Keep Your Network Safe When Using XP's Remote Controls

When we first discussed XP's Remote Control tool in this space, we called it one of that operating system's "hidden gems: A built-in, simple way to control your PC from afar. It lets you do everything from basic file and data access up to fully taking over the keyboard and mouse of a distant PC, just as if you were sitting in front of it. What's more, XP Pro extends this remote-control ability to any and all versions of Windows -- all the way back to Win95, including Windows CE palmtop systems and XP Home -- via a FREE client software tool."

That first article runs through the similarities and differences among the tool's three major faces ("Remote Desktop," "Remote Desktop Web Connection," and "Remote Assistance"). It then shows you the pros and cons of each, shows you where to get the free client software, and most important, shows you how to use these remote-control options safely. If you're not familiar with these Remote Control services, that article would be a great place to start.

A more recent discussion in my newsletter delves further into some of the security implications of these services, and also prompted some excellent reader mail, such as this:

How secure is it? Well, there's no absolute measure for things like this, but the fuzzy answer is "adequate in itself, but easy to improve upon." Remote Control's encryption makes any actual data transfer relatively safe, but that's not the real danger. Rather, the more serious risk lies in some unauthorized person connecting to an idle PC with Remote Control enabled. At the least, they'd (obviously) have some access to data and files on that PC itself; and if the remote-controlled PC is on a LAN, then it's possible for the intruder to reach out to other PCs on the LAN, or even the server.Clearly, you have to be careful with this kind of technology: Anytime you leave a figurative "door" open to the online world, there's obviously more risk than otherwise. But a Remote Controlled system can be made reasonably secure if you use all the available security tools and techniques:

Beefing Up Local Security
First, let's make it a given that any PC used for Remote Control ("RC") will have a good software firewall running (no "hardware only" solutions, such as relying solely on a router or server-level protection; see this for more information). Second, the PC used for RC must have a current, active, and reliable antivirus tool running; and also will have active (e.g., monitoring) and passive (e.g., Registry lockdown) anti-malware protections in place.

There are many such software tools from which to choose, but a good current list might include:

Next, all unnecessary network-related services should be turned off on the remote-controlled PC, so that any users wishing to connect remotely are channeled through only known, controlled access points. For example, in most situations, you can safely disable "Messenger" services on the LAN; disable network PnP services; disable DCOM; etc. (See this site for free tools to control these services.) This closes several important "back doors" through which an intruder might try to enter.

By default, Remote Control (RC), when enabled, allows any member of that PC's Administrator's group to connect. Therefore, any PC used for RC must -- must -- have all admin-level accounts secured with very strong passwords; and the passwords should be changed regularly so that any password-related security breach will be self-closing when the passwords expire. (You can get more information on password aging and expiration by searching the XP help file on "password age." A search on the more general phrase "password policy" will bring up additional security-enhancing options for managing passwords on your XP PCs. The Microsoft Knowledgebase also contains additional good information on password aging, such as this .

Remote Control also can be set up to allow connection from specified non-admin users (right click My Computer/Properties/Remote then click "Select Remote Users..."). And that's actually the better way to use Remote Control: Connect with the lowest-privileged account that will let you accomplish your purpose. This way, even if someone makes an unauthorized connection to the non-admin account, they won't be able to do all that much. But, of course, even these lower-security Remote-Controllable accounts need strong passwords of their own to prevent people from easily breaking in in the first place.

File Sharing needs to be carefully managed. An admin-level user can decide how much free rein a non-admin user will have in seeing files on a system; it's possible to make each account's files more or less private, so that non-admin users can't simply traverse the folder structure at will, grabbing files from other accounts. For more info, see "How to configure file sharing in Windows XP."Controlling LAN Access
General LAN access likewise has to be managed, if the RC PC is on a network: Sensitive files on all the LAN's PCs should be locked down (either by setting up file-sharing access via Groups, or at least using password-level protection). It's probably OK to leave "Shared Folders" generally accessible; that's what they're there for: A remote user usually can drop off or pick up files in a Shared Folder without compromising the general security of a PC. But even the simple Shared Folder offers several security options, as is described in How to disable simplified sharing and set permissions on a shared folder in Windows XP. Use the highest security setting you can, short of making access too hard for normal use.And, of course, all admin accounts on all PCs and servers on any LAN also should have strong passwords. (Actually, it's simpler to say "all accounts on all systems must have strong passwords," but in the real world, that's probably not going to happen. So: at least the admin-level accounts must have strong passwords.)

The idea in all of the above, of course, is to make it hard for an intruder to discover the PC that can be controlled remotely; and then, if they do discover it, to make it hard for them to actually gain any access to that PC; and, if they do gain access, to make it hard for them to gain potentially harmful privilege levels on that PC; and to make it difficult for the intruder to access the LAN; and if they do get on the LAN, make it hard for them to gain access to other machines or files there.... Whew!

You get the idea: By having so many barriers in the way of an intruder, you can make illicit access highly unlikely in the first place; and then severely constrain potential exposure and damage, even in a worst-case scenario, where someone does hack into a RC PC.

It also helps enormously NOT to leave Remote Control enabled and available, until or unless it's going to be needed. For example, you might turn it on as you're leaving the office, and then turn it off from home when you're done for the night.

And note that in many of the above steps strong passwords are key: An intruder faced with a series of different, unique, difficult, and un-guessable passwords at every access level to a system or LAN faces a much harder task than otherwise. Absent some driving personal motivation, most casual hackers will simply give up and look for easier targets -- and that's what you want. Although in theory almost any system can be hacked, if you make yours much, much harder to get into than the guy next door's, most hackers will go after the easier target.For more information on safe passwords, see "How To Safely Store And Manage Passwords"; we'll also update the information in that article in an upcoming column.

Remote Control Services: Proceed With Caution
Once you start using them, you may wonder how you got along without XP's Remote Control services: I use it literally every day to help manage the PCs in my office.

But you do have to be aware of the security implications, and take proper steps to ensure that only authorized users can access the Remote Controllable PCs. With the information above, you should be able to do just that!

To discuss this column with other readers, please visit Fred Langa's forum on the Listening Post.To find out more about Fred Langa, please visit his page on the Listening Post.