Announcement

Collapse
No announcement yet.

Remote Access Benefits???

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Remote Access Benefits???

    Hi there guys,

    I have set up remote access at work so that when im at home i can access the work server using mstsc (Remote Desktop Connection). This allows me to make changes to the configuration and to possibly fix any problems that arrise.

    My boss is not computer literate and is worried about the security issues of allowing remote access, how can i convince him that it is a benefit to both myself and the company to use remote access?

    We have a fire wall in place and i have set up very tight rules on it. The only reason for keeping the datasafe on the server is to satisfy the rules of the Data Protection Act.

    Cheers in advance Guys

  • #2
    Originally posted by FunkyChicken
    Hi there guys,

    I have set up remote access at work so that when im at home i can access the work server using mstsc (Remote Desktop Connection). This allows me to make changes to the configuration and to possibly fix any problems that arrise.

    My boss is not computer literate and is worried about the security issues of allowing remote access, how can i convince him that it is a benefit to both myself and the company to use remote access?

    We have a fire wall in place and i have set up very tight rules on it. The only reason for keeping the datasafe on the server is to satisfy the rules of the Data Protection Act.

    Cheers in advance Guys
    You can configure the properties of the terminal server’s RDP-TCP connection to provide better protection. There are 4 areas to do this:

    Restrict the number of client sessions that can remain active on the server (making it easier to keep track of who is connected)

    Set session time limits (helping to ensure that sessions are not left unattended and active for long periods)

    Configure encryption levels You're using Remote Desktop Protocol with RC4 encryption

    Set permissions for users and groups on the terminal server
    "640k ought to be enough for anybody" - Bill Gates 1981

    Comment


    • #3
      There are other problems that arise when people telecommute:
      Who is responsible for ensuring workstations are "ergonomically configured" so to mitigate risk to kinds of work injuries?

      When working from home, who is responsible for injuries sustained while "on the job" ? If injured, will workman's comp apply?

      Other than the above, other security problems apply too, and many are comparable to taking a company laptop out on the road and then bringing it back behind the "protection" of the firewall/filters incuding mail-based malware scanners.

      If you have a lot of physical security at work, that is designed to protect data or resources (like a bank, or the military, or a business with trade secrets, or other similar cases) then, does knowledge that your home computer can bypass the firewall for remote access make your home "the weakest link" for some skilled computer criminal? (Key logger -> access to your network without having to break your work's phyical security.)

      Comment


      • #4
        I think you should be careful that your home machine doesn't carry trojans or send spyware or worms into the corporate network. Thats the next biggest concern I think, besides the obvious job of locking down the RDP server.

        Comment


        • #5
          If a VPN is available, the Terminal Service need not be visible to the outside world. All traffic on the public network will be strongly encrypted, but, depending on configuration, you might be placing your home computer inside the firewall.

          You could use TLS (the same technology we use for securing web sites). The system might still be a target, but information leakage would be less of a concern.

          Does the server already offer a service that allows tunneling (I'm thinking SSH here)?

          As simple as it sounds, changing the port number is likely to deflect 80% of the attention the server might otherwise have drawn.

          As for the presence of Terminal Services itself, has the lack of such a service prevented remote attacks against Microsoft Windows in the past?

          Comment


          • #6
            Originally posted by Voltage Spike
            If a VPN is available, the Terminal Service need not be visible to the outside world. All traffic on the public network will be strongly encrypted, but, depending on configuration, you might be placing your home computer inside the firewall.
            What Voltage Spike said.

            As for the presence of Terminal Services itself, has the lack of such a service prevented remote attacks against Microsoft Windows in the past?
            To be honest, I'm not aware of (nor have I ever had) an issue resulting from Terminal Services being Internet-facing, apart from the usual abuse-of-credentials problem you'd have with any remote access service in that context. Personally, though, I wouldn't do it - running it only on an interface behind the VPN is a good idea. Of course, if this box is also exposing IIS (or other routinely-molested Windows services) to teh intarweb, it should be fully DMZ'd to begin with.

