Safeguarding Remote Access in a Connected World

  • Article

**Security MVP Article of the Month – January 2009
**See other Security MVP Articles of the Month

by Dana Epp, Microsoft MVP, Enterprise Security and Developer Security

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2008 was an interesting year for the IT industry. With the economic slowdown, businesses have been tightening their spending everywhere, while simultaneously working to maximize the returns on their current investments.

One way to maximize investments is by increasing the productivity of staff and partners. Companies are exploring ways to take advantage of their existing IT infrastructure by offering staff the ability to work more effectively anywhere, anytime. Remote access is a critical component of this strategy, but it does have the potential to expose businesses to more risk than ever before.

Microsoft provides a set of remote access technologies, called a solution stack, for its server products. Most of this stack is available in through the Windows® Essential Server Solutions family of products. Built with the Windows Server® operating system as their foundation, the products and technologies in Windows Essential Server Solutions provide the environment and tools to mitigate and manage the risks of remote access while providing appropriate safeguards.

Every business has its own acceptable risk tolerance levels when it comes to its information assets. Internet-connected businesses, whether large or small, are equidistant from potential attacks from adversaries who may have motives to share, steal, or circumvent systems and data for their own gain. Whether for financial reasons or increased cyber street credibility, an attacker may want to gain access to systems that are connected online. Absolute security is a myth: With enough money and motive, no system is impenetrable. So when you think about security, think in terms of risk mitigation, not risk avoidance.

But this article isn’t about doom and gloom. By using good information security principles and practices you can make gaining access to your systems impractical, if not completely impossible for the threats to which you are susceptible to. And that is a driving force when thinking about mitigating risk from remote access. Our goal as IT professionals is to apply appropriate technical safeguards to reduce risk to an acceptable level for the businesses to which we are responsible. We may never be able to eliminate all risk, but we can make it difficult enough that the adversary will move on to far easier targets. The idea is to apply “just enough” security to get the job done. It doesn’t make sense to apply $10,000 worth of protection for an asset worth $1,000.

Windows Essential Server Solutions and Remote Access

The Windows Essential Server Solutions products are based on innovations that dramatically simplify the deployment, ongoing management, and use of server technology to help boost productivity and transform small and midsize businesses. The family of products includes Windows Server 2008, Windows Small Business Server 2008 and Windows Essential Business Server 2008.

Additionally, Windows Essential Server Solutions products use multiple technologies to provide remote access and increase the productivity of remotely connected staff and partners, including:

  • Remote Desktop
  • Terminal Services (TS) Gateway
  • TS Web Access and TS RemoteApp
  • Microsoft® Office Outlook® Web Access
  • Windows SharePoint Services
  • Remote Web Workplace
  • Virtual Private Networking

Remote Desktop

One of the easiest ways to connect to a Windows-based network is to use the Terminal Services Client (mstsc.exe), better known as Remote Desktop Connection. Terminal Services is one of the core Microsoft technologies that enables presentation virtualization, and using the Remote Desktop Protocol (RDP), you can connect to and manage the desktop of a remote computer from your local computer.

Terminal Services (TS) Gateway

Windows Server 2008 allows authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that supports RDPv6. The device establishes a secure, encrypted connection using RDP over HTTPS, allowing remote users to connect to internal network resources without the need to reconfigure firewalls to use secondary ports. Because TLS/SSL is a commonly allowed protocol, remote users can directly connect to the network without the problems of typical firewall policies on either end of the connection.

TS Gateway is much easier to set up and manage than using a Virtual Private Network (VPN) to connect to the network before connecting to internal resources using RDP. And TS Gateway allows the use of Windows Security Health Checks to control the session through Network Access Protection (NAP).

TS Web Access and TS RemoteApp

Windows Server 2008 adds new capabilities to Terminal Services in the form of TS Web Access and TS RemoteApp. TS Web Access makes it possible to launch and run applications from your Web browser, while TS RemoteApp makes it possible to run remote programs that appear as if they are running locally on your computer. Instead of seeing the full desktop of the remote terminal server, the TS RemoteApp program is integrated with the client's desktop, running in its own resizable window with its own entry in the taskbar.

Office Outlook Web Access

Outlook Web Access (OWA) is updated and improved in Microsoft Exchange Server 2007. It allows users to access e-mail, shared folders, contacts, and calendaring from a Web browser.

Windows SharePoint Services

Windows SharePoint Services facilitates collaboration, provides content management, implements business processes, and supplies access to information that is essential to organizational goals and processes. All driven through a Web browser, users can gain access to a wealth of knowledge and information with just a few clicks.

Remote Web Workplace

As part of Windows Small Business Server and Windows Essential Business Server, Remote Web Workplace (RWW) is a front-end Internet-facing Web portal that provides secure unified access to Outlook Web Access, SharePoint services and remote desktops through a common interface.

Virtual Private Networking

Routing and Remote Access helps enable cost-effective, secure remote access to virtual private networks (VPNs). Users can establish a secure VPN between untrusted remote hosts and the server using L2TP or PPTP.

