There are many ways to gain remote access to a system. In this video, you’ll learn about Remote Desktop Protocol, Virtual Network Computing, secure shell, remote monitoring and management, and much more.
In information technology, a feature that you will often use is the ability to see and control a desktop across the network. We refer to this as remote desktop connections, and there are different types of connections depending on what operating system you’re connecting to. For example, if you’re connecting to a Windows device, then you’re probably using Microsoft’s Remote Desktop Protocol, or RDP. And although RDP is primarily a Windows technology, there are clients available for many different operating systems.
So you could be running macOS, Linux, or another operating system and connect via RDP to a Windows device. What those other operating systems don’t include is an RDP server, so if you want to share a macOS or Linux desktop you’ll usually turn to a different technology. One of these is VNC, or Virtual Network Computing. VNC uses RFB, the Remote Frame Buffer protocol, to send the remote desktop’s screen to you and your keyboard and mouse input back to it.
There are clients available for VNC on many different operating systems, including Windows, and you can commonly find them as open source projects. If you work in a support role then you’ll be using these remote desktop technologies quite a bit. This technology is so good that even the scammers are using it as a way to provide access to your computer.
In fact, there have been many cases where an RDP service left exposed to the internet, protected by nothing more than a weak or reused password, has let people into systems they should never have had access to. One way to tell if a system is listening for an RDP connection is to see if TCP port 3389, the default RDP port, is open on that device. If an attacker finds that port open, they’ll try connecting to that device and keep trying different passwords until they find one that works. Moving RDP to another port only hides it from the laziest scans; the real fix is strong, unique credentials and not exposing the port directly to the internet.
This same security concern applies to VNC and all of the third party remote desktop systems. These are often secured with only a username and password, and it’s very common for people to reuse those credentials from system to system. Classic VNC authentication makes this worse by truncating the password to eight characters, so a long password doesn’t buy you what you’d expect. And once somebody gains access to a system using remote desktop, they effectively have full control of that system. They can use the desktop, pivot to other systems on the network, or use the current machine to collect personal information or make online purchases as that user.
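The password guessing described above leaves a clear trail on the target. As an added example that is not part of the original page, here is detection logic over Windows Security events: it assumes the events are already parsed into dicts, that event ID 4625 is a failed logon and 4624 a successful one, and that LogonType 10 (RemoteInteractive) marks an RDP session. The events are constructed for this example, not real log data.

```python
"""Flag RDP password guessing in Windows Security events (added example).

Assumptions: events are dicts with the fields used here; 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (RDP). The sample
events are constructed for this example, not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10  # LogonType 10: RDP (RemoteInteractive)

# Constructed sample: 203.0.113.7 guesses six passwords in six seconds and then
# gets in as "administrator"; 198.51.100.5 is a user who mistyped once.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:00:01", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2024-03-01T02:00:02", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"},
    {"time": "2024-03-01T02:00:03", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "user"},
    {"time": "2024-03-01T02:00:04", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2024-03-01T02:00:05", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "backup"},
    {"time": "2024-03-01T02:00:06", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2024-03-01T02:00:10", "id": 4624, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"},
    # A network logon failure (LogonType 3) is not an RDP attempt and is skipped.
    {"time": "2024-03-01T02:00:11", "id": 4625, "logon_type": 3, "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2024-03-01T02:05:00", "id": 4625, "logon_type": 10, "ip": "198.51.100.5", "user": "karen"},
    {"time": "2024-03-01T02:05:20", "id": 4624, "logon_type": 10, "ip": "198.51.100.5", "user": "karen"},
]


def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP with at least `threshold` failed RDP
    logons inside a sliding `window`. A later successful RDP logon from the
    same source is recorded as `compromised_user`: that is the signal to treat
    as a breach rather than just noise."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    tried = defaultdict(set)    # ip -> account names it has guessed
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != REMOTE_INTERACTIVE:
            continue
        now = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        # Drop failures that have aged out of the window.
        recent[ip] = [t for t in recent[ip] if now - t <= window]
        if ev["id"] == FAILED_LOGON:
            recent[ip].append(now)
            tried[ip].add(ev["user"])
            if len(recent[ip]) >= threshold:
                finding = findings.setdefault(
                    ip, {"ip": ip, "failures": 0, "users": tried[ip], "compromised_user": None}
                )
                finding["failures"] = max(finding["failures"], len(recent[ip]))
        elif ev["id"] == SUCCESSFUL_LOGON and ip in findings and len(recent[ip]) >= threshold:
            findings[ip]["compromised_user"] = ev["user"]
    return list(findings.values())


if __name__ == "__main__":
    for f in find_rdp_guessing(SAMPLE_EVENTS):
        status = f"logged in as {f['compromised_user']}" if f["compromised_user"] else "no success yet"
        print(f"{f['ip']}: {f['failures']} failed RDP logons, tried {sorted(f['users'])}, {status}")
```

The same shape of rule works for VNC or any third party remote desktop tool once you map its log format onto the failed/succeeded pair; the part worth keeping is the "many failures, then a success, from one source" pattern, which separates a real compromise from background scanning.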
Another type of remote access comes in the form of a VPN, or Virtual Private Network. With so many people working at home, we’ve become very accustomed to using VPN technology on today’s networks. Everyone using this VPN is commonly connecting to a central concentrator. This is a single device that handles the encryption and decryption of these VPN tunnels. This is sometimes a standalone device, but you can often find it integrating into other devices such as a firewall.
You can also build your own VPN concentrator on a Linux system, optionally adding cryptographic accelerator hardware to speed up the encryption, and there are software-only implementations that are fine for smaller deployments. To use this VPN, we install client software on everyone’s machine, and many operating systems include a VPN client that’s built into the OS. This VPN client can be configured for on-demand access: when we need to use the VPN, we turn on the VPN software, and when we want to disconnect, we click a button to disconnect.
Other VPN software can be implemented as always-on. So the moment you turn on your machine and log in, you’re connected over that VPN link. Here’s a pretty common VPN implementation. We have our corporate network, where we have our servers, printers, and other resources. There’s a VPN concentrator that sits right in front of the corporate network. We have our internet connection, and here’s our device, a laptop at a local coffee shop.
This corporate network is behind the firewall. You can’t connect to that network from the coffee shop directly. So we load our VPN software and turn it on to create an encrypted link between our laptop and the VPN concentrator. The concentrator receives that encrypted data, decrypts the information we’re sending, and passes it in the clear, unencrypted, into the corporate network.
This process reverses itself on the way back: information is sent from the corporate network to the VPN concentrator, which encrypts all of that data and sends it across the encrypted tunnel, and back on our laptop we decrypt it to see what was sent to us. These VPNs use strong, modern encryption. An attacker who captures the tunnel traffic can’t practically decrypt it, so the encrypted data itself isn’t a useful target.
This means attackers commonly don’t go after the data. They go after the endpoints, the client device and its credentials, so they can log in to the VPN as a legitimate user. So protecting the VPN login with a strong, unique password becomes important, and in many cases we add another factor through multifactor authentication, or MFA. This means we might have a username, a password, and then a code from our phone as an additional authentication factor.
If you’re a server administrator, you’re probably administering those servers across the network using the encrypted protocol SSH. SSH stands for Secure Shell, and it’s a way to securely communicate at the command line of these remote devices. This is very similar to the text based communication you would see with Telnet. The difference with Secure Shell of course, is that all of this information being sent across the network is being sent in encrypted form.
This means that if someone captures the data being sent across the network, they can’t read anything inside those packets. As with a VPN, attackers know that capturing the traffic doesn’t help them much. Instead, they attack the server directly, usually by guessing passwords, or go through an existing client that already has access. To strengthen authentication on an SSH session, we can generate a public and private key pair and install the public key on the server. Once password authentication is turned off, the only way to log in via SSH is to hold one of those pre-defined private keys.
Your SSH service should also be configured to allow logins only from certain accounts. For example, you wouldn’t want someone to be able to SSH into a device as root. And you can add further criteria outside of SSH itself. For example, you could configure your firewall to block any SSH session unless it comes from a trusted IP address.
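The key-only, no-root, named-accounts configuration described in the last two paragraphs is easy to state and easy to get wrong, because sshd uses the first value set for a keyword and silently ignores later duplicates. Here is an audit of an sshd_config against those points, as an added example that is not from the original page or from OpenSSH. It assumes OpenSSH’s defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes) when a keyword is absent, and it deliberately stops reading at the first Match block, on the assumption that conditional overrides inside Match blocks are reviewed separately. Both configs are constructed for the example.

```python
"""Audit an sshd_config for key-only, no-root, allow-listed SSH (added example).

Assumptions: OpenSSH's first-value-wins rule; OpenSSH defaults for absent
keywords; Match blocks are not evaluated. Both configs are constructed.
"""
import re

# Roughly a stock install: root may log in and passwords are accepted.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Keys only, no root, and an explicit allow-list of accounts. The duplicate
# PasswordAuthentication at the end is ignored by sshd (first value wins).
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication yes
"""

# OpenSSH defaults used when the keyword is not set at all.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# keyword -> values this audit accepts
REQUIRED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}


def parse_sshd_config(text):
    """Return {keyword (lowercased): first value}, skipping blank and comment
    lines and everything from the first Match block onward."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional overrides are out of scope for this audit
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    settings = parse_sshd_config(text)
    findings = []
    for key, accepted in REQUIRED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual.lower() not in accepted:
            findings.append(f"{key} is '{actual}', expected {sorted(accepted)}")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers or AllowGroups: every local account may log in over SSH")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

The source-IP restriction belongs to the firewall rather than to sshd_config, so this audit does not check it; after changing the file, run `sshd -t` to have sshd validate the syntax before you restart the service and lock yourself out.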
Many organizations will contract with a managed service provider, or MSP, for constant monitoring of their network. And technically, the managed service provider can be anywhere in the world and use the internet to be able to communicate inbound to that customer’s network. This is commonly referred to as remote monitoring and management, or RMM.
This allows the MSP to be able to patch remote operating systems, log in to the devices on that customer’s network, monitor for any type of anomalies with the operating systems or applications, and provide an inventory of the hardware and software on those systems. Here’s the console of an RMM. You can see that we’re monitoring a number of different systems on this client’s network. We have a file server, we have Karen’s laptop, there’s some domain controllers, and other devices.
Inside the RMM, we can monitor the status of these devices. Under the Checks menu, you can see that we’re monitoring disk space and pinging a particular device, which, by the way, is not performing well. We’ve got CPU load checks, memory checks, and other checks that we’re performing against that device. As you can imagine, attackers would love to have access to this RMM, because it gives them a way into every one of these customer networks at once.
This means if you’re running an RMM or you’re contracting a third party to run an RMM, you need to have the proper security controls in place. You need to be sure that you have a way to authenticate everyone who’s connecting to that RMM service and you should perform ongoing audits to make sure you know exactly who’s connecting to your network, which devices they’re connecting to, and what they’re doing on those devices once they make that connection.
Microsoft provides another remote access method through Microsoft Remote Assistance, or MSRA. This is similar to running a remote desktop service on your computer, but instead of a service that’s always installed and always waiting for someone to connect, MSRA provides access on demand, for a single session that the user has to start.
The person who needs assistance would start Microsoft Remote Assistance, and they will choose the option to invite someone you trust to help you. If you click on that option, you can choose Save this invitation as a file, use email to send the invitation, or use easy connect if that’s available on your system. In this case, the user might save this invitation as a file and then send that invitation to the helper using another method.
The technician receives that invitation, starts Windows Remote Assistance on their side, and uses the option to help someone using an invitation file, which allows them to connect. Depending on the Windows version you’re using, you might have Microsoft Remote Assistance or its newer, simplified replacement, which also has a new name. This is called Quick Assist, and it’s installed by default in Windows 10 and Windows 11.
Quick Assist streamlines those screens from Microsoft Remote Assistance, but it provides effectively the same service for the end user. One great benefit of MSRA or Quick Assist is that there’s no service constantly listening in the background, so there’s no always-open door for somebody to use to gain access to your system without authorization. Quick Assist also connects out through Microsoft’s relay service over the same outbound HTTPS connections a browser uses, so you don’t have to configure port forwarding or inbound firewall rules for it. A classic MSRA invitation still needs the helper to reach the user’s PC, which across the internet usually means a firewall exception or port forward.
If we’re thinking about this from a security perspective, we probably would not send these invitations over email. Instead, we’d exchange the details over the phone: with Quick Assist, the helper reads out a six-digit security code and the user types it in on their side, so the code never travels in a message that could be intercepted or spoofed. I personally have family members with lots of Windows machines and we use Quick Assist all the time to be able to provide remote access from wherever I happen to be in the world.
But this ease of use does have a downside. If somebody isn’t familiar with MSRA or Quick Assist, they might be talked into starting the process and giving an attacker a remote connection to their machine; a six-digit code read out by a friendly voice on the phone is exactly what the scammers ask for. If you didn’t want to use MSRA or Quick Assist, you could use a number of third party tools to provide this remote access. Applications like GoToMyPC or TeamViewer provide the same remote control functionality, but from a third party application, and they carry the same risk if a user can be talked into granting access.
You might also use third party tools for video conferencing. You can use applications like Zoom and Webex to be able to have many people participate in an online conference. And many organizations are making it easier to share files among other people in the organization by using cloud based file transfer tools like Dropbox, Box.com, and Google Drive.
And if you’re in charge of managing the desktops on these systems, you’re probably using third party software to be able to manage those end user devices and operating systems like Citrix Endpoint Management and ManageEngine Desktop Central.