3.4.20

Work from home: securing RDP and remote access



As work from home is the new norm in the coronavirus era, you’re probably thinking of enabling remote desktop connections for your off-site staff. Here’s how to do it securely.

By Aryeh Goretsky & Cameron Camp

Accessing your servers’ or workstations’ desktops remotely is a great way to manage them. It’s also a huge target for hackers.

For example, if hackers can gain access to the administrator login to your Domain Controller, they effectively own your Windows infrastructure and can quickly wreak havoc on your organization. From sending corporate emails to accounting departments and books, to siphoning off your company’s intellectual property, to encrypting all your company’s files and holding them for ransom, hacks on Remote Desktop Protocol (RDP) can be very bad.

In this context, although we will mainly say “RDP”, we mean all kinds of remote desktop and remote access software, including VNC, PC Anywhere, TeamViewer and so forth, not just Microsoft’s RDP. The good news is there are many defenses against RDP attacks, starting with turning it off. If you don’t really need remote access, the ‘off’ switch is the simplest.
If you do need to allow such access, there are a variety of ways to restrict it to the good guys:

First off, allow access only from internal IP addresses coming from your company’s VPN server. This has the added benefit of not exposing RDP connection ports to the public internet.

Speaking of exposing ports, if that’s your only choice, you may want to serve up RDP on a non-standard port number to keep simplistic worms from attacking your network through its RDP ports. Keep in mind, though, that most network scanners check all ports for RDP activity, so this should be viewed as “security through obscurity”, since it provides practically no additional security against modestly sophisticated attackers. You will have to be extremely vigilant about reviewing network access and login activities in your RDP server logs, as it may be more a matter of when and not if an attacker accesses your network.

Second, make sure to enable Multi-Factor Authentication (MFA) for remote users as another authentication layer, which we discussed in Work from home: Improve your security with MFA.

Third, whenever possible, only allow incoming RDP connections from your users’ public IP addresses. The easiest way for remote employees to look up their public IP address is to search Google for What is my IP address and the first result will be their IP address. Then your remote workers can provide that information to your IT/Security staff so that your company or organization can build a whitelist of allowed IP addresses. It is also possible to build a whitelist of allowable IPs by allowing their subnet, since dynamic home IP addresses would normally still fall within a subnet after a router reboot or other network maintenance on the client end.
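Two of the recommendations above, restricting RDP to an allowlist of employee subnets and reviewing logon activity in the RDP server logs, can be combined into a routine review script. The following Python is an added example written for this page, not code from the article or from ESET. It assumes a simplified CSV export of Windows Security events (4624 successful logon, 4625 failed logon, logon type 10 for RDP sessions); the export format, field names and all IP addresses are constructed for the example, and the allowlist stands in for the subnets your remote workers reported plus the VPN client pool.

```python
"""Review exported RDP logon events against an IP allowlist.

Added example (not from the article). Event IDs 4624/4625 and logon
type 10 are the Windows Security log values for logon, failed logon and
RemoteInteractive (RDP); the CSV export format itself is constructed.
"""
import ipaddress
from collections import Counter

# Allowlist built from employee-reported public IPs widened to their ISP
# subnets, plus the VPN client pool (constructed values, not real ones).
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("203.0.113.0/24", "198.51.100.0/25", "10.8.0.0/16")
]

# Constructed export: timestamp,event_id,logon_type,account,source_ip
SAMPLE_EXPORT = """\
2020-04-03T08:01:12,4624,10,alice,203.0.113.17
2020-04-03T08:03:40,4624,10,bob,10.8.4.22
2020-04-03T08:10:05,4625,10,administrator,192.0.2.77
2020-04-03T08:10:06,4625,10,administrator,192.0.2.77
2020-04-03T08:10:07,4625,10,admin,192.0.2.77
2020-04-03T08:10:08,4625,10,root,192.0.2.77
2020-04-03T08:10:09,4625,10,guest,192.0.2.77
2020-04-03T08:10:11,4625,10,administrator,192.0.2.77
2020-04-03T08:11:00,4624,10,administrator,192.0.2.77
2020-04-03T08:15:30,4625,10,carol,198.51.100.44
2020-04-03T09:00:00,4624,2,dave,-
"""


def is_allowed(ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """True if ip falls inside an allowlisted network; non-IP values are not allowed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def parse_export(text: str) -> list:
    """Parse the constructed CSV export into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, account, source_ip = parts
        events.append({
            "time": ts,
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "source_ip": source_ip,
        })
    return events


def review_rdp_logons(events, networks=ALLOWED_NETWORKS, fail_threshold=5) -> dict:
    """Flag RDP (logon type 10) activity that the allowlist should have blocked.

    unlisted_failures: failed-logon count per source IP outside the allowlist
    brute_force:       sources whose failure count reached fail_threshold
    unlisted_success:  (time, account, ip) for successful RDP logons from outside it
    """
    failures = Counter()
    unlisted_success = []
    for ev in events:
        if ev["logon_type"] != 10:
            continue  # local/console logons are out of scope for an RDP review
        ip = ev["source_ip"]
        if is_allowed(ip, networks):
            continue
        if ev["event_id"] == 4625:
            failures[ip] += 1
        elif ev["event_id"] == 4624:
            unlisted_success.append((ev["time"], ev["account"], ip))
    brute_force = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {
        "unlisted_failures": dict(failures),
        "brute_force": brute_force,
        "unlisted_success": unlisted_success,
    }


if __name__ == "__main__":
    result = review_rdp_logons(parse_export(SAMPLE_EXPORT))
    for ip in result["brute_force"]:
        print(f"password guessing from {ip}: {result['unlisted_failures'][ip]} failures")
    for time, account, ip in result["unlisted_success"]:
        print(f"SUCCESSFUL RDP logon from unlisted {ip} as {account} at {time}")
```

A successful logon from an address outside the allowlist is the most important line this produces: it means either the firewall rule did not match the allowlist or the allowlist itself has drifted, and either way it is the incident-response trigger the article warns about. Failed logons from an allowlisted subnet (carol above) are not flagged, which is the expected noise of a user mistyping a password from home.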

Even if you secure your RDP access, there has recently been a flurry of exploits against it, so make sure it’s patched to the current secure level to avoid issues. More information on securing RDP can be found in It’s time to disconnect RDP from the internet.

ESET has been here for you for over 30 years. We want to assure you that we will be here in order to protect your online activities during these uncertain times, too.
Protect yourself from threats to your security online with an extended trial of our award-winning software.
Try our extended 90-day trial for free.

1.4.20

Have you backed up your smartphone lately?




With World Backup Day upon us, we walk you through the ways to back up your iPhone or Android phone so that your personal information remains safe.

by Amer Owaida

In your pocket, you carry a supercomputer that outperforms all the tech that landed Aldrin and Armstrong on the moon. Although you may have heard this claim before, it probably never really resonated with you. Now, if we rephrase that to “you carry a device in your pocket that stores almost every aspect of your life, from memories in the form of photographs to personal notes, reminders, passwords and all kinds of sensitive data”, suddenly it feels a bit more personal.

What if your phone gets locked up by a ransomware attack, stolen, bricked or even destroyed? Would you lose everything on it, or do you back it up regularly?
If you don’t back up your phone regularly, then you should start right now. And since we are celebrating World Backup Day today, we’re going to walk you through the ways to do it on both iOS and Android-powered devices.

Backing up your iOS device
When backing up your iPhone, or any other device running iOS, you have two main options to choose from. The first option is storing a backup of your device on your computer or on removable storage connected to it. If you are running macOS Mojave or an earlier version or Windows, the process is the same and uses iTunes. First of all, you’ll have to install Apple’s iTunes software onto your computer, since you will not be able to manage your device without it (Macs have it installed by default). If you’re running macOS Catalina, then instead of iTunes you’ll find the option in the Finder.

To start the process, connect your device to your computer using the Lightning cable you usually use to charge your device.

You will get a prompt to unlock your device, using your preferred method (FaceID, TouchID, code). You may also be prompted to choose to Trust This Computer so your device can sync with it without a problem.

You then click on your device in iTunes or in Finder depending on your operating system and proceed with the whole process. For an extra layer of security, you can choose to encrypt the backup that will be locally stored on your computer. Now just click on the Back Up Now button and you’re set to go. While you’re at it you can also choose to back up your most important data to your iCloud.

This leads us to the other available option, and that is backing up your iPhone to your iCloud straight from your device. Go to the settings on your device and tap on your name and then tap on the iCloud button. Now toggle the iCloud Backup button to turn it on and then press the Back Up Now option.




31.3.20

Work from home: videoconferencing with security in mind



With COVID-19 concerns cancelling face-to-face meetings, be aware of the security risks of videoconferencing and how to easily overcome them.
By Tony Anscombe

At the time of writing one-third of the world’s population is enduring restricted movement to stem the spread of COVID-19. The lockdown has driven huge swaths of the working population to become remote workers, many for the first time. The sudden surge in employees, students, teachers, and many other professionals working from home is driving a huge increase in demand for videoconferencing, online collaboration tools and chat systems.

On March 11th, Kentik (a network operator based in San Francisco) reported a 200% increase in video traffic during working hours in North America and Asia, and this was before the official lockdown in California or other locations took effect.
Last week UK Prime Minister Boris Johnson shared a picture of himself chairing a cabinet meeting via the Zoom app, demonstrating social distancing even in the highest levels of Government.

The decision was a wise one as he has since tested positive for the coronavirus. However, a meeting at this level over a public conferencing system raised questions about security and the UK’s National Cyber Security Centre confirmed there was no security reason why conversations below a certain classification could not take place this way.

If a UK Government meeting is authorized to be held online using a freely available videoconferencing tool, then companies forced to quickly adapt to employees working from home can probably do so with some confidence. However, that does not alleviate the need to understand the built-in security and the need to control how videoconferencing is conducted by using the features available.
Below we outline some key considerations.

Work environment
Check your environment to ensure that the video stream you are sharing does not contain sensitive information. A whiteboard behind you may have the remnants of a previous meeting, so make sure all confidential or sensitive material is removed from the camera’s view. And while we’ve probably all laughed at cute viral videos of pets or toddlers entering a streaming video interview or meeting, consider the effects such interruptions could have on your meetings and ensure suitable mitigations are in place before starting your meeting.

Control access
Most videoconferencing platforms allow for the creation of groups of users or the ability to restrict access by internet domain so only users with an email address from your company would be able to join the call. Alternatively, only allow attendees that are invited by adding their email addresses to the invite when scheduling the call.
Set a meeting password, typically an option when creating the meeting, which adds a randomly generated password that invitees will need to input. A numerical password can be used to authenticate users who connect by phone. Do not embed the password in the meeting link.

Holding participants in a “waiting room” and approving the connection of each one gives the host ultimate control over who is in the meeting. To handle this for larger meetings you may be able to promote other trusted attendees to an organizer or moderator role.

Communication and file transfers
Enforce encrypted traffic. Do not take it for granted that systems have this option enabled by default for video communications. Some services encrypt chat by default but not video unless specifically requested.
If third-party endpoint client software is permitted, then ensure it complies with the requirements for end-to-end encryption.
If file transfers are needed, then consider limiting the types of files that can be sent; for example, don’t allow executable files (such as .exe files).

Manage engagement and attendees
It’s easy to get distracted on conference calls: email and other notification pop-ups draw your attention to their content rather than to the call in hand. The host, depending on the platform, may have the ability to request notification when the conferencing client is not the primary (active) window. If you’re a teacher, this feature may be extremely useful if you want to ensure the attention of all your students.

Monitor who joined the call, either by enforcing a registration process to connect or by downloading an attendee list after the call. This is also likely to include the connect and disconnect time, showing whether the user was engaged for the whole call.

Screen sharing
Limit the ability for screen sharing to the host, or to a person the host selects. This removes the possibility of someone sharing content by mistake.
When screen sharing, only share the application needed, as opposed to the whole desktop. Even an icon or name of a file on a desktop can give away sensitive company information.
Apple’s iOS takes screen snapshots used when task switching between apps. To protect against this inadvertently including the capture of sensitive information, check to see if the conference system can blur this image.

Forewarned is forearmed
Take the time to step through all the options in the settings of the videoconferencing system you may already have or are thinking of using. As you can see from the snapshot of considerations above, there are many settings and finding the right configuration for your environment is an important task to undertake to ensure company communications remain secure.

Lastly, check the privacy policy of the service you are using. The adage that ‘if it’s free, you’re probably the product’ should be enough motivation for you to check whether the company is collecting, selling or sharing your data to fund the provision of its ‘free’ service.
If you want to learn more about the increased cybersecurity risks associated with teleworking, as well as about ways to counter them, you may want to read these articles:
