your passwords. I particularly like "AI RoboForm" (http://www.roboform.com/) which is a secure form-filler, encrypted filer, and password generator: When I need a password, I can generate a random string like "Dx*SHeOAniy&ju" with one click. The software also can store the password in any of several secure ways for later retrieval, so you won't go nuts trying to remember it.
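As an added example (not from the original article or from RoboForm), the strong-password list above and the random-generation advice can be combined in one Python sketch: a checker for the five rules and a generator that draws from the operating system's random source until a candidate passes. The word list, the 60% similarity threshold, the look-alike character table and all function names are assumptions made for illustration.

```python
import secrets
import string
from difflib import SequenceMatcher

SYMBOLS = string.punctuation
# Constructed stand-in for a real dictionary file (assumption).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "admin"}
# Undo look-alike swaps: 0->o 1->l 3->e 4->a 5->s 7->t 8->b @->a $->s !->i
LEET = str.maketrans("0134578@$!", "oleastbasi")

def normalize(text):
    """Trim digit/symbol padding, fold look-alikes, keep lower-case letters."""
    folded = text.strip(string.digits + SYMBOLS).lower().translate(LEET)
    return "".join(ch for ch in folded if ch.isalpha())

def check_password(candidate, names=(), previous=(), words=COMMON_WORDS):
    """Return the rules from the article's list that the candidate fails."""
    failures = []
    if len(candidate) < 7:
        failures.append("shorter than seven characters")
    if not any(ch.isdigit() for ch in candidate):
        failures.append("no number")
    if not any(ch in SYMBOLS for ch in candidate):
        failures.append("no symbol")
    # "Significantly different" is read as under 60% similar (assumption).
    if any(SequenceMatcher(None, candidate.lower(), old.lower()).ratio() >= 0.6
           for old in previous):
        failures.append("too similar to a prior password")
    core = normalize(candidate)
    if any((key := normalize(name)) and key in core for name in names):
        failures.append("contains name or user name")
    if core in words:
        failures.append("common word or name")
    return failures

def generate_password(length=14, **context):
    """Draw candidates from the OS CSPRNG until one passes every rule."""
    if length < 7:
        raise ValueError("length must be at least seven")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, **context):
            return candidate
```

Because the generator re-checks every draw, a purely random string that happens to lack a number or a symbol is discarded rather than returned.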
