Remote user security checklist

At some point in time, odds are you've had remote users connecting to your network. Telecommuting has several proven productivity and environmental benefits, but it doesn't come without its drawbacks -- mostly in the form of information security risks. What happens if your remote users' computers have viruses or they transmit sensitive e-mails and instant messages over an unsecured wireless link? How about when systems that aren't properly protected can connect directly to your network -- thus offering a direct inbound link to anyone wanting to get inside and poke around maliciously.

Arguably, lots of bad things can happen. Unauthorized information access can take place, information leakage can occur, and there's always a possibility that malware can seep in through your otherwise hardened network border.

Before you create any new policies or lock down your remote systems, it's very beneficial to determine which remote access vulnerabilities currently exist in your environment. Doing that not only finds missing patches, but it also digs in deeper to find misconfigurations, unnecessary shares, null session connections and other exploitable vulnerabilities you would not otherwise be able to dig up easily. I suggest you use a vulnerability assessment tool such as Tenable Network Security's NeWT, GFI Software Ltd.'s LANguard Network Security Scanner (my favorite low-cost scanner), Qualys Inc.'s QualysGuard (my favorite scanner overall).

Use one (or more) of these tools on your internally supported images for laptops and desktops and, if it makes sense, test remote systems owned by your users as well. If the latter is not an option for political or resource limitation reasons, you could easily document instructions for your remote users to do it themselves. Consider having them install and run the ...

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows desktop security tips 20 days to a more secure enterprise Improvements to offline file synchronization in Windows 7 How to get -- and keep -- user support with security Structuring patch management in seven steps Underlying causes of inconsistent patch management Monitoring user activity with network analyzers Microsoft's Patch Tuesday brings a bumper crop of security fixes Using third-party technologies with Microsoft's NAP Understanding Microsoft's NAP's internal and external components Microsoft's NAP can ensure security compliance Windows mobile device management Improvements to offline file synchronization in Windows 7 Google Chrome likely a niche player in Windows enterprise Mobile Device Manager joins Windows domains to mobile devices Citrix aims to dazzle with self-service portal, iPhone client Windows desktop endpoint security challenges podcast series Citrix to offer Intel-friendly client hypervisor Windows Mobile security tips for the on-the-go pro Security tools that can boost Windows mobile security Windows mobile security: Get it locked down Endpoint security quiz User passwords and network permissions 20 days to a more secure enterprise Eight is too many characters for strong passwords Nine common password oversights to avoid Secure your Windows systems with proper password practices Managing multiple passwords in Windows Windows desktop endpoint security challenges podcast series How to strike a balance between Windows security and business needs Managing single sign-on security burdens in Windows Build secure computer password policies Reduce resistance to creating strong computer passwords

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Windows Remote Desktop  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Microsoft Baseline Security Analyzer (MBSA) on their systems and sharing the reports with you. You could even automate this via login scripts and/or Group Policy in Windows. Remember, there are reasons your organization's assets must be protected.

Once you've determined where your weaknesses exist and have addressed the issues, use the following checklist of common and not-so-common security safeguards to be sure you've got your remote systems locked down:

1. Ensure that personal firewall software is installed (Windows Firewall in XP SP2+, BlackICE and so on) and at least provides inbound protection -- outbound application protection is nice, especially if you can configure it so your users aren't hindered by the constant outbound connection requests.
2. Require malware protection (antivirus and antispyware) on every system and ensure that updates are being applied in real-time if possible to prevent unnecessary infections.
3. Enable strong file and share permissions on remote hard drives and other storage devices -- especially on Windows 2000 and NT systems that allow everyone full access by default.
4. Have a written policy and documented procedures in place for managing patches. For example, enable real-time Automatic Updates or roll out patches using an existing patch management system.
5. Disable null session connections as outlined here to prevent the unauthorized gleaning of user names, security policy information and more from remote systems.
6. Implement a VPN (the free Windows-based PPTP is a decent option) or make sure you're running a secure alternative connection such as Windows Remote Desktop or Citrix.
7. Remember to include remote users, computers and applications in your security incident response plan and disaster recovery plans. Those are common oversights that can rattle your nerves if they catch you off guard.
8. Your users will likely download and install IM, P2P and other applications that you can't support or otherwise make you nervous, so be prepared to prevent it in the first place via accounts with minimal privileges (think Windows Vista new feature) and periodic scans of systems looking for such software. Or, standardize on a small number of applications you can manage comfortably. They're going to do it anyway, so the latter option might be the easiest.

For systems configured to use 802.11-based wireless (or ones that may be used as such in the future), don't forget the following safeguards:

1. Enable WEP at a minimum since it's a lot better than nothing, but ideally have users enable WPA2-PSK with strong (20+ random characters) pass-phrases.
2. Require your users to use directional antennae instead of the omni-directional ones that come stock on practically all APs.
3. Enable MAC address controls, which help keep non-techies from snooping or accessing your network (techies know how to spoof their MAC addresses to get around this).
4. If possible, require a specific vendor/model of AP and wireless NIC to ensure they're hardened consistently according to your standards and so you can stay abreast of any major security alerts and necessary firmware or software updates.
5. Remember that users may connect to your network via public hotspots, so make sure you and they understand the security implications and have the proper safeguards in place.
6. Enable secure messaging if a VPN or other hotspot protection is not available via POP3s, SMTPs, Webmail via HTTPS and other built-in controls.
7. Disable Bluetooth if it's not needed. Otherwise, it's too risky by default so lock it down.

These relatively simple and mostly free remote access safeguards, combined with a reasonable information security awareness program, will go a long way toward securing your offsite computers and protecting those things you cannot afford to lose.

About the author: Kevin Beaver is an independent information security consultant, author and speaker with Atlanta-based Principle Logic LLC. He has more than 17 years of experience in IT and specializes in performing information security assessments. Beaver has written five books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver @ principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.