Organizations are supporting increasingly distributed and complicated PC environments, and are showing a renewed interest in remote control tools mainly to support users that are inaccessible with in-place products. PC-based personal remote control tools allow IT support staff to remotely view or take over an end user’s machine to help resolve simple or mundane problems quickly and directly as the user sees them.
However, these tools can expose the organization to a variety of new security threats, as well as exacerbate the impact of other malware attacks, making an insecure tool worse than no tool at all. IT organizations must ensure that their products have appropriate embedded security features. They should also ensure that they implement the proper controls to mitigate risk.
Common Risks Associated with Remote Desktop Access
Unauthorized Remote Control Sessions
Client/server remote control tools require a management console to be installed in the customer’s LAN, and an agent, which runs as a service, to be installed on all managed PCs. Communication takes place within the organization’s network. Remote control tools embedded in PC life cycle management or service desk suites are typically client/server. Users may initiate remote control sessions with their IT support desk, the service desk may run unattended remote control sessions to perform various maintenance and support tasks. Because the agent is constantly running as a service, the possibility exists for an unauthorized party to initiate a remote control session.
You should look for capabilities in the product that allow you to enable “access by invitation only,” whereby remote control sessions can be initiated only by the end users. If you want support personnel to be able to offer help, then you should be able to configure the tool to require the end user to accept the connection. If you need support analysts to perform unattended remote support sessions, then make mutual authentication mandatory for access.
Non-Compliant Actions
Knowledge and complete visibility are necessary for any organization to ensure compliance in the workplace. One vital policy for safeguarding a company in the presence of remote activity is remote-session recording. Recording remote activity can help organizations in their efforts to ensure compliant actions and stay up-to-speed with regulations such as PCI-DSS, HIPPA, and GLBA compliance.
Services like Cloud Management Suite offer the ability to record all remote control activity, which adds a layer of visibility and heightened security. Anytime a remote-control session is initiated – even by an unauthorized party – that session will be recorded from the moment a connection is established. The recording won’t end until the session is closed by either party. Once a session is recorded, an administrator can review the session at any time to observe every activity and ensure that security standards have been met.
Out-of-Date Remote Control Policies
Legacy tools used for remote desktop access fail to support complex scalable environments, and organizations must find new ways to provide support services to users. Traditional LAN-based remote access tools require supportable PCs to run the remote control agent, and are attached to the corporate LAN. Business units and external service providers are increasingly supporting nonstandard users without standard or manageable corporate desktop configurations and without being directly connected to the LAN.
Unauthorized Session Logging
If host computers have recording malware, such as local keyloggers and screen grabbers, then hackers will be able to see remote control sessions. For example, in 2003, an attacker installed a keylogging application on computers at a Kinko’s location. With this application, the attacker recorded a user accessing his home desktop via GoToMyPC. The attacker recorded the user’s login credentials and was able to access the user’s home desktop, and stole various personal information.
This is a plausible scenario in a corporate setting as well, if users install personal remote control tools on their work desktops. There are a number of tools that assist in logging access, monitoring and detecting intrusions, and also triggering the necessary safety protocols.
Unauthorized External Control
Users can allow a malicious third party to control their machines by willingly giving them access through remote control. This scenario could present itself if users require external remote control support for an application they installed on their work system. In most cases, the user and the third party are with good intentions, but employees must be aware of this potential social engineering attack.
User-Managed Remote Control
Remote control tools for personal use can bypass the corporate firewall, and the company may be completely unaware of their use. These tools use encryption to protect themselves, and use outbound polling techniques similar to the methods used by hackers.
Appliance Platforms- Black Box Exposure
Appliance products are somewhat of a hybrid of client/server and Web-based remote control tools. The management server is an appliance (physical or virtual), which is an Internet-facing device that is installed on the customer’s premise. Most organizations place the appliance in the demilitarized zone (DMZ) to provide remote control services to external PCs without having to enable port forwarding, and data is kept on the customer’s premise. Appliances have their own embedded operating systems, and operate as “black boxes” on the network. Enterprises may have administrative control over appliances, but will be exposed to vulnerabilities that occur within any appliance’s internal systems.
PC Port Exposure
Web-based tools may set up situations that expose sensitive logical ports in PCs behind the enterprise firewall to surveillance and access from the Internet. You run the risk that anyone outside the company firewall can enter, if they have obtained the user’s credentials. This is a natural side effect, particularly in the case of remote control agents that advertise themselves for connection in a public directory outside the company firewall.
The bottom line is that organizations require consistent processes and policies to request, provision, deprovision and audit the access for third-party identities — including, but not exclusive to, those with remote privileged access. Organizations must define a process to inform and trigger onboarding and offboarding activities, and determine the maximum scope of allowable access.