
Remote Desktop Security: Snapping the Security Lock Shut

Image Credit: JRT PHOTO/BigStockPhoto.com

A farmer went to the hardware store in a nearby town and purchased the very best, most expensive padlock to secure his barn.

He took it home, removed the packaging, attached the lock and then left the key in it.  It just seemed too much trouble to have to remember where the key was every time he wanted to enter the barn.

Are we surprised that he discovered his horses and his tractor were missing the next morning? So it is with remote desktop security as well.

Developers continue to enhance powerful existing security measures, and leading remote-access companies recognize the importance of white-box audits that look at every line of code to ensure defense against intrusions.

Even the most secure remote desktop solutions, however, are strengthened dramatically with the adoption of best practices by IT administrators and the people they serve. They’re the folks who fasten the padlock tight.

Here are the five critical steps that IT professionals and users need to take to establish optimal remote desktop security.

Verify end-to-end encryption

Encrypted connections are the baseline to ensure a secure remote desktop connection. This is so obvious that IT professionals may assume that encryption is in place or simply overlook the need to ask questions of their remote-access vendor. Most providers rely on industry-standard protocols to secure the application or service. But beyond this, ask for more detail. Is encryption really end-to-end? Who holds the encryption keys? What data is encrypted? Is data encrypted only when it’s in transit? What about data at rest? Can sessions be replayed offline by a man-in-the-middle capturing the encrypted session data? Ultimately, is the remote desktop secure?

Assume that every connection is made in a hostile environment. Paranoid? Maybe, but it’s a good assumption to ensure encryption is complete.

Configure secure authentication

While many IT administrators instinctively gravitate toward development of a new layer of authentication for a secure remote desktop, simplicity often provides a better approach.

Simplicity translates into reliance on the policies and authentication local to the machine that is being accessed, or into leveraging an organization’s existing single sign-on infrastructure. This saves users the trouble of learning - and then forgetting or leaking - additional passwords. IT teams, meanwhile, don’t need to learn a different process for management of remote-access functions. Additionally, by using mature single sign-on solutions such as Microsoft Azure AD, additional controls can be placed on user sessions: requiring re-authentication after a period of time, requiring additional authentication checks when logging in from new devices/locations, or blocking logins from specific countries or regions completely.

Multi-factor authentication - some combination of something you know (your password), something you have (the cell phone in your hand or a certificate) or something you are (the fingerprint that’s scanned) - can drastically increase remote desktop security. Push notifications on connection, meanwhile, alert a user whenever a connection is attempted. Coupled with an accept/deny prompt, they add a further level of verification and, in the unlikely event of a hack, potentially an immediate alert that something is untoward.

Consider cloud-brokered connections

While remote desktop software is certainly invaluable in many use cases, it’s important to remember that these solutions - like any software - can present significant security issues when exposed to the public internet.

Essentially, these applications require system administrators to open ports in firewalls to allow access. Doing this creates a fingerprint on the Internet. An intruder need only run a basic port scan or turn to a specialized search engine to discover which networks are exposing ports.

Remote desktop security solutions that rely on cloud-brokered connections, by contrast, are not discoverable. Potential intruders are far less likely to take a sledgehammer to the door of a house they can’t see. And the value of firewalls that remain intact is self-evident.
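As an added illustration (not part of the original article), the Python example below reviews a host's own listening sockets and reports remote-access services bound beyond loopback, which is the exposure described above. The port list (SSH 22, RDP 3389, VNC 5900) and the sample `ss -tln` output are assumptions constructed for the example; the article names no product or port.

```python
import ipaddress

# Assumed well-known remote-access ports; the article names no product or port.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC"}

# Constructed sample in the layout of `ss -tln` (Linux); not from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5          127.0.0.1:5900      0.0.0.0:*
LISTEN 0      128             [::]:3389         [::]:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      128       192.0.2.10:8443      0.0.0.0:*
"""

def binding_scope(addr):
    """Classify a listen address as 'loopback', 'all-interfaces' or 'single-address'."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface suffix
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    return "loopback" if ipaddress.ip_address(addr).is_loopback else "single-address"

def exposed_remote_access(ss_output):
    """Return (service, port, scope) for remote-access listeners reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a socket that is not listening
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        service = REMOTE_ACCESS_PORTS.get(int(port))
        scope = binding_scope(addr)
        if service and scope != "loopback":
            findings.append((service, int(port), scope))
    return findings

if __name__ == "__main__":
    for service, port, scope in exposed_remote_access(SAMPLE_SS):
        print(f"{service} on port {port} is bound to {scope}: "
              "confirm no firewall rule publishes it")
```

A listener bound to all interfaces is only reachable from the internet if a firewall or NAT rule forwards to it, so each finding is a prompt to check those rules rather than proof of exposure.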

Enforce strong policies

Yes, discussion of policies is boring and enforcement of policies is highly annoying. Yet, for all the boredom and annoyance they entail, strong and well-enforced policies are among the important building blocks of a secure remote desktop.

Much of this is standard practice at most organizations. Staff training sessions explain the use of remote desktops and clearly define what users are allowed to do. Administrators don’t want to discover, for example, that users have taken it upon themselves to change configuration settings. Clear discussion upfront prevents later problems.

This training is a good time, too, to reinforce policies on passwords and necessary steps to keep them strong.

A particular threat is posed in a bring-your-own-device environment. It’s not uncommon for BYOD users to install remote-access software on their machines at home to work with their sister-in-law on family business and then forget to remove the software when they’re done. When these users connect into their business network, the sister-in-law may have access to business data — and may not respect its privacy.

It's important, too, to consider the recording of remote-access sessions. While recording can be extremely useful for training or audit purposes, it should be configurable, and the recorded session data should be available only locally and not in the vendor’s services: session recordings are prone to leaks, and potentially sensitive data may be vulnerable.

A secure remote desktop connection also requires regular software audits, the same sorts of audits that good IT administrators are conducting already.  No one wants random software installations floating around the network, and no one wants to be in a situation where they don’t know what’s happening in their system.  In the unlikely instance of a breach, administrators need to know who is connected to a machine, where they connected from and what permissions they exercised. Regular audits remove unpleasant surprises.
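The audit questions above (who connected, from where, and with what permissions) can be checked mechanically against session records. The Python example below is added here and is not from the original article; the log layout, user names, approved networks and permission grants are all hypothetical values constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed session log; the field layout is an assumption, not a vendor format.
SAMPLE_LOG = """\
time,user,source_ip,host,permission
2024-03-04T09:12:00Z,alice,10.20.1.15,ws-014,view
2024-03-04T09:40:00Z,bob,198.51.100.7,ws-022,control
2024-03-04T22:03:00Z,alice,10.20.1.15,srv-db1,file-transfer
2024-03-05T01:17:00Z,carol,203.0.113.50,ws-014,control
"""

# Hypothetical policy: approved source networks and per-user permissions.
APPROVED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                     ipaddress.ip_network("198.51.100.0/24")]
GRANTS = {"alice": {"view", "control"}, "bob": {"view", "control"}}

def audit_sessions(log_text):
    """Return (time, user, host, reason) for every session that breaks the policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        src = ipaddress.ip_address(row["source_ip"])
        reasons = []
        if row["user"] not in GRANTS:
            reasons.append("unknown user")
        elif row["permission"] not in GRANTS[row["user"]]:
            reasons.append(f"permission {row['permission']} not granted")
        if not any(src in net for net in APPROVED_NETWORKS):
            reasons.append(f"source {src} outside approved networks")
        for reason in reasons:
            findings.append((row["time"], row["user"], row["host"], reason))
    return findings

if __name__ == "__main__":
    for time, user, host, reason in audit_sessions(SAMPLE_LOG):
        print(f"{time} {user}@{host}: {reason}")
```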

Require independent validation

Any provider of remote desktop connections will claim that the product provides rock-solid security. Terms like “bank grade security” or “military grade security” are overused. IT administrators, however, should insist on independent validation of security claims. The gold standard for validation is white-box testing by an external security company that digs into every line of code, reviews internal documents and interviews members of the development team.

Administrators should require full transparency from remote desktop companies, and they should extend this requirement to any software updates or patches in the future.

This isn’t extreme. For all the great value that remote-access solutions provide to organizations of all types, they also carry substantial security risks. Wise IT administrators will exercise constant care to ensure their remote desktop remains highly secure, and they’ll demand the same from their vendors.

Snapping the remote desktop security lock tight is everyone’s business. It’s too important for any but the greatest vigilance.

Author

An experienced and versatile technology professional of over 25 years, Andrew has a proven track record of operational excellence and delivering customer delight in roles spanning a range of industries including industrial control, telecommunications, fintech, online media and IT. In his role at CIO, Andrew combines commercial savvy with technical knowledge.
