Secure Remote Access

Establishing remote connections can be a risky process, as a lack of remote access security could allow hackers to gain access to privileged systems, resulting in data breaches, legal fees, and reputation loss.

However, a properly designed remote access tool can offer a highly secure connection to prevent unauthorized access. A remote access tool should use secure connection protocols with advanced encryption. The tool should also allow two-factor authentication and multi-level permissions for additional protection. In this case, remote access can be highly secure, allowing technicians and end users to establish system access and make file transfers without worrying about unauthorized intrusion.

There are several remote access protocols commonly used to establish secure connections between workstations or devices and remote access servers. A common protocol is Remote Desktop Protocol. RDP is a proprietary Microsoft protocol built to establish remote connections using Windows Terminal Services rather than the Citrix WinFrame product. RDP includes encryption and server authentication capabilities but can struggle with graphically taxing processes like remote video playback support. Dameware products are built to use RDP and VNC viewers to remote access computers running different operating systems.

• Serial Line Internet Protocol (SLIP): This protocol, developed by UNIX, operates within the physical and data link layers of the Open Systems Interconnection model to transmit TCP/IP over serial connections. SLIP capabilities are typically inexpensive to implement, but don’t include useful functions like error checking or packet addressing.
• Point-to-Point Protocol (PPP): Like the name suggests, this protocol creates connections through point-to-point links, like dial-up connections and dedicated lines. PPP is easily configurable and helps secure remote PC access by testing links between client and host machines using the Link Control Protocol (LCP). This enables PPP connections not only to authenticate negotiations between client devices and the remote access server, but to also compress and encrypt the negotiations. In contrast to SLIP connections, PPP includes error-checking capabilities and can operate on a variety of physical media. However, PPP requires greater financial investment and generally doesn’t support compatibility with older configurations.
• Point-to-Point Tunneling Protocol (PPTP): Using PPP connections as a foundation, this protocol involves creating a second dial-up session, which dials or “tunnels” through the active PPP remote connection to create a secure connection. This process is similar to how virtual private networks (VPNs) operate and is typically less expensive to implement than direct remote connections, making it an excellent option for administrators looking to establish network access between several LANs. However, while PPTP is straightforward and secure, the protocol is not viable for all server types and is not a universally accepted standard. PPTP connections can also impact throughput.
• Independent Computing Architecture (ICA): Designed by Citrix, this protocol specifies how data is to be transferred between client devices and remote access servers, without being limited by media or platform type. It allows for efficient, secure desktop sharing via remote access and LAN links—even for low-bandwidth connections—and is ideal for supporting large groups of remote end users. While highly efficient, this protocol requires significant investment in hardware and server processing power.
• Remote Desktop Protocol (RDP): In many ways similar to ICA, RDP is a proprietary Microsoft protocol that establishes remote connections using Windows Terminal Services rather than the Citrix WinFrame product. RDP includes encryption and server authentication capabilities but can struggle with graphically taxing processes like remote video playback support.

Secure remote access requires the right combination of best practices, technologies, and security solutions to ensure unexpected guests are unable to access remote sessions. Some frequently implemented solutions include:

• Multi-factor authentication: Authenticating remote user credentials with only a single password presents a significant security risk, which is why two-factor or multi-factor authentication is a common way to ensure remote access is compliance with most major data security regulations.
• Encryption: You should use a tool with AES 256-bit encryption standards for strong symmetric key encryption. It should also adhere to FIPS 140-2 validated encryption standards, which is a standard set by the U.S. government for non-military agencies. The tool should generate random encryption keys for each session.
• Session logs and recordings: Another way to help ensure remote access security is to use a tool that logs details of the session or allows video recording. In addition, any commands or file transfers between devices should be digitally signed to help ensure they’re not altered in transit.
• Single sign-on and password vaults: Single sign-on solutions consolidate employee and third-party credential authentication into dedicated databases, which can be used in combination with password vaults. These vaults can not only store and securely retrieve privileged access credentials, but many also track the usage of administrative passwords and by which users.
• Restrictive privilege access management: The policy of applying the minimum amount of necessary privileges to each user account is a key part of establishing secure remote access. Proper access management practices can help to prevent internal employees and vendors from unintentional or unauthorized access to remote sessions and other sensitive company assets and resources.
• Endpoint security: IT departments are better able to ensure compliance and security for on-premises devices and users, which is why adopting endpoint security solutions—such as firewalls, antivirus software, and VPNs—for remote workers is also advisable for more secure remote access.
• Network monitoring and auditing solutions: Real-time monitoring is the final key ingredient to maximizing the security of remote connections. As cyberthreats become increasingly sophisticated, having tools and sensors that can immediately detect anomalous behavior or unauthorized access. Auditing and reporting tools are also useful for highlighting network vulnerabilities and troubleshooting root causes.

SolarWinds Dameware Remote Everywhere (DRE) is designed to facilitate secure remote access and includes many tools and functions necessary for security, including multi-layer authentication, real-time session monitoring, session history reporting, AES-256 encryption designed for FIPS 140-2 compliance, and more. Dameware was also one of the first remote admin solutions to provide Smart Card authentication and interactive login.

DRE provides granular access control over attended and unattended remote access, allowing you to define user privileges and authorized activity within and without remote sessions. This also allows IT support teams to run updates and processes on workstations and devices in the background without interrupting end users, helping increase the efficiency without compromising security.

DRE includes a feature to create a master password for each workstation with the DRE Agent installed. Designed to prevent security misconfigurations and leaks in case the application’s privileged credentials become compromised, DRE’s master password function can be applied to critical network devices — such as domain controllers and web servers — to improve security across your infrastructure. This tool can be combined with DRE’s other security-boosting functions, which include the options to require the local user to authorize any incoming remote connections and to automatically lock the workstation when the remote session terminates.

To create a master password for each device, right-click the DRE Agent icon in the system tray and select Restore. Then navigate to the configuration window. In the upper-right corner there will be a padlock icon. The DRE Agent requires privileged access credentials to set the device’s master password; if the Agent is not operating under adequate privileges, then it will need to restart with proper permissions.

Once the Agent configuration window has relaunched, go to the Security menu. You see four options:

1. None: Selecting this option removes the DRE master password from the device, enabling all support team members with privileges to access unattended computers to connect to the device without additional authentication.
2. Dameware Remote Everywhere Password: This option will allow you to set the device’s master password. It needs to be a minimum of 8 characters and should include a mix of letters, numbers, and symbols for additional complexity.
3. Windows Account: Choosing this option allows all local or domain Windows accounts to initiate remote sessions, so long as the accounts have adequate privileges and a user profile on the local device.
4. Allow Restricted Accounts to Login to this Server: This option restricts session authentication privileges to local and domain administrators.

After you’ve created the master password, you can add another layer of security by enabling the option to require the remote device’s local user to authorize the initiation of a new remote session. This feature is designed to prevent hackers from accessing an unattended device. When you’ve finished configuring the password settings, click the open padlock icon to return the Agent’s privileges to their earlier restricted state.

While these instructions are explicitly for Windows host devices, they can also be performed similarly on devices running MacOS.

Other on-premises SolarWinds remote support tools:

• Dameware Remote Support
• Web Help Desk^®

Related Feautures:

• Remote Printing
• Remote Desktop Screen Sharing
• Remote Registry Editor Access
• Connect Remote Desktop With Command Line