4.13 Use remote access technologies

Introduction 

Imagine you’re a skilled mechanic who can fix any car, but instead of being in the garage, you’re miles away. With the right tools, you could still check engine problems, guide the owner through fixes, or even adjust the settings remotely. In the digital world, remote management tools allow us to do just that for computers and networks. These tools give you the power to assist others, solve technical issues, and keep systems running smoothly without being physically present. This lesson will equip you with the skills to use remote access software effectively, empowering you to troubleshoot and support users wherever they may be. 

Remote Desktop Overview 

Remote desktop allows a user to work on another computer’s desktop over a network, with the target PC running a graphical terminal server to accept these connections. This setup is commonly used by laptop users working from home or by technicians configuring or troubleshooting computers. 

For example, a remote user might connect to their office PC over the Internet, using a virtual private network (VPN) to secure the network link, and then open a remote desktop connection to access resources as if they were on-site. 

Security Considerations for Remote Access 

To keep remote access secure, it’s important to address the following points: 

  • Permission Control: Only select accounts should be granted remote access using least privilege principles, ensuring the minimum levels of access necessary are given to perform the task. 

  • Encrypted Connection: Remote access must use encryption to protect data from being intercepted by malicious users. 

  • Secure Server Software: Ensure the server software is safe from vulnerabilities, especially when accessed over the Internet. 

  • Server Authentication: The user must confirm they are connecting to a legitimate server to avoid “evil twin” attacks. This is typically done by installing a digital certificate on the server for secure identification.

Think of it as an electronic ID card for a server.  It contains the server’s public key and is issued by a trusted organization called a Certificate Authority (CA). 


Analogy: Imagine you’re at a party, and you want to make sure you’re talking to the real host and not an imposter. 

Digital Certificate: The host wears a special badge (digital certificate) given by a trusted party planner (Certificate Authority or CA). This badge proves they are the real host. 

Public and Private Keys: The host has a special lock (public key) on their door that everyone can see, and a matching key (private key) that only they have. This lock and key pair are used to secure their room. 

When you arrive at the party, the host shows you their badge.  You check the badge to make sure it was issued by the trusted party planner and that it’s still valid. 

If the badge is valid, you know you’re talking to the real host. You can then use the host’s public lock to securely exchange messages, knowing only the host can unlock them with their private key.   

This way, you can be confident you’re communicating with the real host and not an imposter (evil twin), keeping your conversations private and secure. 

Certificate Authority (CA): The party planner (CA) verifies the host’s identity and gives them the badge. Everyone trusts the party planner, so they trust the badge. 

Windows Remote Desktop Protocol (RDP) 

In Windows, the Remote Desktop Protocol (RDP) is used for remote access. To connect to a remote desktop, you can open the Remote Desktop Connection shortcut or run mstsc.exe, then enter the IP address or fully qualified domain name (FQDN) of the remote server. 

  • Authentication: Provide the correct credentials. For domain accounts, use Domain\Username; for local accounts, use .\Username or Host\Username. 

  • Encryption: RDP encrypts all authentication and session data, preventing interception on the same network. 

  • Session Limitation: Only one user can be signed in on an RDP session at a time. A new login will disconnect any current remote session. 

RDP clients are available for other operating systems like Linux, macOS, iOS, and Android, allowing cross-platform connections to a Windows RDP server. 

Alternative Remote Access: Virtual Network Computing (VNC) 

Virtual Network Computing (VNC) is an alternative protocol that provides similar functionality to RDP and is widely used on macOS through its Screen Sharing feature, which is built on VNC. 

  • Cross-Platform Compatibility: Any VNC client can connect to a VNC server. 

  • Port and Security: VNC operates over TCP port 5900, but not all versions offer secure connections. macOS Screen Sharing, however, is encrypted for secure access. 

Enabling and Configuring the RDP Server 

The Remote Desktop server is off by default. To enable it, access the Remote Desktop page in the Windows Settings app. 

  1. User Permissions

    a. By default, users in the local Administrators group can connect remotely. 

    b. Additional users can be added through the Select users link. This allows you to add users from local accounts or from the domain if the computer is part of one. 

  2. Advanced Security Settings

    a. Network Level Authentication (NLA): You can require NLA for added security. NLA authenticates the user before any system resources are committed, preventing denial of service (DoS) attacks where multiple pending connections could crash the system. 

    b. Support for Older Clients: If needed, enable compatibility for older RDP clients. 

  3. Security Features

    a. RDP Restricted Admin (RDPRA) Mode and Remote Credential Guard: These features protect your credentials if the server has been compromised by malware. Learn more in Microsoft’s Remote Credential Guard documentation. 

  4. Port Configuration: The Remote Desktop server uses TCP port 3389 by default, but it can be changed if needed for security or network configuration reasons. 
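To check the settings above on an actual machine rather than clicking through the Settings app, here is an added audit script (example code, not part of the lesson or of Windows) that reads the RDP listener's registry values, the Remote Desktop Users group and the Remote Desktop firewall rule scope, and reports weak settings. It assumes Windows 10/Server 2016 or later (for Get-LocalGroupMember) and the standard registry locations of the RDP-Tcp listener; it changes nothing.

```powershell
# Added example, not from the lesson: audit a Windows RDP server against the
# checklist (server state, NLA, TLS, port, who may connect, firewall scope).
# Run in an elevated PowerShell; it only reads settings.
function Get-RdpServerAudit {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $state = [ordered]@{
        # fDenyTSConnections = 1 is the default: the RDP server is off
        ServerEnabled   = (Get-ItemPropertyValue $ts  -Name fDenyTSConnections) -eq 0
        # UserAuthentication = 1 means Network Level Authentication is required
        NlaRequired     = (Get-ItemPropertyValue $tcp -Name UserAuthentication) -eq 1
        # SecurityLayer = 2 negotiates TLS only; 0/1 still allow the legacy RDP security layer
        TlsOnly         = (Get-ItemPropertyValue $tcp -Name SecurityLayer) -eq 2
        ListeningPort   = Get-ItemPropertyValue $tcp -Name PortNumber
        # DisableRestrictedAdmin = 0 turns RDP Restricted Admin mode on (value absent = off)
        RestrictedAdmin = (Get-ItemProperty $lsa).DisableRestrictedAdmin -eq 0
        # Accounts granted access in addition to the local Administrators group
        RemoteUsers     = @(Get-LocalGroupMember -Group 'Remote Desktop Users' |
                            ForEach-Object Name)
        # Remote address scope of the enabled Remote Desktop firewall rules
        FirewallScope   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                            Where-Object Enabled -eq 'True' |
                            Get-NetFirewallAddressFilter |
                            ForEach-Object RemoteAddress | Sort-Object -Unique)
    }

    $findings = @()
    if ($state.ServerEnabled) {
        if (-not $state.NlaRequired) { $findings += 'NLA not required: unauthenticated clients can hold sessions open (DoS risk).' }
        if (-not $state.TlsOnly) { $findings += 'Legacy RDP security layer allowed: server identity is not proven by a certificate.' }
        if (-not $state.RestrictedAdmin) { $findings += 'Restricted Admin mode off: consider it or Remote Credential Guard to protect admin credentials.' }
        if ($state.FirewallScope -contains 'Any') { $findings += 'RDP reachable from any address: narrow the rule scope or publish only through a VPN.' }
        foreach ($u in $state.RemoteUsers) { $findings += "Least-privilege review: $u is in Remote Desktop Users." }
    }
    [pscustomobject]@{ Settings = [pscustomobject]$state; Findings = $findings }
}

Get-RdpServerAudit | Format-List
```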

RDP Server Limitations and Alternatives 

  • Windows Home Editions: These do not include an RDP server, so they cannot accept RDP connections. However, the client is available, allowing connections to other computers. 

  • Linux Compatibility: XRDP is an open-source RDP implementation, enabling you to run an RDP server on a Linux system. This is helpful for cross-platform remote access. 

Microsoft Remote Assistance (MSRA) and Quick Assist 

Microsoft Remote Assistance (MSRA) allows users to request help from a technician or co-worker through an invitation file protected by a passcode. When the helper opens the file, they can connect over RDP to the user’s session. The tool offers a chat feature and allows the helper to request control of the desktop. 

Port Configuration: Remote Assistance uses dynamic port assignments from the ephemeral range (49152 to 65535). This range makes it challenging to configure a firewall to allow MSRA connections securely. 


Quick Assist is a newer alternative introduced in Windows 10 updates, activated by CTRL + START + Q. Quick Assist: 

  • Uses HTTPS (TCP/443), a more secure, encrypted connection. 

  • Requires the helper to log in with a Microsoft account to generate a passcode for sharing with the user. 

Limitations: Neither Remote Assistance nor Quick Assist can perform tasks that need User Account Control (UAC) consent in their default settings. Adjusting UAC for these tools involves either: 

  • Disabling Secure Desktop for UAC. 

  • Reducing UAC notification levels, which may lower overall system security. 

Secure Shell (SSH) 

Secure Shell (SSH) is a remote access protocol designed for connecting to a command interpreter rather than a graphical desktop environment. By default, SSH operates over TCP port 22 and uses encryption to protect each session. SSH is available across various operating systems with both commercial and open-source options. 

Key Components of SSH: 

  • Host Key Verification: Each SSH server has a public/private key pair used to establish a secure connection. The client verifies the server’s identity using the server’s host key fingerprint. This step mitigates the risk of on-path attacks. Host key fingerprints are either stored manually by each client or managed through enterprise SSH key management tools. 

  • Authentication Methods

    • Password Authentication: The client submits a username and password, verified by the SSH server. The server checks this information against its local user database or an external authentication server. 

    • Public Key Authentication: The server is configured with a list of public keys for authorized users. The client must use the matching private key to respond to a server challenge. If successful, authentication is granted without a password. 

Security Considerations 

Monitoring SSH Keys: Regularly checking for, and removing, compromised client public keys is essential. Poor SSH key management has led to recent attacks, emphasizing the need for careful key monitoring and updates. 
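For the public key authentication method and the key monitoring point above, here is an added example (not from the lesson): a PowerShell inventory of a server's authorized_keys file that computes each key's SHA-256 fingerprint (the value ssh-keygen -lf prints) and flags revoked, obsolete or malformed entries so they can be removed. The authorized_keys and revocation lines are constructed samples whose base64 blobs are placeholders, not real keys.

```powershell
# Added example, not from the lesson: inventory an authorized_keys file so compromised
# or revoked client keys can be found and removed. Inputs are constructed samples.
$AuthorizedKeys = @'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDE alice@laptop
from="10.0.0.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIREVOKEDKEYREVOKEDKEYREVOKEDKEYREVOKEDKEYREV carol@phone
ssh-dss AAAAB3NzaC1kc3MOBSOLETEDSAKEYOBSOLETEDSAKEYOBSOLETEDSAKEYOBS bob@old-pc
this line is not a key
'@
# Revocation list in the plain-text form sshd's RevokedKeys option accepts: one public key per line
$RevokedKeys = @'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIREVOKEDKEYREVOKEDKEYREVOKEDKEYREVOKEDKEYREV
'@

function Get-AuthorizedKeyInventory {
    param([string]$AuthorizedKeysText, [string]$RevokedKeysText)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $revoked = @{}
    foreach ($line in $RevokedKeysText -split "`r?`n") {
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -ge 2) { $revoked["$($f[0]) $($f[1])"] = $true }
    }
    foreach ($line in $AuthorizedKeysText -split "`r?`n") {
        $line = $line.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        # A line may begin with options (from=..., no-pty, ...); the key type is the first
        # field that looks like one, followed by the base64 blob and an optional comment.
        $f = @($line -split '\s+')
        $i = 0
        while ($i -lt $f.Count -and $f[$i] -notmatch '^(ssh-|ecdsa-|sk-)') { $i++ }
        $row = [ordered]@{ Comment = ''; Type = ''; Fingerprint = ''; Status = 'OK' }
        if ($i + 1 -ge $f.Count) {
            $row.Comment = $line; $row.Status = 'Malformed line: remove it'
            [pscustomobject]$row; continue
        }
        $type = $f[$i]; $blob = $f[$i + 1]; $row.Type = $type
        if ($i + 2 -lt $f.Count) { $row.Comment = $f[$i + 2] }
        try {
            # OpenSSH fingerprint: base64(SHA-256(decoded key blob)) with '=' padding stripped
            $hash = $sha.ComputeHash([Convert]::FromBase64String($blob))
            $row.Fingerprint = 'SHA256:' + [Convert]::ToBase64String($hash).TrimEnd('=')
        } catch { $row.Status = 'Malformed key blob: remove it'; [pscustomobject]$row; continue }
        if ($revoked.ContainsKey("$type $blob")) { $row.Status = 'Revoked key still authorized: remove it' }
        elseif ($type -eq 'ssh-dss') { $row.Status = 'Obsolete DSA key: replace with ed25519' }
        [pscustomobject]$row
    }
}

Get-AuthorizedKeyInventory $AuthorizedKeys $RevokedKeys | Format-Table -AutoSize
```

Pointing the function at a real file (Get-Content -Raw ~/.ssh/authorized_keys) gives the fingerprints to compare against sshd's authentication logs and your revocation list.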

Network Visibility and Remote Management 

Network visibility is the challenge of ensuring that each device on a network is authorized and securely configured. Instead of visiting each device in person, technicians rely on remote monitoring and management (RMM) and desktop or unified endpoint management (UEM/MDM) tools for oversight and control. 

Types of Remote Management Tools 

  1. Remote Monitoring and Management (RMM)

    a. Primarily used by managed service providers (MSPs) to oversee client networks. 

    b. Includes tracking of billable support activity for client accounts. 

  2. Desktop Management or UEM/MDM Suites

    a. Deployed within a single organization for access control and device authorization. 

    b. Focuses on maintaining a secure and authorized device configuration across desktops and mobile devices. 

Common Features of Remote Management Tools 

  • Local Agent: Installs on each device to report status, log information, and support help desk/ticket systems for Windows, Linux, macOS, iOS, and Android hosts. 

  • Security Scanning: Provides Endpoint Detection and Response (EDR) to scan devices for threats. 

  • Automated Updates: Pushes upgrades, updates, apps, scripts, and ensures license compliance across devices. 

  • Network Boot and Firmware Access

    • Wake on LAN (WOL) enables remote booting. 

    • Allows technicians to access system firmware setup, update firmware, and install operating systems. 

  • Access Control: Prevents unapproved devices or those not meeting health standards from joining the network. 

  • Remote Support Tools

    • Enables live chat, remote desktop, or remote shell access to devices. 

Out-of-Band (OOB) Management 

A software agent on the device needs the operating system to be running to communicate with the management server. For more advanced control, hardware controllers like Intel vPro or AMD PRO support out-of-band (OOB) management, enabling remote power-on and access even if the OS is not running. 

Managing SOHO Networks with Screen-Sharing, File Transfer, and VPN Tools 

In smaller network environments, like Small Office/Home Office (SOHO) setups, costly enterprise tools may not be practical. Fortunately, several protocols and software tools are available to provide remote access, file transfer, and secure connections in simpler, cost-effective ways. 

Screen-Sharing Software 

Screen-sharing tools allow remote control over a device, often used by technicians to assist users. Options like TeamViewer and LogMeIn function over HTTPS (TCP/443), making them secure and firewall-friendly without special configurations. 

  • Access Setup: Some tools require installation, while others work temporarily through a non-persistent mode. 

  • Access Control: Users grant access by sharing a PIN code generated locally. 

  • Security Awareness: Users should be informed of the risk of social engineering attacks and verify technician identities via a secure verification method. 

Video-Conferencing Software with Screen Sharing 

Tools like Microsoft Teams and Zoom support screen-sharing capabilities. These are ideal for non-technical support tasks where visual demonstrations are helpful. 

  • Usage Limitations: Shares have the privileges of the current user and are limited to non-administrator tasks. 

  • Application: Useful for demonstrations and user support observations. 

File Transfer Software 

Setting up a network file share can be challenging in small networks, so alternative file transfer software can simplify this process: 

  • AirDrop (iOS/macOS): Uses Bluetooth for a Wi-Fi Direct connection. 

  • Nearby Sharing (Windows 10+): Microsoft’s equivalent of AirDrop, with Bluetooth-enabled sharing. 

  • Nearby Share (Android): Allows Bluetooth-enabled file transfers for Android devices. 

Security Note: Users should only accept file transfer requests from trusted contacts to avoid unsolicited transfers. There may also be security risks tied to accepting connections from unknown devices. 

Virtual Private Networks (VPNs) 

Unlike individual host connections, a VPN links a user’s local computer directly to a remote network through a secure, encrypted tunnel. VPNs provide an added security layer for remote desktop and file access without exposing critical firewall ports: 

  • Functionality: Establishes a private connection to a network. 

  • Security: Reduces the need to open remote desktop ports, minimizing firewall vulnerabilities. 

By using these tools appropriately, even small networks can have secure and flexible remote access, data sharing, and support capabilities. 

Summary 

Remote management tools and protocols make it easier than ever to stay connected, share information, and solve problems in any environment, whether you’re working in a large enterprise or a small office setup. Screen-sharing software, video-conferencing tools, and file transfer options simplify collaboration, while VPNs add a secure layer for connecting to private networks. By mastering these tools, you’re equipped to help others effectively and ensure safe, efficient access to network resources—no matter where you or your colleagues are working.