US +1 770-622-2850;   EU +44 (0) 12-1286-4600

PC Remote Control – Security Challenges and Solutions

By Colin Bartram, Director of Technology, Vector Networks

Any IT support manager will confirm that fast, reliable, network efficient and full-featured remote control is the cornerstone of effective PC user support. But over the years, with rival vendors competing to provide savvy customers with the strongest feature line up, the potential for causing mayhem with these features has increased correspondingly.

Unless functionality is moderated with security provisions, and unless users are diligent in exploiting the security provisions, there is massive potential for adding to a leading source of corporate fraud – internal security failures.

Massive new responsibilities for data security are being placed on corporations and their officers through legislation such as SOX and HIPPA.  To ensure compliance, it makes sense to review the typical capabilities of modern remote control tools and a selection of the security measures that will be required for safe implementation.

Security Basics

It is a de-facto requirement today that the granularity of control of access to remote control features be accomplished by creating groups of remote control Console users in Active Directory (AD) or NT. So a pre-requisite for strong security in an advanced PC remote access and control installation is a well administered AD or NT security structure.

If the AD/NT user group administration is sloppy, it will likely open the door to breaches of security via remote control abuse.  But if we can assume AD/NT user groups are properly managed, the first step to securing remote control can be taken by generating Console ‘Control Profiles’ that regulate the functionality presented to the remote control user depending on their logon.  For example, it is quite likely that a large majority of application support calls can be serviced through the basic ‘Share’ mode of remote control – with a large percentage of other remote control features, such as file transfer, simply not relevant. Only a small number of specialists need access to the full range of functionality, such as file transfer, remote execute, remote registry edit. This last capability is so powerful, and so dangerous in the wrong hands, that in Vector’s PC-Duo Remote Control it is shipped as disabled by default, and has to be specifically enabled within a Control Profile. Control Profiles will themselves, of course, be accessible solely to those with password controlled administrative privileges.

The Need for Flexibility to Reflect the Desktop User Community

The security risks inherent in remote access and control will vary massively with the responsibilities of the users of the remote PC (‘Client’) concerned. The activities of personnel in areas such as HR, Internal Audit, Legal Services, etc, and what they are viewing on their desktop monitors, may be regarded as subject to the highest level of protection.  In these instances, access should be enabled for only a very few highly trusted members of the support team.  In other words, irrespective of whether a Control user has been granted the ability to use a particular feature, the desktop users must have the ultimate say in whether a particular Control user is allowed to connect, and if so, for what purpose.

This flexibility can be achieved through a mechanism of Client Security Profiles in which the administrator defines at a granular level what rights to grant the members of each of Control user AD/NT security groups. For example, the administrator can devise Profiles which will regulate access to particular directories for file transfer or edit, control the modes of remote control (most products today will offer View, Share and Control (lockout) modes), determine whether or not each remote control session will be logged, determine whether the remote execute function is enabled, etc.  In the evolution of a product as sophisticated as Vector’s PC-Duo Remote Control, customers have driven the process of making virtually all functionality subject to the governance of the Client Security Profiles.

Security – the personal touch

Over the years, the identity of the Control, as seen at the Client, has evolved to three levels – the name of actual logged on user at the Control, the identity of the Control machine, and the security group to which the logged on user belongs.  For one major user with more than 40,000 licensed PCs, it was stipulated by the desktop user community that if a technician wanted to connect to their desktop, they wanted to know who the actual technician was, where they were connecting from, and, of course, the reason for the connection. Short of turning up in person with photo-id, there was not a lot more that the support team could offer. (Perhaps photo-id of the connecting technician will arrive soon as another feature enhancement.) But the point of this is that the security of the desktop user can often be an emotive subject. The intrusive capabilities of remote control must often be carefully positioned and in consultation with those involved.

Record and Replay - Security that works both ways

Many of the security provisions in a quality remote control product will inherently protect the interests of both the Control and Client parties.  A help desk support analyst cannot be accused of a security breach if his or her Control installation is inherently incapable of facilitating the breach.  But there is one function, available in the more advanced remote control products, where this bi-lateral aspect to the security is very clear: Record and Replay.

In the case of Vector’s PC-Duo Remote Control, the first major application of the record and replay function was in a European bank, where it was mandated that all remote control sessions to PCs in the internal audit department be recorded, so that it could be demonstrated that no confidential information had been divulged to a help desk analyst.  However, it rapidly became apparent that it could be equally important to the help desk analyst to be able to call on a recording of a remote control session as the indisputable record of the session’s content.  It was only a matter of time before the widespread adoption of Service Level Agreements between help desks and user departments created a second requirement to be able to demonstrate the duration and content of a remote support session.

In environments where user permission is not required to initiate a remote control connection, Record and Replay can also have a near magical effect in reducing the amount of time spent on personal Web browsing and playing games.

Network snooping – a fashionable threat

Packet capture tools are now so readily available that the threat to the security of a remote control session from network snooping is no longer coming just from the hacking specialist with aggressive motives, but also from the inventive geek with too much time on their hands.  Encryption of all network traffic in a remote control session, from screen change messages to individual keystrokes, is now mandatory for many security conscious organizations.  One might expect that all organizations are security aware, but the astonishing extent of insecure wireless networks suggests that naivety is still with us in this regard.  The Pentagon endorsed AES standard is now widely adopted, and although many remote control products support other standards, Vector Networks believes that AES is the encryption standard of choice for most of our customers.

Summary: Denying security breaches in PC Remote Control

It is not the author’s intent to deter anyone from employing remote control, but the scope for abuse must not be underestimated. The greatest opportunity for abuse arises through unregulated access to functionality, and I recommend that customers look for regulation of functionality that is applied at both the Control and Client ends of the remote access and control session. There should be no significant performance reason to disable encryption, and there is every reason to keep it at the highest level offered by your chosen product. Traceability, with secure logging, is another significant deterrent, along with complete record and replay at the pinnacle of this functionality.  In our experience, the emphasis on confirming identity when requesting permission to connect is more of a comfort factor than anything else, but a comfortable user community must be every user support manager’s dream.