You’re an IT supporter and you’re using remote desktop software to offer remote support to your customers. Use the checklist below to see how secure the remote desktop tool you use is. Is it as secure as a fort, or should you suggest an update to its security measures?
What does it take to make a remote desktop secure?
We have pulled together a short list of security measures and features a remote desktop provider should use to guarantee a high level of security. It is not a full list of security precautions, but it gives you an insight into some of the most important measures and features that secure remote desktop software should have in order to comply with strict security standards.
1.Encryption and Authentication
Usually, remote desktop traffic is secured using RSA public/private key exchange and AES (256-bit) session encryption. It is recommended to use RSA 2048-bit keys or even 4096-bit keys.
AES 256-bit end-to-end encryption is essential to protect the data travelling between the operator (help desk technician) and the client (end user), so that it cannot be decrypted by a man-in-the-middle.
2.Two-Factor Authentication (2FA)
We recommend choosing software that supports two-factor authentication (2FA). With 2FA enabled, you and your operators log in to the system through a two-step verification process, providing something you know (a password) and something you have (a 2FA token). This second factor makes your account more secure and makes unauthorised access much harder.
3.ISO/IEC 27001:2013 Certification (Information Security Management)
Check if your remote desktop provider holds the ISO 27001 certification. This is an internationally accepted standard and one of the most widely recognised information security standards. It specifies the requirements for a comprehensive Information Security Management System (ISMS) and defines how organisations manage and handle information securely. It is only awarded to organisations that follow stringent security practices, after a rigorous audit process.
4.Firewall and Proxy Compatibility
Good remote desktop software works with existing firewall configurations, allowing the server and the clients to communicate without changes to ports or proxy settings.
However, if you’re coming from a larger organisation, you might have a specific policy on the configuration of your firewalls or proxies. Your remote desktop provider should be flexible enough to try different approaches to find a working transport (detecting proxy settings, using WinINet, creating a tunnel, making use of wildcard DNS, etc.).
5.Blacklisting / Whitelisting
Remote desktop software is a very powerful tool that lets you control remote computers. To prevent any misuse of remote desktop software in your company, the ability to create whitelists and blacklists is indispensable.
For security reasons, you might want to restrict the use of remote desktop software within your organisation. Check whether you can limit access to remote desktop servers based on IP and/or MAC addresses.
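As an added illustration of such lists (example code written for this article, not part of any particular remote desktop product), the check below applies a constructed IP blacklist, IP whitelist and MAC whitelist to an incoming connection:

```python
import ipaddress
import re

# Constructed policy for the example: the blacklist is consulted first, then the
# IP whitelist, then (optionally) the MAC whitelist. Replace with your own lists.
DENIED_NETWORKS = [ipaddress.ip_network("10.0.99.0/24")]      # e.g. a guest VLAN
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.10.0/24")]
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e"}                            # constructed sample MAC

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Canonicalise a MAC to lower-case, colon-separated form; reject malformed input."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac


def is_connection_allowed(ip, mac=None):
    """Return (allowed, reason) for a client IP address and an optional MAC address."""
    addr = ipaddress.ip_address(ip)        # raises ValueError on garbage input
    if any(addr in net for net in DENIED_NETWORKS):
        return False, "address is blacklisted"
    if not any(addr in net for net in ALLOWED_NETWORKS):
        return False, "address is not whitelisted"
    if mac is not None and normalize_mac(mac) not in ALLOWED_MACS:
        return False, "MAC address is not whitelisted"
    return True, "allowed"
```

MAC addresses are only visible from the same network segment, and both IP and MAC addresses can be forged, so such lists are a restriction layer on top of authentication, not a replacement for it.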
6.Code Signing
Code signing is widely used to protect software that is distributed over the Internet. Code signing does not change the software itself; it appends a digital signature to the executable code. This digital signature assures recipients that the remote desktop software does indeed come from the source you trust. It provides enough information to authenticate the signer and to ensure that the code has not been modified since it was signed.
Your remote desktop application should be digitally signed with a Code Signing certificate, which reliably identifies the software publisher and guarantees that the code has not been altered or corrupted since it was signed.
7.External Security Audits and Penetration Testing
Regular, systematic security audits and narrowly focused penetration tests are crucial for every remote desktop software provider responsible for information security. They allow a company to remedy identified weaknesses and vulnerabilities in time.
It is good to know whether your remote desktop provider conducts independent security audits and penetration tests on a regular basis. This serves as a guarantee that your provider offers a trustworthy service with a high level of security.
8.Function Transparency (No Stealth Mode)
It is important that a remote desktop application is designed in such a way that it can never run in the background without the client being aware of it. The functionality of the software should be totally transparent, and the client should be able to follow the actions performed by the help desk operator at all times.
Some remote desktop providers require a remote access client on the user’s machine before you can deliver the support they need. If this remote access client remains on their computer after you’re done, it means you’ve left behind a vulnerability that could later be exploited.
9.External Authentication
If you are a small company, the reason to use external authentication may not be immediately apparent, but if you are a big company, you probably know that introducing a new system can be quite challenging and may bring a lot of work related to user management.
Whether you’re currently using an external authentication method or not, we recommend choosing a remote desktop provider that can integrate with the most popular external service providers, such as LDAP, RADIUS, Active Directory and SAML.
10.Password Policy
The security of your data depends not only on the strength of the encryption method but also on the strength of your password, including its length and composition, and on the measures you take to ensure that your password is not disclosed to any third party.
Consider following the latest NIST recommendations: the password must be at least 8 characters long; any leading and trailing spaces are removed; any printable ASCII character and spaces are allowed in the password; and the password is checked against a blacklist of the most common and simple passwords.
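The rules just listed, as an added example validator written for this article (not the code of any particular remote desktop product). The blacklist here is a constructed five-entry sample; a real deployment loads a large list of common and leaked passwords.

```python
# Constructed sample blacklist for the example; replace with a full list of
# common and leaked passwords in a real deployment.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "letmein1", "iloveyou"}

MIN_LENGTH = 8


def normalize_password(raw):
    """Strip leading and trailing spaces, as the policy requires; inner spaces stay."""
    return raw.strip(" ")


def is_allowed_char(c):
    """Printable ASCII (0x21-0x7E) and the space character (0x20) are allowed."""
    return 0x20 <= ord(c) <= 0x7E


def check_password(raw):
    """Return a list of policy violations; an empty list means the password passes."""
    pw = normalize_password(raw)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters after trimming spaces")
    if not all(is_allowed_char(c) for c in pw):
        problems.append("contains characters outside printable ASCII and space")
    # Blacklist comparison is case-insensitive here (an assumption of this
    # example) so that "Password" is rejected along with "password".
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blacklist")
    return problems
```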
Check if and how your remote desktop provider stores passwords.
11.Brute Force Intrusion Protection
A brute force attack consists of a large number of repeated attempts to guess your username and password in order to gain access to your remote desktop user account. To prevent unauthorised access, remote desktop software should apply brute force protection by limiting the maximum number of failed login attempts for a user, or for a specific address, within a defined period of time.
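The limit described above, as an added example written for this article (not the code of any particular product): failed logins are counted per username and per source address in a sliding window, and either key is locked for a while once the limit is hit. The thresholds are constructed defaults; the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict, deque


class BruteForceGuard:
    """Count failed logins per user and per address in a sliding window; lock on limit."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                      # injectable for testing
        self._failures = defaultdict(deque)     # key -> timestamps of recent failures
        self._locked_until = {}                 # key -> time the lock expires

    @staticmethod
    def _keys(username, address):
        # Track both: one address hammering many accounts, one account from many addresses.
        return (f"user:{username.lower()}", f"addr:{address}")

    def is_blocked(self, username, address):
        """True if either the account or the source address is currently locked."""
        now = self.clock()
        blocked = False
        for key in self._keys(username, address):
            until = self._locked_until.get(key)
            if until is None:
                continue
            if now < until:
                blocked = True
            else:
                del self._locked_until[key]      # lock expired, forget it
        return blocked

    def record_failure(self, username, address):
        now = self.clock()
        for key in self._keys(username, address):
            recent = self._failures[key]
            while recent and now - recent[0] > self.window:
                recent.popleft()                 # drop failures outside the window
            recent.append(now)
            if len(recent) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                recent.clear()

    def record_success(self, username):
        # Reset only the account counter: a success must not clear the address
        # counter, or someone holding one valid account could reset it at will.
        self._failures.pop(f"user:{username.lower()}", None)
```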
12.Intranet (LAN-only) Option
If you plan to use remote desktop software for internal support only (supporting your employees across different geographical locations), make sure to choose a provider that allows establishing remote desktop sessions within a local area network (LAN).
In that case there is no need for a public IP address. You only need a private address in one of the private network ranges (as specified in RFC 1918).
13.Reverse Proxy Support
A reverse proxy can hide the topology and characteristics of your back-end servers by removing the need for direct Internet access to them. You can place your reverse proxy in an Internet-facing DMZ while keeping your web servers inside a non-public subnet. This reduces the risk of unauthorised access to sensitive data.
Does your remote desktop software allow you to install the server behind a reverse proxy, without exposing it directly to the Internet, with SSL/TLS terminated on the reverse proxy?
14.Automatic Session Recording Option
Remote desktop software should not merely protect data transmission; it should also protect you as the remote desktop support provider and the client as the receiver of that support. The best way to achieve this is session recording. This is particularly true for companies that have entrusted a third-party servicing company with computer maintenance by granting unrestricted remote access to their computers. Consider this when deciding on your next remote desktop software.
15.Access Permissions
If there is only one person using remote desktop software in a company, setting up access permissions is not something you would worry about. However, this feature becomes very important from the security point of view once numerous users use the software to connect to remote computers.
As a remote desktop account admin, you should be able to assign users different rights and limitations, set a maximum number of concurrent sessions, and disable the rights to use audio, video, remote printing, file transfer and desktop sharing.
16.Incident Management System (IMS)
Remote desktop software providers should have an incident management system (IMS) which guarantees a rapid restoration of normal service operation after an unplanned interruption.
Don’t hesitate to ask your remote desktop provider how they handle incidents. When you deal with tens, hundreds or thousands of remote desktop users, unexpected things can and will happen.
17.Logs and Accountability
To comply with regulations in most industries, remote desktop software should allow users to keep logs of remote support activity and provide clear accountability.
Does your remote desktop software allow you to identify unique users, show which systems were connected and, with session recording active, trace what actions were taken over the remote connection? Such records can go into each individual session, exposing information about the operator, the client, IP addresses, etc., which gives you peace of mind and helps you resolve possible misunderstandings or disputes.
18.Restriction on Features
You would probably agree that remote desktop software is a universal tool, used in virtually all industries. Accordingly, there are countless different use cases, which call for very flexible solutions that allow features to be restricted in order to adhere to distinct security standards.
Rich customisation options, especially when it comes to the possibility of tweaking the security settings to your needs in order to ensure regulatory compliance of your company, can be an important competitive differentiator.
To learn more about remote desktop security, visit the ISL Online Security Page.