Remote Access Security Best Practices
With the explosion of cloud technologies and widespread availability of broadband internet, many organizations are allowing employees to work remotely. After all, being able to work from anywhere enhances flexibility and productivity. But it’s not so rosy for the IT pros who need to set up the infrastructure to support remote work. As they strive to ensure seamless access to services and applications, other important projects are getting put on the back burner — including critical security-related initiatives. Cybercriminals are noticing that organizations are more vulnerable than ever, and are ramping up their attacks.
Checklist 1: Making your remote setup as secure as possible
No matter how far along you are in setting up your infrastructure to support remote office work, here are some valuable tips for making it as secure as it can be:
- Whenever possible, use managed devices. For every computer that connects to your network:
  - Enable encryption using BitLocker for Windows and FileVault for macOS.
  - Install antivirus protection and a firewall.
  - Ensure all operating systems and other software are currently supported by the vendor.
  - Keep all operating systems and other software up to date, with all critical updates installed.
  - Enforce a good password policy, disable automatic login, and enable automatic lock.
  - Enable “find my device” and remote lock/wipe capabilities.
- If you’re not able to use managed devices, give all employees an information security guide that explains the security measures required and recommended for remote workers.
- Conduct security awareness training for your employees on a regular basis.
- To ensure network security, use a Virtual Private Network (VPN) to secure access to the corporate network. Remember that your remote users might use public Wi-Fi networks, so SSH is also recommended for securing application traffic.
- If possible, use two-factor authentication to protect VPN accounts and cloud services from unauthorized access.
- Avoid using Remote Desktop Protocol (RDP). If you have to use RDP:
  - Don’t expose RDP to the internet. All activity should go through a secure connection.
  - Avoid direct RDP connections. If users need desktop access, RDP sessions should be forced through Remote Desktop Gateway (ideally, in a DMZ).
  - Restrict RDP access to a whitelist of users and servers.
  - Do not use default port numbers when setting up remote connections.
  - If possible, restrict remote access to a whitelist of known-good IP addresses.
- Wherever possible, disable “everyone” and “anonymous” rights to restrict unauthorized access.
- Implement a strict security policy for third parties working in your network.
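One way to apply the RDP items above on a Windows host that must keep accepting RDP, as an added example that is not part of the original article: it requires Network Level Authentication, moves the listener off port 3389, scopes the firewall to a source whitelist and pins the Remote Desktop Users group to a known list. The subnet 10.20.0.0/24, the port 33890 and the group CORP\RemoteAdmins are assumed placeholders for your environment.

```powershell
# Added example (not from the original article): host-side hardening for a
# Windows machine that must still accept RDP. Run in an elevated session.
# Assumed placeholders: the RD Gateway / jump-host subnet 10.20.0.0/24, the
# non-default listener port 33890 and the group CORP\RemoteAdmins.
$AllowedSources = @('10.20.0.0/24')      # assumption: only the RD Gateway subnet may reach this host
$RdpPort        = 33890                  # assumption: non-default listener port
$AllowedMembers = @('CORP\RemoteAdmins') # assumption: the whitelist of principals allowed desktop access
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Require Network Level Authentication so credentials are checked before a session is created.
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Move the listener off the default port 3389 (takes effect when the service restarts below).
Set-ItemProperty -Path $rdpTcp -Name 'PortNumber' -Value $RdpPort -Type DWord

# 3. Disable the built-in "Remote Desktop" rules (they allow any source on 3389) and replace
#    them with one inbound rule scoped to the whitelisted sources and the new port.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName "RDP restricted (TCP $RdpPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $RdpPort -RemoteAddress $AllowedSources `
    -Profile Domain,Private -Action Allow | Out-Null
# Everything that does not match an allow rule is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Make the local "Remote Desktop Users" group equal to the whitelist: remove strays, add the rest.
$current = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object -ExpandProperty Name)
foreach ($m in $current) {
    if ($AllowedMembers -notcontains $m) { Remove-LocalGroupMember -Group 'Remote Desktop Users' -Member $m }
}
foreach ($m in $AllowedMembers) {
    if ($current -notcontains $m) { Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $m }
}

# 5. Restart Remote Desktop Services so the new port and the NLA setting take effect.
Restart-Service -Name TermService -Force
```

The service restart ends every active RDP session, so run this from a console or out-of-band session and confirm the gateway can reach the new port before disabling the built-in rules.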
Checklist 2: Mitigating the risk of your widened attack surface
Taking the steps in the previous checklist will help make your environment more secure, but your attack surface is still larger than ever. Implement these best practices to further improve risk management:
- Follow basic housekeeping best practices. In particular:
  - Identify all stale and unused accounts and then delete or disable them.
  - Review all permissions and remove excessive and unused rights, especially remote access rights.
  - Prune the number of privileged accounts.
  - Overhaul your AD delegation model.
  - Shut down or uninstall unused network services.
  - Refine your Group Policy.
- Ensure that your password policy is configured correctly. Check your length and complexity requirements, focusing on ensuring passwords are easy to remember but hard to guess.
- Have an account lockout policy in place to prevent attackers from getting into your internal network by guessing a user’s password. But don’t make the number of failed attempts permitted before lockout so low that you cause frustration and loss of productivity for legitimate users, who will definitely make the occasional typo.
- Use Active Directory and Azure AD groups for access control across your infrastructure. Regularly review your groups and group membership to make sure no one has excessive permissions.
- Ensure that NTFS permissions and permissions to shared resources like SharePoint, SharePoint Online, OneDrive for Business and Teams follow the least-privilege principle.
- Follow auditing best practices in each of these areas:
  - Configuration auditing — Make sure that the configuration of all critical resources matches your security baseline, and audit all configuration changes for errors and malicious activity.
  - Access auditing — Monitor logons to both cloud and on-prem resources, as well as VPN logons.
  - Activity auditing — Monitor user activity around data, especially activity around sensitive data and in cloud solutions that support remote workers, such as SharePoint Online, OneDrive for Business and Teams. Watch for suspicious group membership and permission changes that could indicate privilege escalation. And be on the lookout for spikes in suspicious activity around your network ports and VPN connections, especially port scans and failed login attempts, which could be a sign of password-spray or brute-force attacks.
- Perform an enterprise-wide security risk assessment. Pay particular attention to your remote services.
- Document your policies and distribute them to everyone who accesses your IT environment.
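The housekeeping items (stale accounts, privileged accounts, remote access rights) and the password and lockout policy items above, carried out with the ActiveDirectory module as an added example that is not from the original article. The 90-day inactivity threshold and the password and lockout values are assumed placeholders for your own policy.

```powershell
# Added example (not from the original article): Active Directory housekeeping and
# lockout policy with the ActiveDirectory module, run as a domain admin. Assumed
# placeholders: 90 days of inactivity marks an account stale, and the password and
# lockout values below stand in for your own policy. Remove -WhatIf to apply changes.
Import-Module ActiveDirectory

# 1. Stale accounts: still enabled, but no logon in the last 90 days. Disable first,
#    delete only after the owner has been asked.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
         Where-Object { $_.Enabled }
$stale | Disable-ADAccount -WhatIf

# 2. Privileged accounts: enumerate the built-in admin groups (recursively, so nested
#    groups are resolved) to prune membership down to a known, documented set.
$privileged = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $g -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass
}
$privileged | Format-Table -AutoSize

# 3. Remote access rights: users whose Network Access Permission (dial-in/VPN) is explicitly allowed.
Get-ADUser -Filter 'msNPAllowDialin -eq $true' -Properties msNPAllowDialin |
    Select-Object SamAccountName, Enabled

# 4. Lockout and password policy: 10 failures inside 15 minutes locks the account for
#    15 minutes, which stops online guessing without punishing the occasional typo.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MinPasswordLength 14 -ComplexityEnabled $true `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 15) -WhatIf
```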
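For the access-auditing item above, an added example (not from the original article) that triages failed-logon bursts into the two patterns the checklist names: brute force (one account hammered from one source) and password spray (one source trying many accounts a few times each). The events are constructed sample data in the shape of Security event 4625 fields; the window and threshold values are assumptions.

```powershell
# Added example (not from the original article): classifying failed logons from
# Windows Security event 4625 as brute force or password spray. $Events is
# constructed sample data; on a real DC build it from
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}.
$Events = foreach ($i in 1..40) {
    # constructed: one source spraying 40 different accounts, twice each
    [pscustomobject]@{ Time = (Get-Date '2024-03-01T08:00:00').AddSeconds($i); User = "user$i"; Source = '198.51.100.9' }
    [pscustomobject]@{ Time = (Get-Date '2024-03-01T08:05:00').AddSeconds($i); User = "user$i"; Source = '198.51.100.9' }
}
$Events += 1..60 | ForEach-Object {
    # constructed: a second source brute-forcing a single service account
    [pscustomobject]@{ Time = (Get-Date '2024-03-01T09:00:00').AddSeconds($_); User = 'svc-backup'; Source = '203.0.113.7' }
}
# constructed: one ordinary typo that must not be flagged
$Events += [pscustomobject]@{ Time = Get-Date '2024-03-01T09:30:00'; User = 'bob'; Source = '10.0.0.5' }

function Get-FailedLogonFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes      = 15,  # assumption: align with the lockout observation window
        [int] $BruteForcePerUser  = 20,  # assumption: one account, this many failures in one window
        [int] $SprayDistinctUsers = 10   # assumption: this many distinct accounts from one source
    )
    $Events | Group-Object Source | ForEach-Object {
        $src = $_.Name
        # Bucket this source's events into fixed windows so a slow, all-day drip still groups.
        $_.Group | Group-Object { [math]::Floor($_.Time.Ticks / [timespan]::FromMinutes($WindowMinutes).Ticks) } |
            ForEach-Object {
                $win      = $_.Group
                $byUser   = @($win | Group-Object User)
                $top      = $byUser | Sort-Object Count -Descending | Select-Object -First 1
                $start    = ($win.Time | Measure-Object -Minimum).Minimum
                if ($top.Count -ge $BruteForcePerUser) {
                    [pscustomobject]@{ Source = $src; Type = 'brute-force'; Account = $top.Name; Failures = $top.Count; Start = $start }
                } elseif ($byUser.Count -ge $SprayDistinctUsers) {
                    [pscustomobject]@{ Source = $src; Type = 'password-spray'; Account = "$($byUser.Count) accounts"; Failures = $win.Count; Start = $start }
                }
            }
    }
}
# Expected on the sample: one password-spray finding for 198.51.100.9 and one brute-force
# finding for 203.0.113.7; bob's single failure produces nothing.
Get-FailedLogonFindings -Events $Events | Format-Table -AutoSize
```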