By Keren Pollack, on March 25th, 2020

The new reality demands that organizations be creative in order to keep the business running. The ability to let employees work from home is becoming essential for business survival. Even organizations that routinely had remote employees need to expand their infrastructure to accommodate the increased number of remote workers.


Although this capability is keeping many organizations running, it exposes the organization's network to major security threats that can, on their own, sabotage the entire business. Most of the focus in this situation is on VPN security, which is without doubt important. But many weak links are left unaddressed and can easily be leveraged by attackers to access and affect the entire network.


The security of remote access servers, such as VPN gateways and portal servers, is particularly important because they provide a way for external hosts to gain access to internal resources. In addition to permitting unauthorized access to enterprise resources and telework client devices, a compromised server could be used to eavesdrop on communications and manipulate them, and could serve as a "jumping off" point for attacking other hosts within the organization. Remote access servers should be kept fully patched, hardened with an organization-defined security configuration baseline, and managed only from trusted hosts by authorized administrators.


This article will focus on specific hardening actions that are relevant to each remote connection method. Neglecting the infrastructure from a hardening perspective can be disastrous, and attackers already understand the potential of those vulnerabilities.

We'll go through the three main remote connection methods and their specific hardening recommendations:


VPN Gateway:

Commonly used by enterprises and by large and medium organizations.

This method is basically an accelerated remote access solution that brings together SSL VPN, security, application acceleration, and availability services. The solution combines access policy, One-Time Password, a Web interface, and load balancing. It should provide secure tunneling from the endpoint to the gateway. The gateway is also connected to the organization's Directory Services.

After passing the gateway, the user is redirected to a terminal server, a VDI machine, published applications, a physical machine, or a combination of those.


The usual process:

  1. A user connects through the HTTPS/SSL site to the organization's gateway. The VPN Gateway provides the service only to known IPs, and it checks prerequisites such as security settings (antivirus, hotfixes, etc.).
  2. The user provides his AD credentials and a VPN Gateway PIN.
  3. The user provides a digital One-Time Password (OTP) or an OTP from a physical device.
  4. The VPN gateway allows or denies entry. If the user is approved, it allows him to jump to the Citrix/VMware Horizon servers. The transfer to the Citrix/VMware servers is performed by either a VDI machine or a published application, such as a restricted Remote Desktop Services application.
  5. The user jumps to another VDI server or to a physical workstation and gets access to the organization's network.


Remote Desktop Software:

Mostly used by medium and SMB organizations or individuals.

It allows a user to seamlessly connect to and interact with a computer in another location via an internal network or the Internet. Remote desktop software enables the user to see and control a connected PC or laptop as though they were sitting directly in front of it. Remote desktop software is helpful for things like collaborative work, technical support, and demonstrations. This connection basically allows a peer-to-peer connection between two endpoints in a relatively secure way.


Remote Desktop Connection:

Mostly used by SMBs and individuals. This is a pure peer-to-peer connection using the RDP protocol. RDP's security posture depends on the hardening policy implemented.

All three connection methods may expose the organizational network to major threats. Here are hardening issues you need to consider:


Hardening VPN Gateways:

VPN gateways generally act as intermediaries between telework devices and the organization's internal computing resources.

Both VMware and Citrix are services running on Windows Server platforms, and are therefore subject to the OS attack surface. Having an unhardened OS that is also exposed to remote users is a major security flaw.


It is very common to see administrators disabling services to optimize the end-user experience while neglecting the security aspect of it. Organizations should carefully consider the security of any solutions that involve running a remote access server on the same host as other services and applications. Such solutions may offer operational benefits, such as equipment cost savings, but a compromise of any one of the services or applications could permit an attacker to compromise the entire remote access server.

Placing the remote access server on a separate, dedicated host reduces the likelihood of a remote access server compromise and limits its potential impact.


In addition, the same hardening techniques used for securing your common Windows Server infrastructure should be used here. Hardening should be implemented at both the operating system level and the services level (Citrix, VMware, VDI).

Hardening Remote Desktop Server:

The Remote Desktop Server is one of the components of Microsoft Windows that allows a user to take control of a remote computer or virtual machine over a network connection. User interfaces are displayed from the server onto the client system, and input from the client system is transmitted to the server. It is used as a true endpoint for remote access communications.


When hardening the Remote Desktop Server, functionality versus security should be seriously considered, because almost every function that the remote user is allowed to perform can be leveraged into an attack vector. Redirection functionalities can pose a major threat to the network when used by a malicious user, so redirection privileges should be reviewed before they are enabled. For a full RDP Hardening Guide click here.
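
One way to review the redirection settings discussed above, as an added example that is not part of the original article or CalCom's tooling: the script reads the Remote Desktop Services Group Policy values from the registry and reports which redirection channels are still allowed. The disable-everything baseline and the function name Test-RdpRedirectionPolicy are assumptions for illustration; substitute your organization-defined baseline.

```powershell
# Added example: audit RDP redirection policy on a Remote Desktop Server.
# Group Policy writes these values under the Terminal Services policy key;
# a value of 1 means the redirection channel is disabled.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Assumed baseline for illustration: every redirection channel disabled.
$Baseline = [ordered]@{
    fDisableCdm      = 'Drive redirection'
    fDisableClip     = 'Clipboard redirection'
    fDisableCcm      = 'COM port redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
    fDisableCpm      = 'Printer redirection'
}

function Test-RdpRedirectionPolicy {
    param([string]$Key = $PolicyKey)

    # A missing key means no policy is configured at all.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    foreach ($name in $Baseline.Keys) {
        $value = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $value = $props.$name
        }

        # Not configured leaves the decision to the default, which permits redirection.
        $state = if ($null -eq $value) { 'NotConfigured' } elseif ($value -eq 1) { 'Disabled' } else { 'Allowed' }

        [pscustomobject]@{
            Setting   = $Baseline[$name]
            Value     = $name
            State     = $state
            Compliant = ($state -eq 'Disabled')
        }
    }
}

$report = Test-RdpRedirectionPolicy
$report | Format-Table -AutoSize

if ($report.Compliant -contains $false) {
    Write-Warning 'One or more redirection channels are allowed or left at the default.'
}
```

Run it on the Remote Desktop Server itself; any channel the business genuinely needs should be a documented exception to the baseline rather than a silent default.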

 

This is just the tip of the iceberg. CalCom is here to give advice that will help you adjust to the requirements of the new reality. Don't hesitate to contact us for a consultation.
