At some point in time, odds are you've had remote users connecting to your network. Telecommuting has several proven productivity and environmental benefits, but it doesn't come without its drawbacks -- mostly in the form of information security risks. What happens if your remote users' computers have viruses or they transmit sensitive e-mails and instant messages over an unsecured wireless link? How about when systems that aren't properly protected can connect directly to your network -- thus offering a direct inbound link to anyone wanting to get inside and poke around maliciously.
Arguably, lots of bad things can happen. Unauthorized information access can take place, information leakage can occur, and there's always a possibility that malware can seep in through your otherwise hardened network border.
Before you create any new policies or lock down your remote systems, it's very beneficial to determine which remote access vulnerabilities currently exist in your environment. Doing that not only finds missing patches, but it also digs in deeper to find misconfigurations, unnecessary shares, null session connections and other exploitable vulnerabilities you would not otherwise be able to dig up easily. I suggest you use a vulnerability assessment tool such as Tenable Network Security's NeWT, GFI Software Ltd.'s LANguard Network Security Scanner (my favorite low-cost scanner), Qualys Inc.'s QualysGuard (my favorite scanner overall).
Use one (or more) of these tools on your internally supported images for laptops and desktops and, if it makes sense, test remote systems owned by your users as well. If the latter is not an option for political or resource limitation reasons, you could easily document instructions for your remote users to do it themselves. Consider having them install and run the Microsoft Baseline Security Analyzer (MBSA) on their systems and sharing the reports with you. You could even automate this via login scripts and/or Group Policy in Windows. Remember, there are reasons your organization's assets must be protected.
Once you've determined where your weaknesses exist and have addressed the issues, use the following checklist of common and not-so-common security safeguards to be sure you've got your remote systems locked down:
- Ensure that personal firewall software is installed (Windows Firewall in XP SP2+, BlackICE and so on) and at least provides inbound protection -- outbound application protection is nice, especially if you can configure it so your users aren't hindered by the constant outbound connection requests.
- Require malware protection (antivirus and antispyware) on every system and ensure that updates are being applied in real-time if possible to prevent unnecessary infections.
- Enable strong file and share permissions on remote hard drives and other storage devices -- especially on Windows 2000 and NT systems that allow everyone full access by default.
- Have a written policy and documented procedures in place for managing patches. For example, enable real-time Automatic Updates or roll out patches using an existing patch management system.
- Disable null session connections as outlined here to prevent the unauthorized gleaning of user names, security policy information and more from remote systems.
- Implement a VPN (the free Windows-based PPTP is a decent option) or make sure you're running a secure alternative connection such as Windows Remote Desktop or Citrix.
- Remember to include remote users, computers and applications in your security incident response plan and disaster recovery plans. Those are common oversights that can rattle your nerves if they catch you off guard.
- Your users will likely download and install IM, P2P and other applications that you can't support or otherwise make you nervous, so be prepared to prevent it in the first place via accounts with minimal privileges (think Windows Vista new feature) and periodic scans of systems looking for such software. Or, standardize on a small number of applications you can manage comfortably. They're going to do it anyway, so the latter option might be the easiest.
For systems configured to use 802.11-based wireless (or ones that may be used as such in the future), don't forget the following safeguards:
- Enable WEP at a minimum since it's a lot better than nothing, but ideally have users enable WPA2-PSK with strong (20+ random characters) pass-phrases.
- Require your users to use directional antennae instead of the omni-directional ones that come stock on practically all APs.
- Enable MAC address controls, which help keep non-techies from snooping or accessing your network (techies know how to spoof their MAC addresses to get around this).
- If possible, require a specific vendor/model of AP and wireless NIC to ensure they're hardened consistently according to your standards and so you can stay abreast of any major security alerts and necessary firmware or software updates.
- Remember that users may connect to your network via public hotspots, so make sure you and they understand the security implications and have the proper safeguards in place.
- Enable secure messaging if a VPN or other hotspot protection is not available via POP3s, SMTPs, Webmail via HTTPS and other built-in controls.
- Disable Bluetooth if it's not needed. Otherwise, it's too risky by default so lock it down.
These relatively simple and mostly free remote access safeguards, combined with a reasonable information security awareness program, will go a long way toward securing your offsite computers and protecting those things you cannot afford to lose.
About the author: Kevin Beaver is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Beaver has written five books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.
