Remote Access Security Best Practices
Remote work has exploded in recent years. But while this workforce model increases flexibility for users, it’s not so rosy for the IT pros who need to set up the infrastructure to support remote work. As they strive to ensure seamless access to services and applications, other important projects get put on the back burner — including critical security-related initiatives. Cybercriminals are noticing that most organizations are more vulnerable than ever, and are ramping up their attacks.
The following checklists can help you strengthen your cybersecurity in the age of remote and hybrid work.
Checklist 1: Making your remote setup as secure as possible
No matter how far along you are in setting up your infrastructure to support remote work, here are some valuable tips for making it as secure as it can be:
- Whenever possible, use managed devices. For every device that connects to your network:
- Enable encryption using BitLocker for Microsoft Windows and FileVault for macOS.
- Install antivirus protection and a firewall.
- Ensure all operating systems and other software are currently supported by the vendor.
- Keep all operating systems and other software up to date, with all critical updates installed.
- Enforce password policy, disable automatic login and enable automatic lock.
- Enable “find my device” and remote lock/wipe capabilities.
- Whether or not you use device management, give all employees a security guide that explains the cybersecurity measures required and recommended for remote workers.
- Conduct threat awareness training for your employees on regular basis.
- Use VPN — remember that your employees might use public Wi-Fi networks.
- If possible, use multifactor authentication (MFA) to protect VPN accounts and cloud services from unauthorized access.
- Avoid using Remote Desktop Protocol (RDP). If you have to use RDP:
- Don’t leave RDP exposed to the internet. All activity should be go through a secure connection.
- Don’t allow users to connect directly. RDP sessions should be forced via Remote Desktop Gateway (ideally, in a DMZ).
- Restrict RDP access to a whitelist of users and servers.
- Do not use default port numbers when setting up remote connections.
- If possible, restrict remote access to a whitelist of known-good IP addresses.
- Wherever possible, disable “everyone” and “anonymous” access.
- Enable Network Level Authentication (NLA) to secure remote desktop connections. NLA contributes to RDP security by requiring RDP clients to authenticate before establishing a session. NLA also protects against intercepted credentials (man-in-the-middle attacks).
Checklist 2: Mitigating the risks of your widened attack surface
Taking the steps in the previous checklist will help make your environment more secure, but your attack surface is still larger than ever. The following tips will help administrators further mitigate the risk of breaches and other security incidents:
- Follow basic housekeeping best practices. In particular:
- Identify all stale and unused accounts and then delete or disable them.
- Review all permissions and remove excessive and unused rights, especially remote access rights.
- Prune the number of privileged accounts.
- Overhaul your AD delegation model.
- Shut down or uninstall unused network services.
- Refine your Group Policy.
- Ensure that your password policy is configured correctly. Check your length and complexity requirements to encourage passwords that are easy to remember and hard to guess.
- Have an account lockout policy in place to prevent attackers from getting into your network by repeatedly trying to guess a user’s password. But don’t make the number of failed attempts permitted before lockout so low that you cause frustration and loss of productivity for legitimate users who make the occasional typo.
- Use Active Directory and Azure AD groups to control access across your infrastructure. Regularly review your groups and group membership to make sure no one has excessive permissions.
- Ensure that NTFS permissions and permissions to shared resources like SharePoint, SharePoint Online, OneDrive for Business and Teams follow the least-privilege principle.
- Follow auditing best practices in each of these areas:
- Configuration auditing — Make sure that the configuration of all critical resources matches your security baseline, and audit all configuration changes for errors and malicious activity.
- Access auditing — Monitor logons to both cloud and on-prem resources, as well as VPN logons.
- Activity auditing — Monitor user activity around data, especially activity around sensitive information and in cloud solutions that support remote workers, such as SharePoint Online, OneDrive for Business and Teams. Watch for suspicious group membership and permission changes that could indicate privilege escalation. And be on the lookout for spikes in suspicious activity around your network ports and VPN connections, especially port scans and failed login attempts, which could be a sign of password-spraying or brute-force attacks.
- Perform an enterprise-wide risk assessment. Pay particular attention to your remote services.
- Stay on top of new vulnerabilities and keep your environment up-to-date, whether on-premise, cloud or virtual.
- Document your policies and distribute them to everyone who accesses your IT environment.