HKCert
HKCERT logo Hong Kong Computer Emergency Response Team Coordination Centre

HKCERT logo Hong Kong Computer Emergency Response Team Coordination Centre

Security Blog

Assessing the Security of Remote Access Services Guideline

Release Date: 20 / 02 / 2020
Last Update: 21 / 02 / 2020

Remote access services enable workers of a company to access corporate IT services and their work files anytime, anywhere. When opting to use remote access services, a company must consider the security strength and weakness of different solutions, besides their user-friendliness and cost. Otherwise, its data assets will be at risk. This guideline aims to give companies some useful tips in identifying a remote access service sufficient enough to fulfil both their operating and security needs.

 

Remote Desktop Control

Remote Desktop Control is the opening of a corporate PC in internal network to the Internet, allowing the remote users to take control of it from almost anywhere. Its attraction is low cost, convenience and easy-to-use.

 

The security downside of this solution is that it bypasses the firewall control by opening a fixed outgoing connection to the server of the service provider, which will establish a reverse connection of the remote user through the server. This technology does not possess strict security controls, logging and audit functions as required by enterprises. The user must fully trust the service provider's security and presume any security compromise will have minimal impact. There are some use cases for this technology. For example, a user with only one computer in the office may prepare to take the risk as the security compromise will just affect his own computer. Another use case is a user opening his remote desktop control to IT support personnel and accompanying them in the whole session.

 

There are various remote desktop control products in the market. A company should choose a software that supports two-factor or multi-factor authentication and set a strong password. It must also keep the remote desktop control software up to date and turn off the remote desktop control software on the controlled PC when not in use to reduce the security risk.

 

Virtual Private Network (VPN)

VPN is a technology for users to securely access corporate network services through public network as if their computing devices are directly connected to the private network. This technology gives users secure access to corporate network resource such as central storage and printer. But the processing is still done on client machine.

 

VPN requires a company to have a firewall or VPN appliance that support SSL VPN or IPSec VPN. Users also need to install the VPN client application or setup VPN configuration supported by their device. This may require assistance from the IT support team. If the company already has that kind of firewall, then VPN is generally a cost-effective solution.

 

From security perspective, the end user’s device behaves as if it is located inside the corporate network, so runs the risk of malware attack. Therefore, end user’s device must be installed with endpoint security software. Also, the VPN client should use two-factor authentication or certificate to sign in.

 

Virtual Desktop infrastructure (VDI)

VDI is the technology for providing and managing virtual desktops. VDI hosts desktop environments on a centralized server and deploys them to end clients on request. These virtualized desktops are created by a virtual machine controlled by a hypervisor. All computing activity on the virtual desktop occurs on the centralized server. The cost for VDI is expensive since VDI requires an extra layer of software to host a VDI system.

 

With VDI solution, end users access their full desktops via a client or web browser via SSL and the devices they are using never actually touches desktop, so the security risk is mitigated. While many VDI solutions offer features such as antivirus and malware protection for the desktop, those security elements are not necessary on the end user’s device.

 

To further enhance security, users can apply two-factor authentication in VDI solution to avoid password bruteforce attack. Also, IT administrator should control the access of critical systems in the corporate intranet via the VDI.

 

 

Solution Type

Remote Desktop Control

Virtual Private Network (VPN)

Virtual Desktop Infrastructure (VDI)

How It Works

  • User just needs to download the remote desktop control software and install it in the corporate machine.
  • The software is executed on the corporate machine to connect to the cloud service and obtain a unique ID.
  • Password will be randomly generated, OR user can set their own password.
  • Same software to be installed in the user’s device which will remote control the corporate machine.
  • Then user can remote control the corporate machine by entering the unique ID and password.
  • 2 types of VPNs: (i) IPSec VPN (ii) SSL VPN
  • IPSec VPN:
    • Usually VPN client is installed in user’s machine.
    • The machine will virtually be connected inside the corporate network. Technically, it can access all the corporate network resources.
  • SSL VPN:
    • Web-based so no need to install client software
    • Provide limited services only (e.g. web application, remote desktop, other 3rd party terminal services, etc.)
  • VDI is the technology for providing and managing virtual desktops.
  • VDI hosts desktop environments on a centralized server and deploys them to end users on request.
  • These virtualized desktops are created by a virtual machine (VM) controlled by a hypervisor.
  • All computing activity on the virtual desktop occurs on the centralized server.
  • End users access their full desktops via a client or web browser via SSL and the device they are using never actually touches desktop.

Cost

Low

Moderate
[Most of the existing security appliance (e.g. next generation firewall) comes with VPN functionality. Some may require additional license to enable this function.]

High

Preparation Time

Less

Moderate

More

Pro

  • Usually FREE which comes with basic remote control functionality. (Additional function will be charged separately)  
  • Easy to set up
  • Good user experience as if sitting in front of the corporate machine
  • IT administrator has better control on the authentication mechanism (e.g. password strength, 2FA/MFA) and visibility on the network access / activities.
  • IT administrator has flexible control on the resource(s) that the user is allowed to access.
  • IT administrator has the flexibility to customise or standardise the configuration of all the VMs if needed.
  • IT administrator has better visibility on the overall performances and activities 

Con

  • Suitable for remote support / helpdesk only with the user monitoring the remote supporter by the side, not for corporate remote access in general
  • User can use any password they like (no password strength enforcement)
  • Usually doesn’t have 2-Factor / Multi-Factor Authentication (2FA/MFA).
  • IT administrator has less /no control on the connection. Anyone with password can remote access the corporate machine.
  • As the user’s (personal) device might be connected inside the corporate network, there runs the risk of passing on malware if it has already been infected earlier.
  • Additional hardware, software and licenses are needed to build such infrastructure
  • Maintenance time, IT technical skillset and cost is high compared to other remote access approaches.

Security Advice

  • Remote control software should be kept updated to ensure that vulnerability is patched.
  • Use of strong password
  • If 2FA/MFA function is available, must use it immediately.
  • Ensure the protection mechanism is enabled to secure the user’s device before connecting to corporate network. (e.g. anti-malware installed, personal firewall is activated, limit applications running in the background, etc.)
  • Use of strong password
  • If 2FA/MFA function is available, use it immediately.
  • As VDI will usually be used for contingency purpose (e.g. Business Continuity Planning (BCP) or Disaster Recovery Plan (DRP)), IT administrator may overlook some of the security patching on certain sparsely-used OS or application, especially since most of the VMs have customised configuration.
  • So it is encouraged to have full inventory list of all the resources, in both physical and virtual environment.
  • Make sure the list up-to-date.
  • Use of strong password, for both IT administrator and users
  • If 2FA/MFA function is available, use it immediately.

Example*

  • GoToMyPC
  • Google Remote Desktop
  • TeamViewer

 

  • Cisco
  • Fortinet
  • Palo Alto
  • Sangfor
  • Citrix
  • Huawei
  • Microsoft
  • VMware

 

 

*Disclaimer:
HKCERT does not endorse specific vendor products. Inclusion of products in this reference list does not indicate endorsement by HKCERT. Tools are listed with no quality rating. The tools in this list are owned by tool developers or vendors and they can be modified any time. HKCERT does not verify the accuracy of these tools. If you have any question about these tools, please direct contact tool developers or vendors.