Lesson 10 A Use Remote Access Technologies Flashcards
With remote desktop, the target PC runs a graphical
terminal server to accept connections from clients. This allows a user to work at the desktop of a different computer over the network.
Remote desktop is often configured for
laptop users working from home. Having gained access to the corporate network (via the Internet using a VPN, for example), they could then establish a remote desktop connection to a PC in the office. A technician can also use a remote desktop access tool to configure or troubleshoot a computer.
When allowing remote access to a host or network, you must assess and resolve security considerations:
Remote access permissions should be granted to accounts selectively using least privilege principles.
The connection must use encryption to be made secure against snooping. Users must have a means of confirming that they are connecting to a legitimate server to mitigate the risk of evil twin–type attacks. The server can be installed with a digital certificate to identify it securely.
The server software supporting the connection must be safe from vulnerabilities, especially when the server port is accessible over the Internet.
Remote Desktop Protocol
Windows uses the Remote Desktop Protocol (RDP) to implement terminal server and client functionality. To connect to a server via Remote Desktop, open the Remote Desktop Connection shortcut or run mstsc.exe . Enter the server’s IP address or fully qualified domain name (FQDN). Choose whether to trust the server connection, inspecting any certificate presented, if necessary.
You also need to define credentials for the remote host. To specify a domain account, use the format Domain\Username . To use a local account, use either .\ Username or Host\Username . RDP authentication and session data is always encrypted. This means that a malicious user with access to the same network cannot intercept credentials or interfere or capture anything transmitted during the session.
There are versions of the mstsc client software for Linux, macOS, iOS, and Android, so you can use devices running those operating systems to connect to an RDP server running on a Windows machine.
Virtual Network Computing
There are alternatives to using RDP for remote access. For example, in macOS, you can use the Screen Sharing feature for remote desktop functionality. Screen Sharing is based on the Virtual Network Computing (VNC) protocol. You can use any VNC client to connect to a Screen Sharing server.
VNC itself is a freeware product with similar functionality to RDP. It works over TCP port 5900. Not all versions of VNC support connection security. macOS Screen Sharing is encrypted.
RDP SERVER AND SECURITY SETTINGS
A Remote Desktop server is not enabled by default. To change remote access settings, open the Remote Desktop page in the Settings app.
Use the Select users link to define which accounts are permitted to connect remotely. Users in the local administrators group are allowed to connect by default. You can select users from the local accounts database or from the domain that the machine is joined to.
Under Advanced settings, you can choose between allowing older RDP clients to connect and requiring RDP clients that support Network Level Authentication (NLA). NLA protects the RDP server against denial of service attacks. Without NLA, the system configures a desktop before the user logs on. A malicious user can create multiple pending connections to try to crash the system. NLA authenticates the user before committing any resources to the session.
If Remote Desktop is used to connect to a server that has been compromised by malware, the credentials of the user account used to make the connection become highly vulnerable. RDP Restricted Admin (RDPRA) Mode and Remote Credential Guard are means of mitigating this risk. You can read more about these technologies at docs.microsoft.com/en-us/windows/security/identity-protection/remote-credential-guard.
The Remote Desktop server runs on TCP port 3389 by default but can be changed to another port.
There are also open-source implementations of RDP, such as XRDP. You can use XRDP to run an RDP server on a Linux host.
Microsoft Remote Assistance (MSRA)
allows a user to ask for help from a technician or co-worker via an invitation file protected by a passcode. The helper can open the file to connect over RDP and join the session with the user. There is a chat feature, and the helper can request control of the desktop.
Remote Assistance assigns a port dynamically from the ephemeral range (49152 to 65535). This makes it difficult to configure a firewall securely to allow the connection. Windows 10 feature updates introduced the Quick Assist feature ( CTRL+WINDOWS+Q ) as an alternative to msra.exe. Quick Assist works over the encrypted HTTPS port TCP/443. The helper must be signed in with a Microsoft account to offer assistance. The helper generates the passcode to provide to the sharer.
