6 Security Risks You Should Watch in Remote Desktop Connections

Posted in Business, Cybersecurity, Insights

The worldwide move to remote working has brought online security concerns to the fore when considering how to secure corporate information held on remote devices.

A significant concern is that carriers transfer data over an infrastructure beyond the control of the company. Responsibility for online security, and for ensuring that only authorised users have access to company data and systems, is handed back to the company.

Another concern is the threat posed by “Bring Your Own Device”, or BYOD.  Because the device is under the control of the end-user, ICT may not be able to control the applications loaded on it and the retention of corporate data on it.  

One online security solution is to use a remote desktop connection (“RDP”) so that IT can manage the remote device. RDP is built into Microsoft servers and desktop operating systems and is also available on Apple and Open System platforms. RDP can provide the necessary control.

Even with that potential degree of control, there are areas of concern that need to be monitored.  Here are six:

  • The Connection

    The increasing availability of WiFi in public spaces, malls, hotels, restaurants and the like has made it possible for users to connect to corporate systems from anywhere, at any time, and for IT to come in the reverse direction to manage a user device.

    The very nature of the connection means that it runs over an unknown and unmanageable path, probably maintained by several different organisations. The company may connect via a service provider, but after that it has no control.

    The connection must be a secure, encrypted, end-to-end VPN connection.

  • Authentication

    Authentication is an absolute no-brainer.  The corporate systems will have authentication to the corporate network.  That in itself is not enough to prevent remote hacking.  If a hacker can gain access to the front door by being able to use the remote link, they then have access to other exploits that may allow them access to the corporate systems.

    A separate authentication regime for the VPN is needed. User credentials can be compromised, so there must be a policy on password length and content, and passwords must be changed regularly.

    IT and possibly HR must manage the user lists and credentials.

  • Endpoints and The RDP Port

    IT needs to set out policies that specify the RDP implementation to ensure maximum security. There are several key aspects that need to be included in these policies. The first and most important is End-user Management.

    The first step is to limit the ability of users to manage the RDP environment. To that end, remove the default RDP Admin group and replace it with individual Admin users.

    The second step is to create an RDP users group and ensure that only members of this group can use RDP facilities. What they can do and when they can do it is mandated for the group. It is essential to limit the number of RDP users, and this is achieved by limiting the size of the group.

    A final step is to hide the RDP port.  Change it from the default and make it invisible to a port scan.

  • Remote Desktop Gateway

    A gateway and VPN are useful in that they deny all remote user access to your systems. Users must present credentials at a login screen and pass through a firewall to gain access. IT, and possibly HR, must manage the user lists and credentials.

  • Keep Software up-to-date

    In a Microsoft environment, the software is automatically updated. If a central distribution environment includes remote devices, IT can be sure that anti-malware and systems components have the latest security fixes.

  • BYOD

    It is becoming increasingly common for remote users to use smart devices, phones and tablets as their primary devices over remote connections.  They are convenient, increasingly powerful and provide a mix of private and work applications in a portable format.

    The smart device can be supplied by the company or by the user as a BYOD.  They will require corporate data retained on the device for offline use. Also, the device will automatically retain other data, perhaps internal company contact details and downloaded documents.

    IT can specify the VPN client software to be used, and manage the authentication credentials for it, but that is often as far as they go. 

    If an employee leaves and takes their smart device with them, or disposes of their BYOD device, corporate data goes with it. That is a serious security concern.   The device could also be stolen or lost.

    The organisation must have a policy that allows IT to inspect the device remotely and, if necessary, scrub it back to factory settings, erasing all apps and data other than those usually supplied with the device.
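
For the three steps under "Endpoints and The RDP Port" above, a read-only PowerShell audit of a single Windows host, added here as an example and not taken from the original article. It assumes the "default RDP Admin group" means the built-in Administrators group holding the "Allow log on through Remote Desktop Services" right, and `$MaxRdpUsers` is a hypothetical policy limit.

```powershell
# Added example: read-only audit of the three RDP hardening steps on one Windows host.
# Run from an elevated PowerShell prompt.
param(
    [int]$MaxRdpUsers = 10   # assumed policy ceiling; set to your organisation's limit
)

$findings = @()

# Step 1: export user rights and see who holds "Allow log on through Remote Desktop Services".
$inf = Join-Path $env:TEMP 'rdp-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $inf -Pattern '^SeRemoteInteractiveLogonRight\s*=' |
    Select-Object -First 1
Remove-Item $inf -Force -ErrorAction SilentlyContinue
$holders = @()
if ($right) {
    $holders = ($right.Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
}
# *S-1-5-32-544 is the built-in Administrators group (assumed to be the
# "default RDP Admin group" the article refers to).
if ($holders -contains '*S-1-5-32-544') {
    $findings += 'Built-in Administrators group still holds the RDP logon right.'
}

# Step 2: list and count members of Remote Desktop Users (well-known SID S-1-5-32-555).
$members = @(Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue)
if ($members.Count -gt $MaxRdpUsers) {
    $findings += "Remote Desktop Users has $($members.Count) members (limit $MaxRdpUsers)."
}

# Step 3: read the listener port configured for RDP-Tcp.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
if ($port -eq 3389) {
    $findings += 'RDP listener is still on the default port 3389.'
}

# Report: current state first, then anything that departs from the policy.
[pscustomobject]@{
    RdpLogonRightHolders = $holders -join ', '
    RdpUsersGroupMembers = ($members.Name -join ', ')
    RdpPort              = $port
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No deviations from the three steps were found.' }
```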
