18 security measures remote desktop software should provide

Security is the key criterion on the checklist of anyone looking for remote desktop software. Before you start using a new remote desktop tool and introduce it to your company and clients, you want to make sure that it is as secure as a fortress.

Secure Remote Desktop Software

Security is the number one criterion when deciding on remote desktop software.

At ISL Online we’re obsessed with keeping your data safe and secure! We understand that information security is of utmost importance to you when it comes to establishing remote desktop connections.

While continuously developing and improving our remote desktop software, we apply a number of measures and features which make ISL Online secure and help us comply with strict security standards our clients expect. Our information security management systems are based on the globally recognised ISO/IEC 27001:2013 standard, which shows our general commitment to information security.

What does it take to make a remote desktop secure?
We have pulled together a short list of security measures and features that ISL Online uses to guarantee a high level of security. It is not a full list of the security precautions we apply to our software, but it gives an insight into some of the most important measures and features that secure remote desktop software should have. For a more detailed overview, please read our security statement.

1. RSA with Diffie-Hellman Key Exchange
To establish a remote desktop support connection with a client, the helpdesk operator needs to start the ISL Light application, which carries an RSA 1024-bit public key of the ISL Online server. The initial connection is established when the public key of the ISL Light application and the private key of the ISL Online server are verified and exchanged. Upon a successful RSA key exchange, the Diffie-Hellman cryptographic algorithm is used to exchange symmetric AES 256-bit keys.

We are rolling out RSA 2048-bit keys to our public cloud; they will gradually replace the 1024-bit keys. Server License users who keep their ISL Online servers up to date can already start using 2048-bit keys, and they can even configure their ISL Online servers to use 4096-bit keys.

2. AES 256-Bit End-to-End Encryption
Once the remote desktop session is established between the operator (helpdesk technician) and the client (end user), all data traffic is encrypted using symmetric AES 256-bit keys. A secure SSL end-to-end tunnel is established between the operator and the client. This means that even the ISL Online servers cannot decrypt the content of the sessions; they only transfer packets from one side to the other.

ISL Online security System

ISL Online applies numerous measures to guarantee a highly secure remote desktop experience.

3. Two-Factor Authentication (2FA)
Two-factor authentication (2FA) is an extra layer of security for helpdesk technicians and IT professionals. With 2FA enabled, operators can only log in to the ISL Online system through a two-step verification process, providing something they know (a password) and something they have (a 2FA token). This second factor makes your account more secure and makes unauthorised access much harder.

We recommend using two-factor authentication, especially on highly sensitive systems. ISL Online allows you to configure different methods for the second step of verification. Read how to set up two-factor authentication in one of our previous posts.

4. ISO/IEC 27001:2013 Certification (Information Security Management)
ISO/IEC 27001:2013 is internationally accepted and one of the most widely recognised information security standards. It specifies the requirements for a comprehensive Information Security Management System (ISMS) and defines how organisations manage and handle information securely. The certificate is awarded only to organisations that follow stringent security practices, after a rigorous audit process.

The ISO/IEC 27001:2013 certificate validates ISL Online’s expertise in information security management and our commitment to the highest level of security throughout the company. It is further proof that the data is well-protected and secure with ISL Online.

ISO/IEC 27001:2013 Certification

5. Port Filtering
Good remote desktop software works without making any firewall adjustments.

With ISL Online your firewall can remain intact, as ISL Light automatically initiates an outgoing connection, trying to connect using ports 7615, 80 and 443.

However, larger organisations normally have a policy on the configuration of their firewalls or proxies. System administrators might want to open port 7615 only, so that ISL Online traffic passes through directly while everything else keeps being filtered. They can also configure a DNS name exception or an IP address exception.

Regardless of the network configuration, ISL Online apps will automatically try different approaches to find a working transport (detecting proxy settings, using WinINet, creating a tunnel, making use of wildcard DNS, etc.).

6. Blacklisting / Whitelisting
Remote desktop software is a very powerful tool that lets you control remote computers. To prevent misuse of remote desktop software in your company, the ability to create whitelists and blacklists is indispensable.

For security reasons you might want to restrict the use of ISL Online software within your organisation. You can limit access to the ISL Online servers based on IP and/or MAC addresses. Use the “allow” function to specify a whitelist of IP/MAC addresses that are allowed to start a remote support session or access an unattended computer; use the “deny” function to specify a blacklist of IP/MAC addresses. These rules can be defined for a specific user or for the entire domain on the ISL Online server.

For example, you can allow your employees to generate session codes for a remote support session from the office only (your company’s range of IP addresses).
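The allow/deny evaluation described above, written out as an added Python example (not ISL Online's configuration format or code). The rule layout, the precedence of user-specific rules over domain-wide rules, first-match-wins order within a scope, and the deny-by-default fallback are assumptions for illustration; the sample rules are constructed.

```python
import ipaddress
import re
from typing import List, Tuple

# A rule is (scope, action, pattern): scope is "domain" (the whole server) or
# a user name; action is "allow" or "deny"; pattern is an IP network in CIDR
# notation or a MAC address. This layout is an assumption for illustration.
Rule = Tuple[str, str, str]
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample policy: the office range is whitelisted domain-wide, one
# known-bad MAC is blacklisted, and a contractor may only connect from one host.
RULES: List[Rule] = [
    ("domain", "deny", "de:ad:be:ef:00:01"),
    ("domain", "allow", "203.0.113.0/24"),
    ("contractor", "allow", "198.51.100.10/32"),
]


def _matches(pattern: str, ip: str, mac: str) -> bool:
    """A MAC pattern must match exactly; an IP pattern is a containment test
    against the network it denotes (an address of the other IP version never
    matches)."""
    if MAC_RE.match(pattern.lower()):
        return pattern.lower() == mac.lower()
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def evaluate(rules: List[Rule], user: str, ip: str, mac: str,
             default: str = "deny") -> str:
    """User-specific rules are consulted before domain-wide rules; within a
    scope the first matching rule wins. Requests matching no rule fall back
    to `default`, so the safe configuration denies unless explicitly allowed."""
    for scope in (user, "domain"):
        for rule_scope, action, pattern in rules:
            if rule_scope == scope and _matches(pattern, ip, mac):
                return action
    return default
```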

7. Code Signing
Code signing is widely used to protect software distributed over the Internet. It does not change the software; it appends a digital signature to the executable code. This signature assures recipients that the remote desktop software does indeed come from a source they trust: it provides enough information to authenticate the signer and to verify that the code has not been modified since it was signed.

ISL Online applications are digitally signed by means of a Code Signing certificate, which reliably identifies ISL Online as the software publisher and guarantees that the code has not been altered or corrupted since it was signed with a digital signature.

8. External Security Audits and Penetration Testing
Regular, systematic security audits and narrowly focused penetration tests are crucial for every remote desktop software provider responsible for information security. They allow a company to remedy identified weaknesses and vulnerabilities in time.

Independent security audits and penetration tests of the ISL Online system conducted on a regular basis reveal that ISL Online is a trustworthy service providing a very high level of security.

External audits and penetration tests

9. Function Transparency (No Stealth Mode)
It is important that a remote desktop application is designed in such a way that it can never run in the background without a client being aware of it. The functionality of the software should be totally transparent and the client should be able to follow the actions performed by the helpdesk operator all the time.

ISL Online is designed to provide remote support to clients over the Internet but only upon the client’s explicit request. The client allows an operator to start desktop sharing and can terminate the session anytime. When the operator has full remote desktop control over the client’s computer, the client can easily take control by simply moving the mouse. Once the session is terminated, the helpdesk operator cannot access the client’s computer again with the same session code.

10. Password Encryption
The security of your data depends not only on the strength of the encryption method but also on the strength of your password, including factors such as length and composition of the password, and the measures you take to ensure that your password is not disclosed to any third party.

ISL Online’s password security policy is based on the latest NIST specifications: the password must be at least 8 characters long; leading and trailing spaces are removed; any printable ASCII characters and spaces are allowed; and the password is checked against a blacklist of the most common and simplest passwords.

ISL Online does not store passwords in plaintext, but uses salted password hashing to protect passwords stored in user account databases.
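The policy rules from the paragraph above, applied in Python as an added example (not ISL Online's code), followed by salted hashing of the accepted password. The blacklist is a constructed sample, and PBKDF2-HMAC-SHA256 with a random 16-byte salt is an assumed choice of salted hash; the post names only the policy rules and the fact that stored hashes are salted.

```python
import hashlib
import hmac
import os
import string

# Constructed sample blacklist; a deployment would load a large list of common
# passwords (the post mentions the blacklist but not its contents).
COMMON_PASSWORDS = {"password", "12345678", "qwertyui", "letmein1"}

# Printable ASCII plus the space character; other whitespace is rejected.
ALLOWED_CHARS = set(string.printable) - set("\t\n\r\x0b\x0c")


def normalize_password(raw):
    """Remove leading and trailing spaces only; inner spaces are kept."""
    return raw.strip(" ")


def validate_password(raw):
    """Apply the policy: trim spaces, require at least 8 characters, allow only
    printable ASCII and reject blacklisted entries. Returns (accepted, reason)."""
    pw = normalize_password(raw)
    if len(pw) < 8:
        return False, "shorter than 8 characters after trimming spaces"
    if any(ch not in ALLOWED_CHARS for ch in pw):
        return False, "contains characters outside printable ASCII"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "found on the common-password blacklist"
    return True, "ok"


def hash_password(raw, salt=None, iterations=600_000):
    """Salted hash of the normalized password for storage; PBKDF2-HMAC-SHA256
    is an assumed choice. The salt and iteration count travel with the hash."""
    salt = os.urandom(16) if salt is None else salt
    pw = normalize_password(raw).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(raw, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    pw = normalize_password(raw).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```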

11. Brute Force Intrusion Protection
To prevent unauthorised access, brute force protection should be applied to remote desktop software.

A brute-force attack is a trial-and-error method that tries every possible combination that could make up a password or decrypt an encrypted file. Automated software generates a large number of consecutive guesses until the correct one is found.

ISL Online has configured rate limiting for login and connection attempts in order to prevent brute force attacks. ISL Online servers prevent brute force login attempts by limiting the maximum number of failed login attempts per user or per source address within a defined period of time. Logins can also be restricted to a specific time frame.
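The per-user and per-address limit described above, with the optional time-frame restriction, implemented as an added Python example (not ISL Online's code). The thresholds, the sliding window and the permitted-hours window are assumptions chosen for illustration; the post does not state ISL Online's actual values.

```python
import time
from collections import defaultdict, deque
from datetime import datetime, timezone


class LoginLimiter:
    """Sliding-window lockout keyed by user name and by source address, plus an
    optional permitted-hours window (UTC). All thresholds are assumed values."""

    def __init__(self, max_failures=5, window_seconds=300, allowed_hours=(0, 24)):
        self.max_failures = max_failures
        self.window = window_seconds
        self.allowed_hours = allowed_hours      # (start_hour, end_hour) in UTC
        self._failures = defaultdict(deque)     # key -> timestamps of failures

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q)

    def check(self, user, addr, now=None):
        """Return (allowed, reason) for a login attempt before it is processed."""
        now = time.time() if now is None else now
        hour = datetime.fromtimestamp(now, tz=timezone.utc).hour
        start, end = self.allowed_hours
        if not start <= hour < end:
            return False, "login outside the permitted time frame"
        if self._recent_failures(("user", user), now) >= self.max_failures:
            return False, "too many failed attempts for user " + user
        if self._recent_failures(("addr", addr), now) >= self.max_failures:
            return False, "too many failed attempts from address " + addr
        return True, "ok"

    def record(self, user, addr, success, now=None):
        """Record the outcome. A success clears the user's counter; the address
        counter is kept so one source cannot reset it by guessing other accounts."""
        now = time.time() if now is None else now
        if success:
            self._failures[("user", user)].clear()
        else:
            self._failures[("user", user)].append(now)
            self._failures[("addr", addr)].append(now)
```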

12. Intranet (LAN-only) Option
Some large organisations use ISL Online for internal support only, to help their employees work across different geographical locations. In such cases the remote desktop software must allow remote desktop sessions to be established within a local area network (LAN) only.

If you plan to use ISL Online within your LAN (intranet) only, there is no need for a public IP address. You only need a private address in the range of private networks (as specified in RFC 1918).

13. Reverse Proxy Support
A reverse proxy can hide the topology and characteristics of your back-end servers by removing the need for direct Internet access to them. You can place your reverse proxy in an Internet-facing DMZ but keep your web servers inside a non-public subnet. This diminishes the risk of unauthorised access to sensitive data.

ISL Online allows you to install the server behind a reverse proxy, terminating SSL on the proxy, so that the server is not exposed directly to the Internet. If you plan to position the server behind an existing enterprise network security device, please refer to the Reverse Proxy Manual.

14. Automatic Session Recording Option
Remote desktop software should not merely protect data transmission; it should also protect you as the remote desktop support provider and the client as its receiver. The best way to achieve this is session recording. This is particularly true for companies that have entrusted computer maintenance to a third-party servicing company by granting unrestricted remote access to their computers.

ISL Online offers the option to start recording automatically at the beginning of every remote access session, giving you full oversight of remote access activity and helping to prevent possible disputes with clients. See our guide on how to automate session recording.

15. Access Management
If only one person in a company uses remote desktop software, setting up access permissions is not something you need to worry about. This feature becomes very important from a security point of view, however, once numerous users use the software to connect to remote computers.

With ISL Online, the account admin can assign domain users different rights and limitations, including allowing or disabling access to specific computers. For each individual user you can also set a maximum number of concurrent sessions and disable the right to use audio, video, remote printing, file transfer and desktop sharing.

16. Incident Management System (IMS)
Remote desktop software providers should have an incident management system (IMS) which guarantees a rapid restoration of normal service operation after an unplanned interruption.

ISL Online uses its own IMS, a set of procedures developed in-house to mitigate reported incidents. Whenever an incident is reported, it is managed in our ticketing system.

Each incident normally includes the following elements:

  • Timeline UTC (a log of events in the chronological order in UTC time zone)
  • Executive summary (a brief description of the incident)
  • Root cause (an explanation of the root cause of the incident)
  • Resolution and recovery (a description of the incident mitigation process)
  • Corrective and preventative measures (an explanation of the actions taken to prevent such incidents in the future)
  • Other relevant information

The IMS helps us maintain continuous service levels, measure IT service availability, document undesired events and prevent their recurrence.

17. Logs and Accountability
To comply with regulations in most industries, remote desktop software should allow users to keep logs of remote support activity and provide clear accountability.

ISL Online allows IT administrators to identify unique users, show which systems were connected and, with session recording active, trace what actions were taken over the remote connection. Such records can drill down into each individual session, exposing information about the operator, the client, IP addresses, etc.

18. Restriction on Features
You would probably agree that remote desktop software is a universal tool, used in virtually all industries. Accordingly, there are countless different use cases, which call for very flexible solutions that allow features to be restricted in order to adhere to distinct security standards.

ISL Online allows you to restrict the features that are available within a session: taking control of the remote computer, transferring files from or to the customer, and similar. Here is an example where restricting a feature is essential: a bank employee should be able to see a client’s computer screen, but should never be able to share his or her own desktop. In this case desktop sharing on the desk (operator) side can be disabled.


2 Responses to 18 security measures remote desktop software should provide

  1. Daniel says:

    Learned some new stuff with very detailed information. Thanks a lot for sharing this amazing article!

  2. Thanks for the information, very good! I learned a lot reading this post…