Secure Shell (SSH)
is also a remote access protocol, but it connects to a command interpreter rather than a desktop window manager. SSH uses TCP port 22 (by default). SSH uses encryption to protect each session. There are numerous commercial and open-source SSH products available for all the major OS platforms.
Each SSH server is configured with a public/private encryption key pair, identified by a host key fingerprint. Clients use the host key fingerprint to verify that they are attempting to connect to a trusted server and mitigate the risk of on-path attacks. A mapping of host names to SSH server keys can be kept manually by each SSH client, or there are various enterprise software products designed for SSH key management.
The server’s host key pair is used to set up an encrypted channel so that the client can submit authentication credentials securely. SSH allows various methods for the client to authenticate to the server. Each of these methods can be enabled or disabled as required on the server. Two commonly implemented methods are as follows:
- Password authentication—The client submits a username and password that are verified by the SSH server either against a local user database or using an authentication server.
- Public key authentication—The server is configured with a list of the public keys of authorized user accounts. The client requests authentication using one of these keys, and the server generates a challenge with the user’s public key. The client must use the matching private key it holds to decrypt the challenge and complete the authentication process.
Network visibility refers to
the challenge of ensuring that every host communicating on the network is authorized to be there and is running in a secure configuration. It is impractical for a technician to regularly locate and visit each device, so visibility depends on remote monitoring and management technologies.
There are two general classes of tools that provide this type of enterprise monitoring and remote access:
- Remote monitoring and management (RMM) tools are principally designed for use by managed service providers (MSPs). An MSP is an outsourcing company that specializes in handling all IT support for their clients. An RMM tool will be able to distinguish client accounts and provide support for recording and reporting billable support activity.
- Desktop management unified endpoint management (UEM)/mobile-device management (MDM) suites are designed for deployment by a single organization and focus primarily on access control and authorization.
Given those distinctions, these tools have many features in common. In general terms, any given suite might offer a mix of the following functionality:
- Locally installed agent to report status, log, and inventory information to a management server and provide integration with support ticket/help desk systems. Most suites will support both desktop (Windows/Linux/macOS) and mobile (iOS/Android) hosts.
- Agent that also performs endpoint detection and response (EDR) security scanning.
- Automated “push” deployment of upgrades, updates, security-scanner definitions, apps, and scripts plus management of license compliance.
- Remote network boot capability, often referred to as wake on LAN (WOL), plus ability to enter system firmware setup and deploy firmware updates and OS installs.
- Access control to prevent hosts that do not meet OS version/update or other health policies from connecting to the network.
- Live chat and remote desktop and/or remote shell connection to hosts.
A software agent depends on the OS to be running to communicate with the management server. The management suite can also be configured to take advantage of a hardware controller, such as Intel vPro or AMD PRO, to implement out-of-band (OOB) management and power on a machine remotely.
Enterprise monitoring suites are designed for
environments with large numbers of desktops, and the cost can be prohibitive when managing just a few machines. Other protocols and software tools are available for accepting incoming connections to non-Windows devices and can be more suitable for management of SOHO networks.
Screen-sharing Software
There are many third-party alternatives to the sort of screen-sharing and remote-control functionality implemented by MSRA/Quick Assist. Examples include TeamViewer and LogMeIn. Like Quick Assist, these products are designed to work over HTTPS (TCP/443) across the Internet. This is secure because the connection is encrypted, but also easier to implement as it does not require special firewall rules.
Some tools require the app to be installed locally, while others can be executed non-persistently. The user can grant access to an assistant or technician by giving them a PIN code generated by the local software installation.
Users must be made aware of the potential for threat actors to use social engineering to persuade them to allow access. When used in a corporate environment, there should be a specific out-of-band verification method for users to confirm they are being contacted by an authorized technician.
Video-conferencing Software
Most video-conferencing or web-conferencing software, such as Microsoft Teams or Zoom, includes a screen-share client, and some also allow participants to be granted control of the share. The share can be configured as a single window or the whole desktop. The share will have the privileges of the signed-in user, so these apps cannot be used to perform any administrator-level configuration, but they are useful for demonstrating a task to a user or reproducing a support issue by observing the user.
