Speakers
Dave Shackleford, Voodoo Security and SANS
Kent Madsen, CTO at Netop
About SANS.org
SANS is a non-profit, cooperative research and education organization providing training and thought leadership to security professionals. Since 1989 SANS has established itself as the world leader in information security training and offers over 400 training courses and 1,800 original research papers free of charge to security practitioners all over the world.
Remote Administration Tools
* Most organizations use some type of remote admin tool
  * Some are built-in
    * Microsoft RDP
    * SSH or Telnet
  * Others are freely available
    * VNC
* Most have shortcomings
  * Scale
  * Security features / management
Cross-Platform Coverage?
* Most organizations are using a variety of different OS platforms
  * MS Windows
  * Unix / Linux
  * Mac OS X
* Many tools don't cover all of these easily or capably
* Embedded systems like POS terminals or ATMs are not usually covered, either
Remote Admin Risks
* Remote admin tools often provide administrator or superuser access
* Too much access may be granted to diverse groups:
  * Employees
  * Contractors
  * Vendors
* Many remote admin tools are lacking in security features
* Compliance can be difficult to meet or maintain
Use Case Examples
* Vendors can access networks remotely for troubleshooting or support
* More remote/branch offices that need support from a central IT team
* Kiosks, POS terminals, ATMs, and other banking equipment may have embedded operating systems needing support
* Teleworkers
* IT staff remotely connecting inbound via handheld devices
What's the big problem?
* Many of the systems being accessed store, process, or transmit sensitive data
* This means they are in scope for PCI DSS and other compliance mandates
* Even more importantly, these systems need strict security controls to protect the data!
* Remote admin security should have layers for defense-in-depth
Control Areas for PCI DSS
* Remote admin tools should have a number of security controls available covering the following areas:
  * Encryption
  * Roles and Access Privileges
  * Strong Authentication
  * Patching
  * Logging and Auditing
* Let's explore each of these
Encryption
* PCI DSS 2.0 Requirement 4: Encrypt transmission of cardholder data across open, public networks
  * Strong encryption is required
  * Requirement 4.1: Use strong cryptography and security protocols (SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
* This applies to many remote admin scenarios
Strong Encryption in Remote Admin Tools
* Many remote admin tools lack:
  * Strong encryption algorithms
  * Adequate key management capabilities
* Example: Microsoft RDP (native RDP security layer)
  * Low encryption level is 40- or 56-bit RC4, and only client-to-server traffic is encrypted
  * High encryption level is 128-bit RC4
  * No simple way to create or customize keys; the session keys come from the RDP negotiation, not from administrator-controlled key material
  * Practitioner check: set the security layer to SSL/TLS and the encryption level to High or FIPS Compliant rather than relying on native RDP encryption
* Example: TightVNC
  * 56-bit DES challenge-response for password authentication
  * All other traffic is unencrypted
Remote Admin Encryption: Key Exchange & Message Integrity
* PCI DSS 2.0 Requirement 4.1, testing procedure 4.1.b, states:
  * Verify that only trusted keys and/or certificates are accepted
* Secure key exchange should use Diffie-Hellman or another trusted method
* Message integrity should be verifiable with trusted hashing algorithms
  * MD5 and SHA-1 are no longer considered secure; pin and verify with SHA-2 (SHA-256 or stronger)
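"Only trusted keys are accepted" is a deny-by-default check the remote admin tool (or the gateway in front of it) has to make before any session key is used. The following is an added example, not code from the webcast or from any vendor: it pins SSH host keys by their SHA-256 fingerprint in the same `SHA256:<base64>` form OpenSSH prints, refuses any key whose fingerprint is not on the allowlist for that host, and ignores MD5-style pins entirely. The host names and the two ed25519 key blobs are constructed for the demo and are not real keys.

```python
"""Accept a remote host's SSH public key only if its SHA-256 fingerprint is
pinned for that host (PCI DSS 4.1.b: only trusted keys/certificates accepted).

Added example, not part of the original webcast deck. Key blobs are
constructed in-line; fingerprints are computed exactly as OpenSSH prints them.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key: bytes) -> bytes:
    """Build the public-key blob OpenSSH stores in known_hosts for ssh-ed25519.
    raw_key is the 32-byte public point; here it is a constructed placeholder."""
    assert len(raw_key) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_key)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)), '=' stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str) -> tuple[str, bytes]:
    """Parse 'host keytype base64blob' into (host, blob); reject inconsistent entries."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type mismatch in known_hosts entry")
    return host, blob


def key_is_trusted(host: str, offered_blob: bytes, allowlist: dict[str, set[str]]) -> bool:
    """Deny by default: accept only if a SHA-256 pin for this host matches.
    MD5 pins are ignored because MD5 is not an acceptable integrity algorithm."""
    pins = {p for p in allowlist.get(host, set()) if p.startswith("SHA256:")}
    fp = fingerprint_sha256(offered_blob)
    return any(hmac.compare_digest(fp, p) for p in pins)


# Constructed demo data: the pinned key and a different (rogue) key for one POS host.
GOOD_BLOB = make_ed25519_blob(bytes(range(32)))
ROGUE_BLOB = make_ed25519_blob(bytes(range(1, 33)))
GOOD_LINE = "pos-01.acme.example ssh-ed25519 " + base64.b64encode(GOOD_BLOB).decode()
ALLOWLIST = {"pos-01.acme.example": {fingerprint_sha256(GOOD_BLOB)}}


def demo() -> dict[str, bool]:
    """Pinned key accepted; rogue key, unknown host and MD5-only pin all denied."""
    host, blob = parse_known_hosts_line(GOOD_LINE)
    return {
        "pinned_key_accepted": key_is_trusted(host, blob, ALLOWLIST),
        "rogue_key_rejected": not key_is_trusted(host, ROGUE_BLOB, ALLOWLIST),
        "unknown_host_rejected": not key_is_trusted("pos-02.acme.example", blob, ALLOWLIST),
        "md5_pin_ignored": not key_is_trusted(host, blob, {host: {"MD5:00:11:22"}}),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The same shape applies to TLS: pin the SHA-256 hash of the server certificate (or its public key) per host, and treat a missing or non-matching pin as a hard failure rather than a warning the operator can click through.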
Roles and Access Privileges
* PCI DSS 2.0 Requirement 7.1.1 states:
  * Restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities
* Often, remote admin tools cannot provide granular privilege control
* Requirement 7.1.2 is related:
  * Assignment of privileges is based on individual personnel's job classification and function
Roles and Access Privileges (2)
* Systems may require remote access for multiple groups with different roles
  * Example: IT Support and Vendors
* Requirement 7.2 states:
  * Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed
* Most remote admin tools do not start with "Deny All"; quite the opposite!
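What "deny all unless specifically allowed" looks like in an authorization decision, as an added example (not code from the webcast or any product): roles are defined per job function for the two groups the slide names, each role grants an explicit set of actions on an explicit set of hosts, and every request that is not covered by some grant is denied, including requests for unknown actions, out-of-scope hosts, or by users with no role yet. The role names, host patterns, actions and users are constructed for the demo.

```python
"""Deny-by-default role-based access decisions for a remote admin gateway,
modelled on PCI DSS 7.1.1 (least privilege), 7.1.2 (by job function) and
7.2 ("deny all" unless specifically allowed).

Added example, not code from the original deck or from any product. Roles,
hosts and actions are constructed for IT Support and an outside POS vendor.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class Permission:
    host_pattern: str        # glob over hostnames, e.g. "pos-*"
    actions: frozenset[str]  # explicitly granted actions; nothing else


@dataclass
class Role:
    name: str
    permissions: list[Permission] = field(default_factory=list)


@dataclass
class User:
    user_id: str            # unique per person (8.1), never a shared "admin"
    roles: frozenset[str]


# Constructed role definitions.
ROLES: dict[str, Role] = {
    "it_support": Role("it_support", [
        Permission("pos-*", frozenset({"view", "control", "file_transfer", "reboot"})),
        Permission("hq-*", frozenset({"view", "control"})),
    ]),
    # The vendor only needs to look at POS terminals and push application updates.
    "pos_vendor": Role("pos_vendor", [
        Permission("pos-*", frozenset({"view", "file_transfer"})),
    ]),
}


def is_allowed(user: User, host: str, action: str, roles: dict[str, Role] = ROLES) -> bool:
    """True only when a role held by the user explicitly grants `action` on a
    host matching its pattern. Unknown roles, hosts and actions are all denied."""
    for role_name in user.roles:
        role = roles.get(role_name)
        if role is None:
            continue
        for perm in role.permissions:
            if fnmatch(host, perm.host_pattern) and action in perm.actions:
                return True
    return False


def decide(user: User, host: str, action: str) -> str:
    """Audit-friendly decision line (the gateway would log exactly this)."""
    verdict = "ALLOW" if is_allowed(user, host, action) else "DENY"
    return f"{verdict} user={user.user_id} host={host} action={action}"


# Constructed users.
ALICE = User("alice.it", frozenset({"it_support"}))
VENDOR = User("bob@posvendor", frozenset({"pos_vendor"}))
NOBODY = User("carol.contractor", frozenset())  # no role assigned yet: deny all


def demo() -> list[str]:
    return [
        decide(ALICE, "pos-017", "reboot"),            # ALLOW
        decide(VENDOR, "pos-017", "file_transfer"),    # ALLOW
        decide(VENDOR, "pos-017", "control"),          # DENY: not granted to vendor
        decide(VENDOR, "hq-fileserver", "view"),       # DENY: host out of vendor scope
        decide(NOBODY, "pos-017", "view"),             # DENY: no role at all
        decide(ALICE, "pos-017", "disable_logging"),   # DENY: action never defined
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```

The point of the last case matters for compliance reviews: a new capability added to the tool (here `disable_logging`) is unreachable by everyone until someone deliberately adds it to a role, which is the opposite of the "everything on by default for the shared admin account" posture the slide describes.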
Strong Authentication
* Strong authentication is critical to ensure only authorized users access sensitive data and systems
* PCI DSS Requirement 8 has several sections that address this:
  * 8.1: Assign all users a unique ID before allowing them to access system components or cardholder data
  * 8.2: In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
    * Something you know, such as a password or passphrase
    * Something you have, such as a token device or smart card
    * Something you are, such as a biometric
  * 8.4: Render all passwords unreadable during transmission and storage on all system components using strong cryptography
Strong Authentication in Remote Administration
* Let's break this down:
  * Unique user IDs:
    * Most remote admin solutions use a single shared account, often an admin account, so actions cannot be traced to an individual
  * Multi-factor authentication:
    * A username alone identifies but does not authenticate, and a password alone is a single factor
    * Tokens, smart cards, biometrics, etc. provide another layer of security
  * Encrypted passwords (in transit and at rest):
    * Critical to prevent eavesdropping and session hijacking attacks
PCI DSS May Require 2-Factor Authentication
* PCI DSS Requirement 8.3 states:
  * Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties
* For many remote access scenarios, this will be required
* This will be more than just a password
  * Usually a hardware/software token, smart card + certificate, etc.
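The "software token" the slide mentions is, in most products, a time-based one-time password (RFC 6238). Verifying it correctly on the remote admin side is where implementations go wrong, so here is an added example, not the webcast's or any vendor's code, written with only the Python standard library: HOTP per RFC 4226, TOTP on top of it, and a verifier that tolerates one step of clock skew, compares in constant time, and rejects malformed input. The secret and timestamps are the RFC 6238 Appendix B reference values (SHA-1, 8 digits, 30-second step), so the expected codes are public and checkable; nothing here is a real credential.

```python
"""TOTP (RFC 6238) verification as the "something you have" factor for remote
admin logins (PCI DSS 8.3).

Added example, not the deck's or any vendor's code. Standard library only.
The secret and times are the RFC 6238 Appendix B test values.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 8, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(T / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int | None = None,
                step: int = 30, digits: int = 8, window: int = 1) -> bool:
    """Accept if the code matches the current step or one within +/- `window`
    steps (clock skew). Constant-time compare; malformed input is simply False.
    A production verifier must also remember the last accepted step per user
    so the same code cannot be replayed inside the window."""
    if unix_time is None:
        unix_time = int(time.time())
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"


def demo() -> dict[str, object]:
    """Reference codes plus the verifier's behaviour on skew, wrong and malformed input."""
    return {
        "code_at_59": totp(RFC_SECRET, 59),                         # "94287082"
        "code_at_1111111109": totp(RFC_SECRET, 1111111109),         # "07081804"
        "current_accepted": verify_totp(RFC_SECRET, "94287082", 59),
        "one_step_late_accepted": verify_totp(RFC_SECRET, "94287082", 59 + 30),
        "two_steps_late_accepted": verify_totp(RFC_SECRET, "94287082", 59 + 60),
        "wrong_code_accepted": verify_totp(RFC_SECRET, "00000000", 59),
        "malformed_accepted": verify_totp(RFC_SECRET, "9428", 59),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The skew window is the trade-off to watch: each extra step of tolerance gives a guessed code another chance, so keep it at one step and rate-limit attempts per user ID.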
Patching
* Patching is a fundamental best practice in IT Operations and Security
* PCI DSS Requirement 6 states:
  * 6.1: Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release
* If remote admin software is installed, it is required to be patched and maintained
* Many remote admin tools do not provide timely patches or simple management for patching
Logging and Auditing
* Generating and maintaining a solid audit trail is another core tenet of information security
  * Often a specific component of compliance mandates, as well
* PCI DSS Requirement 10:
  * 10.2: Implement automated audit trails for all system components
  * 10.5: Secure audit trails so they cannot be altered
    * 10.5.2: Protect audit trail files from unauthorized modifications
* Remote admin software needs to generate informative logs
What needs to be logged?
* PCI DSS Requirement 10.2 specifies events that must be logged, including:
  * All privileged user access
  * Invalid logical access attempts
  * Individual access to cardholder data
* Remote admin logs should record, at a minimum, the user name, time and date, and activity
  * Requirement 10.3 also calls for a success or failure indication, the origination of the event, and the affected system or data
  * Especially failed operations
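Putting the two logging requirements together, as an added example that is not code from the webcast or any product: each remote admin event carries user, date/time, origin, target, action and success/failure; the trail chains every record to the previous one with an HMAC so an edited, removed or reordered record is detectable (10.5 / 10.5.2); the entries are rendered as RFC 5424 syslog lines for a central collector; and a simple detection pass picks out users with repeated failed privileged operations. The events, host names, IP addresses and the signing key are constructed for the demo.

```python
"""Tamper-evident audit trail for a remote admin gateway.

Added example, not the deck's or any vendor's code. Records carry the fields
PCI DSS 10.3 names, are HMAC-chained (10.5 / 10.5.2), and are emitted as
syslog lines for a SIEM. Events and key are constructed for the demo; in
production the key lives on the collector, not on the administered host.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Event:
    ts: str          # ISO 8601 UTC
    user: str        # unique user ID, never a shared account
    src: str         # origination (client IP)
    host: str        # affected system
    action: str      # login, file_transfer, reboot, ...
    result: str      # "success" | "failure"
    privileged: bool


def _canon(data: dict) -> str:
    """Canonical JSON so the HMAC covers a stable byte sequence."""
    return json.dumps(data, sort_keys=True, separators=(",", ":"))


class AuditTrail:
    """Append-only entries (record, tag) with tag = HMAC(key, prev_tag || record)."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._entries: list[tuple[str, str]] = []

    def _tag(self, prev: str, record: str) -> str:
        return hmac.new(self._key, (prev + record).encode(), hashlib.sha256).hexdigest()

    def append(self, ev: Event) -> str:
        record = _canon(asdict(ev))
        prev = self._entries[-1][1] if self._entries else ""
        tag = self._tag(prev, record)
        self._entries.append((record, tag))
        return tag

    def verify(self) -> bool:
        """Recompute the chain; any edited, removed or reordered record breaks it."""
        prev = ""
        for record, tag in self._entries:
            if not hmac.compare_digest(self._tag(prev, record), tag):
                return False
            prev = tag
        return True

    def events(self) -> list[Event]:
        return [Event(**json.loads(r)) for r, _ in self._entries]

    def syslog_lines(self, app: str = "remoteadmin") -> list[str]:
        """RFC 5424 lines, facility authpriv (10): PRI 86 = info, 84 = warning for failures."""
        out = []
        for record, tag in self._entries:
            ev = json.loads(record)
            pri = 84 if ev["result"] == "failure" else 86
            out.append(f"<{pri}>1 {ev['ts']} {ev['host']} {app} - - - "
                       f"user={ev['user']} src={ev['src']} action={ev['action']} "
                       f"result={ev['result']} privileged={str(ev['privileged']).lower()} "
                       f"tag={tag[:16]}")
        return out


def tamper_record(trail: AuditTrail, index: int, **changes) -> None:
    """Demo only: simulate an attacker editing a stored record but keeping its tag."""
    record, tag = trail._entries[index]
    data = json.loads(record)
    data.update(changes)
    trail._entries[index] = (_canon(data), tag)


def failed_privileged_access(events: list[Event], threshold: int = 3) -> dict[str, int]:
    """Detection: users with `threshold` or more failed privileged operations."""
    counts: dict[str, int] = {}
    for ev in events:
        if ev.privileged and ev.result == "failure":
            counts[ev.user] = counts.get(ev.user, 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


# Constructed sample events: normal IT support session, then a vendor repeatedly
# attempting actions outside its role on a POS terminal.
SAMPLE = [
    Event("2011-10-04T14:03:11Z", "alice.it", "10.1.5.20", "pos-017", "login", "success", True),
    Event("2011-10-04T14:03:40Z", "alice.it", "10.1.5.20", "pos-017", "file_transfer", "success", True),
    Event("2011-10-04T14:10:02Z", "bob@posvendor", "203.0.113.7", "pos-017", "control", "failure", True),
    Event("2011-10-04T14:10:09Z", "bob@posvendor", "203.0.113.7", "pos-017", "control", "failure", True),
    Event("2011-10-04T14:10:15Z", "bob@posvendor", "203.0.113.7", "pos-017", "reboot", "failure", True),
    Event("2011-10-04T14:12:00Z", "bob@posvendor", "203.0.113.7", "pos-017", "view", "success", False),
]


def build_trail(key: bytes = b"demo-key-not-for-production") -> AuditTrail:
    trail = AuditTrail(key)
    for ev in SAMPLE:
        trail.append(ev)
    return trail
```

One caveat the chain alone does not cover: silently truncating the tail of the trail leaves a valid chain, so the collector must record the most recent tag it received and alarm when a host's trail no longer ends at that tag.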
What does secure, compliant remote admin look like?
* A simple example:
  * ACME Corp:
    * Yes, they make widgets
    * 200 retail locations (POS)
    * 5 IT Support staff at HQ
    * 30 teleworkers (Mac and Windows)
    * Level 1 Merchant for PCI compliance
* They need a solution that is easy to manage and maintain from a central location
  * Cross platform
  * Security features to meet PCI compliance
Feature Requirements
* Integration with Active Directory for user data
* Ability to use pre-existing SSH keys
* Granular role definition for IT support and for outside vendor support teams for POS software
* Patching that is simple to maintain
* Detailed logs that can be sent to a central Syslog server and SIEM
Our Scenario
Remote Administration Security Compliance Scenario by Netop
Conclusion
* Remote admin tools are key to many organizations
  * Reducing travel costs
  * Providing secure access for IT teams
* Many tools today do not meet security and compliance best practices, including PCI DSS
* Be sure to look closely at the security features of the tools you evaluate and use!
Questions?
Dave Shackleford, dshackleford@voodoosec.com
Kent Madsen, kfm@netop.com
Sponsored by Netop
Netop has been helping businesses with enterprise remote support and management for over 25 years. We provide a wider range of operating system support and authentication options than any other remote solution. From remote support of workstations to managing mission-critical servers, POS systems and mobile devices, no one knows more about secure remote access. If you have a question about ensuring your remote control solution meets your security needs ask the experts, ask Netop.