PC Remote Control: An Embedded Risk?
Nov 11th, 2008 | By Justin Brock | Category: Enterprise Remote Support

Legacy remote control tools are a dime a dozen. Microsoft Remote Desktop is embedded in XP. RDP, Symantec PCAnywhere, GoToMyPC, VNC or some other remote control utility is usually included in most systems management suites. Sometimes it seems that virtually every free remote control software tool available is pocketed under a “remote control” tab in the systems management suite like a handy Leatherman multi-tool, there for the tech support rep to pull out depending on the incident.
But these legacy remote access tools are severely lacking, and may expose your organization to unnecessary risks.
The source behind the deficiency of these remote access tools is commoditization. They’re free, or very near it. “Where’s the incentive to pour development resources into applications that don’t bring in any revenue?” That’s the real question Microsoft has to answer when it looks at XP’s Remote Desktop. “There isn’t any,” is the resounding answer. Systems management vendors embed remote control tools into their suites because it costs nothing to do so, and that’s the nail on the commodity coffin. Don’t expect any development on that front. Remote control has been effectively reduced to a checkbox.
Consequently, very little has been done to broaden the narrow design purpose [1] of Microsoft Remote Desktop and other remote access utilities. VNC and RDP were simply not designed for the Internet, where firewalls and other obstacles protect the network from incoming traffic. Even efforts to harden or wrap remote access software (such as VNC [2]) in a secure layer have proven wanting, at least when it comes to satisfying the requirements of enterprise deployments.
Extending remote access over the Internet with one of these legacy remote software tools requires security-compromising changes on the corporate network. Sometimes it can be done, but weigh heavily the consequences.
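Before weighing those consequences, an administrator needs to know which legacy remote control listeners a host already exposes beyond its loopback interface. The following is an added example written for this page (it is not code from the post or from any vendor named in it): it parses `ss -ltn`-style listener output and flags RDP and VNC default ports that are bound to a routable or wildcard address. The port-to-tool mapping and the sample output are constructed for the example; a real inventory would feed it the actual command output.

```python
"""Flag remote-control listeners reachable beyond loopback (added example)."""
import ipaddress

# Default ports of the tools the post discusses (constructed mapping; real
# deployments may relocate these ports, so treat it as a starting point).
REMOTE_CONTROL_PORTS = {3389: "RDP / Remote Desktop", 5900: "VNC"}

# Constructed sample in the layout of `ss -ltn` (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:5900      0.0.0.0:*
LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*
LISTEN 0      128    [::]:5900           [::]:*
LISTEN 0      128    10.0.0.5:22         0.0.0.0:*
"""


def parse_listeners(output):
    """Yield (address, port) for every LISTEN row in ss-style text."""
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # split on the last colon (IPv6 safe)
        addr = addr.strip("[]")
        if addr == "*":                            # older ss prints '*' for the wildcard
            addr = "0.0.0.0"
        yield addr, int(port)


def exposed_listeners(output):
    """Return remote-control listeners that are not confined to loopback."""
    findings = []
    for addr, port in parse_listeners(output):
        tool = REMOTE_CONTROL_PORTS.get(port)
        if tool is None:
            continue
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            continue                               # only reachable via a local tunnel
        scope = "all interfaces" if ip.is_unspecified else f"interface {addr}"
        findings.append({"tool": tool, "port": port, "address": addr, "scope": scope})
    return findings


if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f['tool']} on port {f['port']} is listening on {f['scope']}")
```

On the sample above the loopback-bound VNC instance is ignored, while the wildcard-bound RDP and IPv6 VNC listeners are reported; those are the ones a firewall change would expose to the Internet.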
Other risks, besides punctured firewalls, accompany the use of legacy remote access tools over the internet. Here are just a few off the top of my head:
- The Risk of Bad Architecture
  Most legacy remote access tools follow a client-based installation. For remote access to work, a software client must reside on each remote computer or server. Here, the word legacy is somewhat relative, for even the newer, Internet-aware breeds like GoToMyPC or LogMeIn are client-based. These clients “listen” for requests for control. And they don’t always listen just to you. In the case of VNC, for example, the listener’s ears are even open to hackers.
- Phantom Sessions in the Night
  Another liability of legacy remote access is reporting blindness. What do you know about the PCAnywhere session your newly hired technician performed on the server last night? Do you know when he accessed the system, what files were transferred, what sensitive data he saw, or even whether the technician was your employee or the guy who stole his laptop? Do you know how many remote access sessions have happened this month, or what clients and employees they involved? Because they can’t answer these simple questions, legacy remote control tools leave administrators blind to the riskiest activities of the support organization. Each session is a phantom session in the night.
- Fragmented vs. Centralized Management
  PCAnywhere, Remote Desktop, VNC and other legacy remote access tools are also difficult to manage. The point-to-point architecture makes each technician an island unto himself and requires configuration changes to be made on a case-by-case basis. The garage IT shop usually isn’t bothered by this, but when the number of technicians scales into the hundreds, keeping track of who has remote control privileges and who doesn’t becomes difficult to manage. When you add to this the relatively high turnover rate of support technicians, the security demands of particular customers and the growing list of regulatory requirements around sensitive data, difficult becomes impossible. Giving every support technician the same PCAnywhere login info is not the answer.
- All-or-Nothing Access Privileges
  Legacy remote control tools have limited options for tiered access privileges. Remote control is typically all or nothing. Coupled with the three risks listed above, this can be a huge liability. What if the system is a customer’s? What if the server has other critical applications on it, or sensitive corporate data? If your legacy remote control tool is compromised, a hacker could have unfettered access over an unmediated connection that you would be hard-pressed to report on or audit. The phantom session becomes a nightmare.
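The “Phantom Sessions” and “All-or-Nothing Access Privileges” risks above are both consequences of having no central point through which a session must pass. The following is an added example written for this page, not a product from the post or from any vendor it names: a minimal session broker that authorizes each request against a per-technician, per-target privilege tier, records every permitted and refused session, and can then answer the reporting questions the post asks (who accessed what, when, which files moved, how many sessions this month). The tier names, technician names, targets and timestamps are constructed sample data.

```python
"""A brokered remote-support model with tiered privileges and an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Privilege tiers from least to most (assumed names, not taken from the post).
TIERS = ["view", "control", "file_transfer"]


@dataclass
class Session:
    technician: str
    target: str
    tier: str
    started: datetime
    ended: Optional[datetime] = None
    files_transferred: List[str] = field(default_factory=list)


class SessionBroker:
    """Central chokepoint: every session is authorized here and recorded here."""

    def __init__(self, grants: Dict[Tuple[str, str], str]):
        self.grants = dict(grants)            # (technician, target) -> highest tier allowed
        self.audit: List[Session] = []        # every session that was permitted
        self.denied: List[Tuple[str, str, str, datetime]] = []  # every refused request

    def request(self, technician, target, tier, when):
        """Allow the session only if the requested tier is within the grant."""
        granted = self.grants.get((technician, target))
        if granted is None or TIERS.index(tier) > TIERS.index(granted):
            self.denied.append((technician, target, tier, when))
            return None
        session = Session(technician, target, tier, when)
        self.audit.append(session)
        return session

    def transfer(self, session, path):
        """File movement is only possible in the highest tier, and is always recorded."""
        if session.tier != "file_transfer":
            raise PermissionError(f"{session.technician} may not transfer files on {session.target}")
        session.files_transferred.append(path)

    def end(self, session, when):
        session.ended = when

    def revoke(self, technician):
        """Turnover: one call removes every grant, with no per-host reconfiguration."""
        for key in [k for k in self.grants if k[0] == technician]:
            del self.grants[key]

    # Answers to the reporting questions the post raises.
    def sessions_in_month(self, year, month):
        return [s for s in self.audit if (s.started.year, s.started.month) == (year, month)]

    def after_hours(self, start_hour=8, end_hour=18):
        return [s for s in self.audit if not start_hour <= s.started.hour < end_hour]

    def technicians_with_access(self, target):
        return sorted(t for (t, tgt) in self.grants if tgt == target)


def demo():
    """Constructed scenario: two technicians, two targets, one departure."""
    broker = SessionBroker({
        ("alice", "db-server"): "view",
        ("bob", "db-server"): "file_transfer",
        ("bob", "web-01"): "control",
    })
    late = datetime(2008, 11, 10, 23, 15)
    broker.request("alice", "db-server", "control", late)        # refused: view only
    s1 = broker.request("alice", "db-server", "view", late)     # allowed, after hours
    broker.end(s1, datetime(2008, 11, 10, 23, 40))
    s2 = broker.request("bob", "db-server", "file_transfer", datetime(2008, 11, 11, 10, 0))
    broker.transfer(s2, "/var/backup/customers.csv")           # recorded against s2
    broker.end(s2, datetime(2008, 11, 11, 10, 20))
    broker.request("bob", "web-01", "file_transfer", datetime(2008, 11, 11, 11, 0))  # refused
    s3 = broker.request("bob", "web-01", "control", datetime(2008, 10, 30, 14, 0))
    broker.end(s3, datetime(2008, 10, 30, 14, 30))
    broker.revoke("bob")                                        # bob leaves the company
    broker.request("bob", "db-server", "view", datetime(2008, 11, 12, 9, 0))  # refused
    return broker


if __name__ == "__main__":
    b = demo()
    print(f"{len(b.audit)} sessions recorded, {len(b.denied)} requests refused")
    for s in b.after_hours():
        print(f"after-hours: {s.technician} on {s.target} at {s.started:%Y-%m-%d %H:%M}")
```

The point of the structure is that the questions in the post become one-line queries over `audit` and `grants`, and that an over-privileged request is refused and logged rather than silently succeeding, which is exactly what a point-to-point, all-or-nothing tool cannot offer.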
So what should you do with the legacy remote control software in your environment, even the kind embedded in systems management/configuration suites? There’s a strong argument that these applications are an embedded risk. If you decide not to outlaw them, their use should be severely scrutinized and limited. Better remote control options are available. Yes you’ll have to pay for them, but I’d rather do that than fund a data breach.
Notes on this post:
[1] Remote desktop control within a LAN environment was the original purpose. PCAnywhere, VNC, RDP and others were conceived, or at least developed, without the internet in mind.
[2] In 2005, for example, TridiaVNC made the following declaration: “After nearly four years of development, Tridia has come to the conclusion that VNC, including its many commercial versions, is unsuitable for deployment in a business environment.” http://www.tridiavnc.com/