A Defensive Computing Checklist    by Michael Horowitz
NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

REMOTE CONTROL, REMOTE ACCESS

Aug 18, 2022: This page is not a checklist. It is also new and may not be fully fleshed out.

There are two approaches to remotely accessing a computing device (usually the remote device is a desktop computer, but the concept applies to laptops, phones and tablets too). I like to refer to the two approaches as inny and outty.

  1. When using an outty scheme, the remote computer makes an outbound connection to a middleman service. A local computer connects to the middleman service, which handles the connection to the remote computer. This approach is relatively simple to set up. The remote computer is usually assigned a user-friendly name such as "BobsPC".
  2. The inny scheme lets the local computer connect directly into the remote one. This is more difficult to set up, as holes need to be punched in the router firewall (port forwarding) and possibly even in the firewall of the remote device. The remote computer is often addressed by its public IP address and port number. Since the IP address can sometimes change, techies often set up DDNS names for the remotely accessible computers, which is another hassle.

The RDP service in Windows is an inny system. The Quick Assist feature in Windows 10 is an outty service. RealVNC used to be an inny service, then they added an outty option and now they charge more for the inny scheme.

An inny system should be more reliable as there is no dependence on the availability of the middleman service. Granted, it may depend on DDNS, but in my experience that has been very reliable.

SAFETY

Which is safer is a debatable point.

The big security issue with an outty system is the middleman company. Who knows if they can spy on the remote connection? I know of no way to audit this.

The big danger of an inny system is that it opens up the remote computer to the world, so bad guys anywhere can try to get into the remotely accessible computer. An inny system can be made safer, but it takes work. Here are some steps to increase the security of an inny scheme:

  1. Use a non-standard port on the remote side for accepting incoming requests. This can be done both in the router and (hopefully) in the server side remote software. Doing it in the router protects the WAN side; doing it in the server software protects from LAN side attacks. In the best case, a non-standard WAN port is forwarded by the router to a non-standard port on the LAN resident computer. For example, TCP port 5900 is used by VNC. So, in the best case, port 7011 (for example) is open in the router and it forwards to port 7012 in the remotely accessible computer.
  2. Use a long password that is not used anywhere for anything else.
  3. Have the router log every attempted incoming connection on the open port. Not every router can do that. Peplink can.
  4. Periodically review these logs and have the router block the networks used by bad guys.
  5. Have the server portion of the remote control software log every attempted and successful incoming connection. Here too, review these logs.
  6. Perhaps the biggest hammer in this toolkit is a restriction on the source IP addresses that are allowed to make a connection. Look into both the router and the remote server software for the availability of source IP rules. The downside to this is that as people move around, source IP rules will require updating. One way to avoid having to update the source IP rules is to use a small VPN provider and set the allowable source IPs to a couple of their VPN servers. A large VPN provider could have a dozen servers or more in a given city. But a small VPN company will have very few, maybe only one.
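Steps 3 through 6 above amount to a review loop over the connection logs plus a source IP rule. The script below is an added example, not from this page or any router or VNC vendor: it applies a constructed allow list (standing in for a small VPN provider's exit servers) to a constructed log of inbound attempts on the forwarded port, tallies failures per /24 so a network can be blocked, and flags any accepted connection from a source the rule should have refused. The log layout is hypothetical.

```python
import ipaddress
from collections import Counter
# Constructed sample log of inbound attempts on the forwarded WAN port, in a
# hypothetical "timestamp src_ip:src_port -> dst_port RESULT" layout (not any real
# router's or VNC server's format); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-08-18T10:01:02 203.0.113.7:51234 -> 7011 ACCEPTED
2022-08-18T10:05:17 198.51.100.23:40001 -> 7011 FAILED
2022-08-18T10:05:18 198.51.100.23:40002 -> 7011 FAILED
2022-08-18T10:05:19 198.51.100.29:40003 -> 7011 FAILED
2022-08-18T11:30:00 203.0.113.7:51990 -> 7011 ACCEPTED
2022-08-18T12:00:00 192.0.2.44:22222 -> 7011 FAILED
2022-08-18T12:30:00 192.0.2.44:22223 -> 7011 ACCEPTED
"""

# Source IP rule, constructed: stands in for the one or two exit servers of a
# small VPN provider, or a paid static IP, that may reach the open port.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.7/32"),
                   ipaddress.ip_network("203.0.113.8/32")]

def parse_line(line):
    """Return (src_ip, dst_port, result) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    return ipaddress.ip_address(parts[1].rsplit(":", 1)[0]), int(parts[3]), parts[4]

def source_allowed(ip, allowed=ALLOWED_SOURCES):
    """The check a router or server applies when a source IP rule is in force."""
    return any(ip in net for net in allowed)

def review(log_text, allowed=ALLOWED_SOURCES, threshold=2):
    """Count failed attempts per /24 from outside the allow list, propose networks
    to block once they reach `threshold`, and flag ACCEPTED connections from
    disallowed sources (the source IP rule is not in force or a password leaked)."""
    failed_per_net = Counter()
    unexpected = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, _port, result = rec
        if source_allowed(ip, allowed):
            continue
        if result == "ACCEPTED":
            unexpected.append(str(ip))
        else:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            failed_per_net[str(net)] += 1
    to_block = sorted(n for n, c in failed_per_net.items() if c >= threshold)
    return {"failed": dict(failed_per_net), "block": to_block, "unexpected_accepts": unexpected}
```

Running `review(SAMPLE_LOG)` proposes blocking 198.51.100.0/24 and reports 192.0.2.44 as an accepted connection that the source IP rule should have stopped.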

The classic response for securing any remotely accessible service is to place it behind a VPN. The downside to that is that it requires the care and feeding of a VPN server, not to mention obtaining one in the first place. And, assorted VPN servers have had their fair share of security flaws. To me, picking a consumer VPN provider and setting source IP rules that include a few of their VPN servers seems like a simpler approach that should be just as secure. Some consumer VPN providers will even provide a static public IP address, for an additional charge. That, too, would make a great source IP address for locking down an inny remote control system.

 This page: 6 views per day (over 40 days)   Total views: 231   Created: August 18, 2022