Common Technical Safeguards

Remote access to resources is a great productivity tool, but it requires the use of appropriate technical measures to safeguard your vital information assets. Windows Essential Server Solutions products allow IT professionals to help protect their networks and information assets, and can be further strengthened by:

  • Restricting access by IP address.
  • Restricting local logon policies.
  • Using strong authentication.
  • Using application-layer inspection.
  • Using identity assurance for critical Web-based applications.
  • Using “least privilege.”
  • Ensuring more secure communications.

Restricting Access by IP Address

Consider using IP restrictions. There is a good chance that if you are located in the United States that you won’t need to allow computers from foreign countries to access your system(s). The best way to control this would be to configure your firewall to block all access except from IP addresses that you trust to certain services. For example, you could restrict access to TCP port 3389 to the IP addresses of your remote users to limit access to Remote Desktop Connection. If you don’t know the exact IP addresses, open access by small subnets that the remote host belongs to. Although this is not perfect, it significantly reduces the chance that someone with hostile intent may try to access systems when you don’t want them to. Many ISPs have documented the subnets they own, allowing you to accept access to the bare minimum IP addresses from which the remote user will connect.

For Web applications such as OWA, Windows SharePoint Services and TS Gateway you can use the “IPv4 Address and Domain Restriction” option in Internet Information Services (IIS) 7 to apply IP restrictions similar those you would configure for your firewall. You reduce the attack surface of the application by only allowing trusted addresses to access such services.

Restricting Local Logon Policies

The Windows operating systems include the option to limit remote access by using the “Select Remote Users” option when managing Remote Desktop settings. Or, you can use Group Policy account restrictions in the Active Directory® service. By setting the “Log on locally” policy, you limit access to certain systems to only those users that actually need the access.

Using Strong Authentication

Consider using strong authentication to provide identity assurance. You can use smart cards and provide assurance through certificate-based public key infrastructure (PKI). Or you can use two-factor authentication systems like AuthAnvil from Scorpion Software (www.authanvil.com) or SecurID from RSA (www.rsa.com) to provide dynamic one-time passwords (OTPs) that change each time they are used.

Using Application-Layer Inspection

When using Terminal Services roles like TS Gateway, TS Web Access, and TS RemoteApp, consider using Microsoft Forefront™ Threat Management Gateway (TMG). Forefront TMG enables SSL-to-SSL bridging and performs application-layer inspection, allowing you to apply standard security policy checks against the incoming requests. And it offers pre-authentication capabilities to validate users before they even connect to the target system. There is a great article on TechNet by Dr. Thomas W. Shinder and Yuri Diogenes on how to do this in an earlier version previously called Internet Security and Acceleration (ISA) Server at https://technet.microsoft.com/en-us/magazine/2008.09.tsg.aspx.

Using Identity Assurance for Critical Web-Based Applications

Consider using HTTP modules or Internet server application programming interface (ISAPI) extensions that offer identity assurance checks before a Windows credential can even be entered. Both Scorpion Software’s AuthAnvil and RSA’s SecurID allow a strong authentication check before allowing access to the underlying Web application. This way you can prove the identity of any incoming user before allowing access to internal resources or applications, reducing the chance an attacker can exploit possible weaknesses in your Internet-facing application(s).

Using “Least Privilege”

The principle of least privilege requires that users be given no more privilege than necessary to perform their jobs. In Windows, you can enforce this by creating security groups defined by role of responsibility and restricting access through the application of those groups. You can then use these groups when applying access control lists (ACLs).  

For applications such as Windows SharePoint Services, you can manage access by applying user rights with site groups. SharePoint site permissions make it possible to apply fine-grain control by level to sites, lists, and pretty much any securable object in Windows SharePoint Services.

Ensuring More Secure Communications

Require all communications to use SSL/TLS. Since Web applications like OWA and Remote Web Workplace use Forms based authentication, you need to ensure you safeguard the credential that will be entered. And, always be sure to encrypt the traffic when sensitive data is being exchanged between trusted parties. By using SSL, you can gain that assurance.

Conclusion

Enhanced productivity through remote access provides many benefits to a business, but it also creates exposure to new risks. To mitigate these risks, you need to weight the risk accordingly and apply the appropriate technical safeguards to reduce them to an acceptable level.

Some of this is common sense. Limit your exposure by only allowing people you trust to access sensitive resources. When that is not possible, consider restricting the access in a way that can significantly reduce the attack surface so an adversary cannot even reach the services. Use strong passwords, and, when that’s not sufficient, consider using stronger authentication solutions such as smart cards or two-factor authentication.

Apply the principle of least privilege. Use the security controls of the operating system and applications to limit access to information resources to the bare minimum that is needed for users to do their jobs. Audit users’ access regularly to determine if you need to re-evaluate their access rights or educate them on what they are authorized to do.

Using the appropriate safeguards will allow you to take advantage of the productivity benefits of remote access without exposing yourself to undue risk. And, that is the ultimate goal.