Remote Access Security Best Practices
Remote access to the corporate network infrastructure is common today. One reason is the increase of remote work during the pandemic. But even users who are not fully remote often require remote access: employees who travel, third-party service providers, supply chain vendors, business partners, security auditors and more.
To maintain security, organizations need to ensure that these diverse stakeholders have seamless access to exactly the applications and data they need to do their work. That requires a robust access control strategy. To help, this article explains the key best practices to secure remote access.
1. Enforce least privilege for remote access
Begin by conducting a thorough risk assessment to identify and analyze potential risks and vulnerabilities of your current remote access practices. In particular, be sure to:
- Conduct a thorough review of all permissions, with the reviews carried out by individuals who know which users need access to which resources. In particular, look for individuals who have remote access privileges but do not actually need them to do their work. Eliminate all excessive and unused rights in accordance with the least-privilege principle.
- Identify and disable all stale or inactive user accounts.
- Maintain a minimal number of privileged accounts, as they are prime targets for threat actors.
- Ensure that NTFS permissions and permissions to shared resources like SharePoint, SharePoint Online, OneDrive for Business and Teams follow the least-privilege principle.
- Minimize the attack surface of servers and other critical systems by deactivating or removing unneeded network services or features.
- Use Active Directory and Azure AD groups to control access across your infrastructure. Regularly review your groups, their permissions and their membership to make sure no one has excessive permissions. Disable “everyone” and “anonymous” access in all instances.
2. Secure your organization’s authentication process
Using just passwords to authenticate users increases an organization’s risk of data breaches because passwords can too easily be compromised by adversaries using brute-force attacks, phishing and social engineering tactics. To more reliably confirm the identity of remote users, follow these best practices:
- Configure a strong password policy. Ensure that the requirements for length and complexity make passwords challenging for attackers to guess.
- Implement an account lockout policy to shut down attackers attempting to infiltrate your network through repeated password guesses. However, set the threshold number of failed attempts at a balanced level to avoid undue frustration and productivity loss for legitimate users who may occasionally mistype their passwords.
- Deploy a password manager to enable users to securely store and manage their credentials.
- Implement multifactor authentication (MFA). Two factor authentication is the simplest form of MFA; it requires users to verify their identity in two ways to gain access. Options for MFA include something you know (such as a password), something you have (like a code from a security token or mobile app notification), and something you are (biometrics like fingerprints or facial recognition). MFA should be implemented for all remote privileged access and all virtual private network (VPN) connections.
3. Harden your devices
Reducing the attack surface of devices used for remote access to company resources is crucial to avoiding security incidents. Best practices include the following:
- Ensure that all operating systems and applications are still receiving vendor support. Replace any software that has reached end-of-life (EOL) status.
- Keep all operating systems, firmware and software applications up to date and fully patched against known vulnerabilities.
- Install endpoint detection and response (EDR), antivirus, anti-malware and other endpoint protection software.
- Configure the local firewall for all devices according to best-practice standards.
- Use a mobile device management (MDM) solution to empower IT administrators to remotely configure devices and lock and wipe any device that is lost or stolen.
- Review your Group Policy to ensure that the correct security settings and policies are being applied to domain-joined machines.
- Shut down or uninstall unused network services and unnecessary applications.
4. Restrict the use of RDP
Avoid using Remote Desktop Protocol (RDP) because it is a prime target for attackers looking to gain access to corporate systems. If you must use RDP, remember these rules:
- Prohibit direct RDP access from external networks. Instead, mandate a VPN connection as the initial step, followed by connecting to the target internally via RDP.
- Restrict RDP to a list of approved IP address and user accounts.
- Enable Network Level Authentication (NLA), which helps secure remote desktop connections by requiring RDP clients to authenticate before establishing a session. NLA also helps protect against man-in-the-middle attacks.
5. Encrypt all company data
Enable local encryption on all devices to help ensure the confidentiality and security of data both at rest and during transmission during remote access. Options include BitLocker for Windows and FileVault for Mac OS.
6. Enforce Zero Trust for network access
Zero Trust is a security model based on the principle that no entity should be trusted by default; instead, every request to access resources needs to be assessed for potential risks and can require an additional verification step. Implementing Zero Trust improves remote access security by helping to ensure that intruders who manage to slip into the environment are blocked.
7. Perform continuous auditing
To promptly spot and respond to threats, organizations need to closely monitor activity across the environment. Follow auditing best practices in each of these areas:
- Configuration auditing — To ensure that the configuration of all critical resources matches your security baseline, you need to audit all configuration changes for errors and malicious activity.
- Access auditing — Monitor logons to both cloud and on-prem resources, as well as VPN logons. A spike in failed logon attempts and other unusual activity can be a sign of threats in progress.
- Activity auditing — Monitor user activity around sensitive information, including data in cloud solutions that support remote workers, such as SharePoint Online, OneDrive for Business and Teams. For example, changes to group membership and permissions could indicate privilege escalation. Also be on the lookout for suspicious spikes in activity around your network ports and VPN connections, especially port scans and failed login attempts, which could be a sign of password-spraying or other brute-force attacks.
8. Provide security training for all users
Investing in threat awareness training can significantly enhance your remote access security posture. Educate all users, whether they’re remote or in the office, on your cybersecurity policies and how they are grounded in best practices. Keep them updated on evolving threats, and teach them to recognize phishing and social engineering attempts and how to report them. Be sure to follow up with testing, such as simulated phishing attacks, and address any weaknesses you uncover.
Conclusion
Modern organizations need remote access for employees and third-party users alike. However, they need to keep their environment secure. By following the best practices detailed here, you can ensure strong security without sacrificing the flexibility and agility that remote access offers.