Basic guidelines for securing your remote desktop sessions

Security is extremely important when it comes to remote desktop software. To achieve the highest level of security for your remote desktop sessions, you need to ensure protection at multiple levels: the software itself, network, server, and client side. In this blog post, you will get an overview of these four main categories.

Software security is typically assessed through penetration testing. These tests consist of automated scans and manual reviews to reveal potential vulnerabilities that should be addressed and fixed immediately. It is important to realise that the security features implemented in the software are not enough if you do not take care of the security of the network, especially at each endpoint where the server and client are located. Protective measures should be strictly implemented on both sides.


Remote sessions consist of several elements, namely the server (handling the remote session), the operator (providing support at the help desk), the network and the client (receiving the support). All these elements should be effectively protected. Therefore, we can say that security consists of several levels of protection, which can be divided into four main categories:

  • Network security
  • Remote desktop software security
  • Server security
  • Client security

Some security features are implemented directly in the remote desktop software, while others should be properly configured on the server and client side of the remote desktop session. This configuration also ensures secure traffic between endpoints. The following figure gives you a better overview of the network architecture and shows different levels of security to protect traffic.

The remote desktop service you choose should provide AES 256-bit end-to-end encryption and other security measures at various levels.

Network security

Encryption

As the figure shows, traffic is protected at multiple levels. Encrypting traffic is of paramount importance to prevent interception. To establish a remote desktop support connection with a client, the helpdesk operator launches the application, obtained from the application server, which contains an RSA 2048/4096-bit public key. The initial connection is established through an RSA key exchange: each public key is derived from its private key at generation time, and only the public keys are shared. Once the RSA exchange succeeds, the Diffie-Hellman algorithm is used to exchange the symmetric AES 256-bit keys. ISL Online, for example, protects its remote desktop traffic with AES 256-bit end-to-end encryption; the symmetric keys are negotiated with the Diffie-Hellman key exchange algorithm, and the exchange is protected by 2048/4096-bit RSA PKI. A Diffie-Hellman exchange creates a shared secret between the two parties, and that secret can then be used to encrypt the data they exchange over a public network.
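Here is an added example, in Go, of the pattern the paragraph describes: a Diffie-Hellman negotiation of an AES 256-bit key in which each side's DH value is protected by its long-lived RSA 2048-bit identity key. It is not ISL Online's code or protocol; it substitutes elliptic-curve DH (P-256) for classic DH and a plain SHA-256 hash for a full key derivation function, and assumes each side already holds the other's trusted RSA public key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// Offer generates a fresh P-256 DH key for this session and signs its public value
// with the party's long-lived RSA identity key (RSA-PSS over SHA-256).
func Offer(id *rsa.PrivateKey) (eph *ecdh.PrivateKey, pub, sig []byte, err error) {
	if eph, err = ecdh.P256().GenerateKey(rand.Reader); err != nil {
		return nil, nil, nil, err
	}
	pub = eph.PublicKey().Bytes()
	d := sha256.Sum256(pub)
	sig, err = rsa.SignPSS(rand.Reader, id, crypto.SHA256, d[:], nil)
	return eph, pub, sig, err
}

// Accept rejects a DH value not signed by the expected RSA identity, then derives the 32-byte AES-256 session key.
func Accept(eph *ecdh.PrivateKey, peerID *rsa.PublicKey, peerPub, sig []byte) ([]byte, error) {
	d := sha256.Sum256(peerPub)
	if err := rsa.VerifyPSS(peerID, crypto.SHA256, d[:], sig, nil); err != nil {
		return nil, fmt.Errorf("peer DH value not signed by the expected identity: %w", err)
	}
	pk, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := eph.ECDH(pk)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret) // KDF step: hash the raw DH secret into an AES-256 key
	return key[:], nil
}

func main() {
	opID, _ := rsa.GenerateKey(rand.Reader, 2048) // operator's identity (2048-bit RSA)
	clID, _ := rsa.GenerateKey(rand.Reader, 2048) // client's identity
	opEph, opPub, opSig, _ := Offer(opID)
	clEph, clPub, clSig, _ := Offer(clID)
	k1, _ := Accept(clEph, &opID.PublicKey, opPub, opSig) // client side
	k2, _ := Accept(opEph, &clID.PublicKey, clPub, clSig) // operator side
	fmt.Println("both sides derived the same AES-256 key:", bytes.Equal(k1, k2))
}
```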

Session code

During the session, the helpdesk operator passes a unique session code to the client. The code becomes invalid as soon as the connection is established, so it cannot be stolen and reused.
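An added example of the single-use property described above, written in Go and not ISL Online's implementation: the store below issues an unpredictable code, deletes it on the first successful redemption so it cannot be reused, and rejects codes that have expired. The Now field is an injectable clock, an assumption made so that expiry can be tested.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// SessionCodes issues single-use, expiring session codes (constructed model).
type SessionCodes struct {
	mu    sync.Mutex
	codes map[string]time.Time // code -> expiry time
	Now   func() time.Time     // injectable clock so expiry can be tested
}

func NewSessionCodes() *SessionCodes {
	return &SessionCodes{codes: map[string]time.Time{}, Now: time.Now}
}

// Issue creates an unpredictable 64-bit code from crypto/rand, valid for ttl.
func (s *SessionCodes) Issue(ttl time.Duration) (string, error) {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	code := hex.EncodeToString(b[:])
	s.mu.Lock()
	defer s.mu.Unlock()
	s.codes[code] = s.Now().Add(ttl)
	return code, nil
}

// Redeem accepts a code exactly once: it is deleted on first use, so a copy captured
// afterwards is worthless, and an expired code is rejected and deleted as well.
func (s *SessionCodes) Redeem(code string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.codes[code]
	if !ok {
		return errors.New("unknown or already used session code")
	}
	delete(s.codes, code) // invalidate on first use
	if s.Now().After(exp) {
		return errors.New("session code expired")
	}
	return nil
}
```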


Two-factor authentication

User authentication is performed using two-factor authentication, which is an additional layer of security that adds a second factor to the authentication process and makes unauthorised access nearly impossible. This type of authentication should also be enabled on the client side of the connection.


Firewall friendly

It is important that remote desktop software does not interfere with the client’s firewall to ensure smooth operation while providing a high level of protection. ISL Online, for example, automatically initiates an outbound connection through ports 7615, 80 or 443, so it works with the existing firewall and requires no additional configuration on the client side of the session.


Software security features

ISL Online software has a variety of security features that are enhanced with each new release. Some of the features are already implemented in the software, others need to be configured on the server or client side – such as blacklisting/whitelisting. We have already mentioned different encryption types and two-factor authentication.

ISL Online is designed to never run in the background without a customer being aware of it. A customer can revoke control from a technician or terminate a support session at any time.

Here is the list of security features that secure remote desktop software should contain:

  • RSA with Diffie-Hellman key exchange
  • AES 256-bit end-to-end encryption
  • Two-factor authentication
  • Port filtering
  • Blacklisting/Whitelisting
  • Code signing (of executable files)
  • External security audits and penetration tests
  • Function transparency (no stealth mode)
  • Protection against brute force intrusions
  • Intranet (LAN-only) option
  • Reverse proxy support
  • Option for automatic session recording
  • Access management
  • Logs and accountability
  • Restriction of functions
  • External authentication
  • Data centers and metadata

Note
ISL Online offers different hosting options (Cloud license, Managed Private Cloud, Server license). Some of the security measures described in this article are only available for certain hosting options. Please contact us for details (support@islonline.com).

Security on the server side

Server security configuration depends on your license type – for example, Cloud license, Managed Private Cloud or Server license. Depending on your pricing plan and desired security level, the following features are available:

  • Port filtering
  • Blacklisting/Whitelisting
  • Intranet only setup
  • Support for reverse proxy
  • Support for automatic session recording
  • Integration with custom identity providers
  • Support for integration with custom log analysis software

Recording and archiving all your sessions can be an important additional security measure or a step towards better quality assurance.

Other deep customizations:

  • Restrict functions
  • Restrict allowed protocols
  • Enforce password policies
  • Enforce data retention policies

Security on the client side

To maintain and improve security, users must be proactive and always take the necessary security measures on their side of the network. Some policies that increase client protection include the following:

  • To be on the safe side, lock down or block everything by default, then enable individual features only when they are needed and only for the people who need them
  • Always use strong passwords
  • Never repeat passwords
  • Use a password manager
  • Use two-factor authentication whenever possible
  • Create two user accounts on your devices: admin and standard user
  • Always work as a standard user and only enter admin credentials when prompted to do so
  • Set your screen to lock automatically when inactive
  • Do not install software you do not need or do not know about
  • Do not open links that you do not know or that come from unknown sources
  • Separate the devices you use for work from those you use at home/privately
  • Never plug in USB drives, floppy disks or memory sticks of unknown origin
  • Physically protect your device – lock the room at home, lock the office, do not leave devices unattended
  • Always report when something happens – nobody wins if you hide something

Two-factor authentication (2FA) is an extra layer of security for helpdesk technicians and IT professionals and makes unauthorised access much harder. With 2FA enabled, an operator must provide a second factor (a one-time passcode) in addition to their password to login successfully.

Important

It is highly recommended that you increase security by disabling the Windows Clipboard History feature or any other software that keeps track of clipboard contents and saves them for later use, as this can potentially lead to security issues!

This was a brief overview of the network structure and related security features. We will go into more detail about the individual network components in upcoming blog posts. So stay safe and look out for our next topic.

Words by Sabina Bakula
