14.4 Remote Login

Users should never need remote access to their machines from outside the network. In addition, it is very doubtful that users would need remote access to their machines from within the network.

To that end, all remote access software should be disabled on workstations; this includes products like PCAnywhere, VNC, SSH, and Terminal Server. Understand that does not mean these software packages should not be installed on corporate workstations; there are very valid business reasons for using most of them. Instead, these products should not be used to allow remote access into the workstation ”even from within the network.

Firewall rules will stop remote users from trying to access workstations but that does not stop them from using these tools within the network. In order to stop this, a security auditing system should be put in place. This will be discussed in detail in Chapter 16, but it boils down to using a network scanner to scan workstations looking for ports that should be closed, but are open . Security audits , performed on a regular basis, can help spot security holes before they cause problems.

It is not necessary, or advisable, to disable remote access to workstations completely. Administrative personnel often need access to workstations to investigate a problem or install new software. Most network operating systems have built-in facilities to manage these types of tasks , and they should be used.

As with anything else, before using a remote login service to administer machines, make sure that all of the security risks are analyzed . If an attacker can sniff the administrative password to a workstation when a desktop support person logs in remotely, consider a different method of remote access. Whatever type of remote access system is chosen by administrators, it is important that all messages between the administrator and the workstations are properly encrypted.