A farmer went to the hardware store in a nearby town and bought the best and most expensive padlock to secure his barn.
He took it home, removed the packaging, fitted the lock and then left the key in it. It seemed too complicated to have to remember where the key was every time he wanted to enter the barn.
Are we surprised that he discovered that his horses and tractor were missing the next morning? The same goes for remote desktop security.
Developers continue to improve existing strong security measures, and leading remote access companies recognize the importance of white-box audits that examine every line of code to defend against intrusions.
However, even the most secure remote desktop solutions are greatly enhanced by the adoption of best practices by IT administrators and the people they serve. They are the ones who close the padlock well.
Here are five critical steps that IT pros and users should take to establish optimal remote desktop security.
Verify end-to-end encryption
Encrypted connections are the basis of a secure remote desktop connection. It’s so obvious that IT pros may assume the encryption is in place or simply skip asking their remote access provider. Most vendors rely on industry-standard protocols to secure the application or service. But beyond that, ask for more details. Is the encryption really end to end? Who holds the encryption keys? What data is encrypted? Is data encrypted only while in transit? What about data at rest? Can sessions be replayed offline by a man-in-the-middle capturing encrypted session data? In the end, is the remote desktop secure?
Assume that each connection is established in a hostile environment. Paranoid? Maybe, but it’s a good assumption to make sure the encryption is complete.
Configure secure authentication
While many IT administrators instinctively gravitate towards developing a new layer of authentication for a secure remote desktop, simplicity often offers a better approach.
Simplicity translates into using policies and authentication local to the machine being accessed – or leveraging an organization’s existing single sign-on infrastructure. This spares users from learning – and then forgetting or disclosing – additional passwords, and IT teams don’t need to learn a separate process for managing remote access. Additionally, mature single sign-on solutions such as Microsoft AzureAD allow additional checks to be placed on user sessions: requiring re-authentication after a period of time, requiring additional authentication when logging in from new devices or locations, or blocking connections from specific countries or regions altogether.
Multi-factor authentication – a combination of factors such as something you know (your password), something you have (the mobile phone in your hand or a certificate) or something you are (the fingerprint that is scanned) – can significantly increase remote desktop security. Push notifications on login, for their part, alert a user each time a login is attempted and, when paired with an accept/decline prompt, add a further level of verification and an immediate alert of anything untoward in the unlikely event that an account is compromised.
Consider cloud brokered connections
While remote desktop access is certainly invaluable in many use cases, it’s important to remember that these solutions – like any software – can present significant security issues when exposed to the public internet.
Essentially, these apps require system administrators to open ports in firewalls to allow access. That, in turn, leaves a fingerprint on the internet: an intruder need only run a basic port scan or use a specialized search engine to discover which networks are exposing those ports.
Remote desktop solutions that rely on brokered connections in the cloud, on the other hand, require no open inbound port and so leave no such fingerprint. Would-be intruders are much less likely to bring a sledgehammer to the door of a house they can’t see. And the value of firewalls that remain intact is obvious.
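To make the “fingerprint” concrete, here is an added example (mine, not the article’s) that audits a constructed list of inbound firewall or security-group rules and reports every rule that lets the whole internet (0.0.0.0/0 or ::/0) reach a remote-access port. The rule format, the port shortlist and the sample rules are assumptions made for the example:

```python
import ipaddress

# Inbound ports commonly used by remote desktop / remote shell services (a hypothetical
# shortlist for this example; extend it to match the products actually deployed).
REMOTE_ACCESS_PORTS = {
    "RDP": (3389, 3389),
    "VNC": (5900, 5906),
    "SSH": (22, 22),
}

# Constructed sample of inbound firewall / security-group rules (not from any real network).
SAMPLE_RULES = [
    {"name": "rdp-anywhere", "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "0.0.0.0/0"},
    {"name": "rdp-office",   "proto": "tcp", "from_port": 3389, "to_port": 3389, "source": "203.0.113.0/24"},
    {"name": "vnc-internal", "proto": "tcp", "from_port": 5900, "to_port": 5910, "source": "10.0.0.0/8"},
    {"name": "all-open-v6",  "proto": "all", "from_port": 0,    "to_port": 65535, "source": "::/0"},
    {"name": "https",        "proto": "tcp", "from_port": 443,  "to_port": 443,  "source": "0.0.0.0/0"},
]


def ranges_overlap(a_lo, a_hi, b_lo, b_hi):
    """True if the inclusive port ranges [a_lo, a_hi] and [b_lo, b_hi] share any port."""
    return a_lo <= b_hi and b_lo <= a_hi


def is_any_source(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. the whole internet may connect."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule name, service, source) for every rule exposing a remote-access port to anyone."""
    findings = []
    for rule in rules:
        if rule["proto"] not in ("tcp", "all"):
            continue
        if not is_any_source(rule["source"]):
            continue  # scoped to a specific range: not an internet-wide fingerprint
        for service, (lo, hi) in REMOTE_ACCESS_PORTS.items():
            if ranges_overlap(rule["from_port"], rule["to_port"], lo, hi):
                findings.append((rule["name"], service, rule["source"]))
    return findings


if __name__ == "__main__":
    for name, service, source in audit_rules(SAMPLE_RULES):
        print(f"EXPOSED: rule {name!r} allows {service} from {source}")
```

The same check applies to the rule exports of any cloud provider or firewall once the fields are mapped; rules scoped to a corporate range (the “rdp-office” entry) or to internal networks pass, while the two “anyone” rules are reported. A brokered-connection deployment would have no remote-access rule to report at all.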
Apply strong policies
Yes, policy discussion is boring and policy enforcement is even more boring. Yet for all the tedium they bring, strong and well-enforced policies are among the most important building blocks of a secure remote desktop.
Much of this is standard practice in most organizations. Staff training sessions explain the use of remote desktops and clearly define what users are allowed to do. Administrators don’t want to find out, for example, that users have taken it upon themselves to change configuration settings. A clear discussion from the start avoids problems later.
This training is also a good time to reinforce password policies and the steps needed to keep them strong.
A particular threat is posed in a bring your own device environment. It’s not uncommon for BYOD users to install remote access software on their machines at home to work with their sister-in-law on family matters, then forget to remove the software when they’re done. When these users connect to their corporate network, the sister-in-law may have access to corporate data — and may not respect its confidentiality.
It is also important to consider the recording of remote access sessions. Although it can be extremely useful for training or auditing purposes, recording must be configurable, and recorded session data should be kept only locally and not in the provider’s services, because session recordings are prone to leaks and may expose sensitive data.
A secure remote desktop connection also requires regular software audits, the same types of audits that good IT admins already perform. Nobody wants random software installations floating around the network, and nobody wants to be in a situation where they don’t know what’s going on in their system. In the unlikely event of a breach, administrators need to know who is logged into a machine, where they logged in from, and what permissions they have exercised. Regular audits eliminate unpleasant surprises.
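The questions this paragraph lists (who logged in, from where, with what privileges) translate directly into log review. The following added example, which is not from the article, parses a constructed key=value session log, summarises successful logins per user, and raises alerts for logins from a device outside the user’s known set, for repeated failed logins, and for privileged actions by users without an admin role. The log format, the baseline and the threshold are assumptions made for the example:

```python
import re
from collections import defaultdict

# Constructed remote-access session log (a key=value format assumed for this example;
# real products emit their own formats, so adapt parse_line accordingly).
SAMPLE_LOG = """\
2024-05-02T08:15:02Z user=alice src=10.20.3.7 device=LAPTOP-A1 action=login result=success
2024-05-02T08:16:10Z user=alice src=10.20.3.7 device=LAPTOP-A1 action=exec privilege=admin cmd=change_config
2024-05-02T22:40:33Z user=alice src=198.51.100.24 device=UNKNOWN-9 action=login result=success
2024-05-02T22:41:01Z user=bob src=10.20.3.9 device=WS-B2 action=login result=failure
2024-05-02T22:41:09Z user=bob src=10.20.3.9 device=WS-B2 action=login result=failure
2024-05-02T22:41:15Z user=bob src=10.20.3.9 device=WS-B2 action=login result=failure
2024-05-02T22:42:00Z user=bob src=10.20.3.9 device=WS-B2 action=login result=success
2024-05-02T22:43:30Z user=bob src=10.20.3.9 device=WS-B2 action=exec privilege=admin cmd=install_software
this line is not a session event and is skipped
"""

# Constructed baseline: devices each user normally connects from, and who holds admin rights.
KNOWN_DEVICES = {"alice": {"LAPTOP-A1"}, "bob": {"WS-B2"}}
ADMINS = {"alice"}
FAILURE_THRESHOLD = 3  # consecutive failed logins before an alert (assumed value)

EVENT_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+)\s+(?P<fields>(?:\w+=\S+\s*)+)$")


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; return None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    event.update(re.findall(r"(\w+)=(\S+)", m.group("fields")))
    return event


def audit_sessions(log_text, known_devices=KNOWN_DEVICES, admins=ADMINS):
    """Summarise who logged in from where, and flag what an auditor would ask about."""
    logins = defaultdict(list)   # user -> [(timestamp, source address, device)]
    failures = defaultdict(int)  # user -> consecutive failed logins
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "user" not in ev:
            continue
        user = ev["user"]
        if ev.get("action") == "login":
            if ev.get("result") == "success":
                failures[user] = 0
                logins[user].append((ev["ts"], ev.get("src"), ev.get("device")))
                if ev.get("device") not in known_devices.get(user, set()):
                    alerts.append(f"{ev['ts']} {user}: login from unrecognised device "
                                  f"{ev.get('device')} ({ev.get('src')})")
            else:
                failures[user] += 1
                if failures[user] == FAILURE_THRESHOLD:
                    alerts.append(f"{ev['ts']} {user}: {FAILURE_THRESHOLD} consecutive "
                                  f"failed logins from {ev.get('src')}")
        elif ev.get("privilege") == "admin" and user not in admins:
            alerts.append(f"{ev['ts']} {user}: privileged action {ev.get('cmd')} without admin role")
    return {"logins": dict(logins), "alerts": alerts}


if __name__ == "__main__":
    report = audit_sessions(SAMPLE_LOG)
    for user, sessions in report["logins"].items():
        print(user, sessions)
    for alert in report["alerts"]:
        print("ALERT", alert)
```

On the constructed log this yields two successful logins for alice and one for bob, and three alerts: alice’s login from an unrecognised device, bob’s three consecutive failures, and bob’s privileged action without an admin role. Running the same summary on a schedule is what turns the “regular audits” of the paragraph into routine rather than a post-breach scramble.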
Require independent validation
Any remote desktop connection provider will claim that the product offers ironclad security. Terms such as “bank-grade security” or “military-grade security” are overused. IT administrators, however, should insist on independent validation of security claims. The gold standard for validation is white-box testing by an external security firm that digs into every line of code, reviews internal documents, and interviews members of the development team.
Administrators should demand full transparency from remote desktop companies, and they should extend this requirement to any software updates or patches in the future.
This is not an extreme position. Despite the great value that remote access solutions offer organizations of all types, they also come with significant security risks. Wise IT administrators will constantly ensure that their remote desktop remains highly secure, and they will demand the same from their vendors.
Engaging the remote desktop security lock is everyone’s business. It is too important for anything but the utmost vigilance.