            Also, even if you're doing that, your Group Policy should limit who does and does not have access to it internally. Your domain admins are probably the only ones who need to be able to access Terminal Services on servers (helpdesk may need RDP for troubleshooting XP boxes); it might not be a bad idea to pull everyone else out of the 'Allow Terminal Services' object.

            Comment


            • #7
              Originally posted by FunkyChicken
              Hi there guys,

              I have set up remote access at work so that when im at home i can access the work server using mstsc (Remote Desktop Connection). This allows me to make changes to the configuration and to possibly fix any problems that arrise.

              My boss is not computer literate and is worried about the security issues of allowing remote access, how can i convince him that it is a benefit to both myself and the company to use remote access?

              We have a fire wall in place and i have set up very tight rules on it. The only reason for keeping the datasafe on the server is to satisfy the rules of the Data Protection Act.

              Cheers in advance Guys
              Based on previous experience, trying to convince your boss using technical arguments may not be the easiest way forward. It may be worth trying to agree a set of guidelines or a new policy that defines your remote access procedures.

              Things to consider include the security of your own PC, how secure your access method is, and what you can do once you have gained access. The hardest bit is the access method and you have already received some excellent advice on the forum. It is always worthwhile defining the security measures you take on the remote PC; FW / AV / IDS etc etc.

              I notice you mention the Data Protection Act; Your boss may have a different view of the value of the data on the server. Do you actually need to have access to the data, or just the server itself?

              Comment


              • #8
                thanks for all the excellent help guys.

                i dont actually need access to the data on the server but instead just need to be able to control the server from home, i.e. running certain programs on the server, or even just simply viewing the current print jobs, what other option are there?

                cheers guys

                Comment


                • #9
                  Originally posted by FunkyChicken
                  i dont actually need access to the data on the server but instead just need to be able to control the server from home, i.e. running certain programs on the server, or even just simply viewing the current print jobs, what other option are there?
                  use VNC... and connect to it through an SSL tunnel. WinSSL is pretty idiot-proof. you'll need to use OpenSSL to create a .pem certificate file for the server. if you need help shoot me a PM. you should be able to set it up pretty easily, tho.
                  Last edited by Deviant Ollam; March 2, 2006, 18:19.
                  "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
                  - Trent Reznor

                  Comment


                  • #10
                    Originally posted by Deviant Ollam
                    VNC, connect through an SSL tunnel.
                    Option 2: UltraVNC. Supports PSK encryption out of the box (well, with a little tweaking here and there).

                    Comment


                    • #11
                      Originally posted by Deviant Ollam
                      use VNC
                      While I'm all for using more open tools, what would be the advantage of VNC? Security-wise, capabilities, convenience? It would seem to me that RDP is faster, tunnels sound, and is running over the same SSL connection.

                      Comment


                      • #12
                        Originally posted by Voltage Spike
                        While I'm all for using more open tools, what would be the advantage of VNC? Security-wise, capabilities, convenience? It would seem to me that RDP is faster, tunnels sound, and is running over the same SSL connection.
                        From a capability perspective, with VNC you are connecting to the actual console of the running system, versus a 'virtual terminal' with Windows Remote Desktop/Terminal Server. Even though you can go into 'Install Mode' with RDP, it doesn't work the same as VNC. Installing software through an RDP session is not recommended unless the software is designed to be installed that way. The whole HKEY_CURRENT_USER registry hive is very sensitive to access method.

                        /me goes back to sleep
                        Aut disce aut discede

                        Comment


                        • #13
                          Originally posted by AlxRogan
                          with VNC you are connecting to the actual console of the running system
                          Isn't this the very point of the -console flag? Although I suppose the flag is useless unless you are running Microsoft Windows Server 2003 (before that the console wasn't available as a "feature" of the protocol).

                          Comment


                          • #14
                            Originally posted by Voltage Spike
                            Isn't this the very point of the -console flag? Although I suppose the flag is useless unless you are running Microsoft Windows Server 2003 (before that the console wasn't available as a "feature" of the protocol).
                            You're right, I haven't tried that with 2003 so I can't say with it. I've just been burned badly with 2000 Server, and most of the software I've messed with still tell you to install it locally. Ah..the majesty of KVM over IP. :)
                            Aut disce aut discede

                            Comment

                            Working...
                            X