Between cloud storage and smart devices, remote access to various services has become a mundane fact of life. Remote access lets software developers and system administrators manage technical infrastructure without physical access to the server, which is what makes cloud-based services workable. Remote desktop solutions can also help remote users with troubleshooting. Remote access is a powerful tool for configuration and system management beyond on-premises infrastructure, but it also introduces new risks around unauthorized access and unsecured networks.
What is remote access?
Remote access refers to controlling software or an operating system on one system from another. It's commonly used between computers but can also involve a mobile device (such as controlling your Internet of Things devices from your smartphone).
The User's Guide to Telework and Bring Your Own Device (BYOD) Security portion of NIST Special Publication (SP) 800-114 defines remote access as "the ability of an organization's users to access its non-public computing resources from locations other than the organization's facilities." Remote access enables workers to connect with the organization's network, and it can also provide a connection back to the worker's device if needed.
This article focuses on the second case: connecting to and controlling another machine, which is typically done through a remote desktop protocol or tool. Commonly used examples include Apple Remote Desktop (ARD), which builds on VNC, and Microsoft's Remote Desktop Protocol (RDP). Remote desktop tools give the user a session on the remote device and typically allow them to perform actions on it from their own device. This type of remote access is often used for administration of cloud servers and for IT support of distributed employees; remote sessions might include configuration and troubleshooting of a remote computer. For more information on remote access security, review NIST SP 800-46 Guide to Enterprise Telework, Remote Access, and BYOD Security.
Organizations use virtual private networks (VPNs), remote system control, and browser-based applications to enable worker access to company networks. System administrators typically use Secure Shell (SSH) to connect to cloud-based web servers, and different cloud technologies may have specific ports in use for remote configuration. Remote access solutions are available for a variety of needs, and some commonly used tools include Apple Remote Desktop, Microsoft Remote Desktop, AnyDesk, Citrix Virtual Apps, Digi RealPort, Intelligent Platform Management Interface (IPMI), OpenVPN, pcAnywhere, RealVNC, Secure Shell, and TeamViewer. For more information on VPN security recommendations, review the Guide to IPsec VPNs in NIST SP 800-77 and the Guide to SSL VPNs in NIST SP 800-113.
While remote access is a useful tool that makes possible globally distributed teams, remote work, and cloud infrastructure, it is not without its risks.
Remote access exposure risks
Threats and vulnerabilities affecting remote access devices and technologies may result from weak protection standards or from use on an unsecured network. Whether it is an employee connecting to organizational tools over a public network or an exposed port allowing unauthorized access to sensitive data, it is critical to set security requirements around every remote access connection.
If remote access is not secured, your organization may experience malware attacks, security breaches, and potential data loss. A cybercriminal could use an exposed port to plant a remote access trojan that compromises your data integrity, or take control of your server or other configuration tooling through the open port of your remote desktop app. If remote login credentials are weak or reused across devices, the likelihood of credential theft and successful brute-force attacks increases.
To identify potential open port risks among your remote access functionality, you can use an automated scanning tool like UpGuard BreachSight. Automated port scanning evaluates your assets with continuous monitoring and vulnerability management. Among a variety of port-related findings, BreachSight identifies the following port risks for commonly used remote desktop software:
- 'SSH' port open
- 'Apple Remote Desktop' port open
- 'Apple RemoteDesktop VNC' port open
- 'Remote Desktop' port open
The Secure Shell protocol (SSH) provides a secure method for accessing and managing a separate system and is often used for remote login and command-line execution on a remote server. SSH uses TCP port 22 by default. The 'SSH' port open finding identifies whether port 22 is exposed to the public internet.
Apple Remote Desktop (ARD) enables remote monitoring and control of Mac devices. Over TCP, ARD uses port 5900 for control and observation, port 3283 for reporting, and port 22 for file transfer through an SSH tunnel; over UDP it uses ports 5900 and 3283. An attacker who can reach an exposed ARD port can attempt to take control of the system, so access to the ARD service should be limited to trusted users and restricted to known IP addresses. Granting Virtual Network Computing (VNC) access through ARD lets the VNC user control the screen. For both the 'Apple Remote Desktop' port open and 'Apple RemoteDesktop VNC' port open findings, evaluate access through the principle of least privilege.
On Windows systems (and on Linux hosts running an RDP server), the Remote Desktop Protocol (RDP) provides remote desktop connections to RDP-supported systems. RDP uses TCP port 3389 by default. You can change the listening port, but a scanner with service detection will still identify RDP on the new port, so moving it is not a substitute for restricting access. Like the ARD findings, the 'Remote Desktop' port open finding indicates that the RDP port is publicly accessible, which could allow cybercriminals access to your system. Evaluate whether the port can be limited to internal networks and VPNs.
BreachSight also identifies remote access software-specific tools, such as the following:
- 'Citrix ICA' port open
- 'Digi Realport' port open
- 'IPMI' port open
- 'PCAnywhere Status' port open
- 'TeamViewer' port open
An alternative to Microsoft RDP, Citrix Independent Computing Architecture (ICA) is the proprietary protocol used by Citrix Virtual Apps and Desktops. Citrix Virtual Apps and Desktops offers virtual desktop infrastructure (VDI), so remote access is an essential feature. ICA uses TCP port 1494; when session reliability is enabled, ICA traffic is carried inside the Common Gateway Protocol (CGP) on TCP port 2598. To prevent unauthorized access and network disruption, these ports should be limited to internal networks and VPN access. If you do not use the ICA service, close the port entirely.
Digi RealPort is a COM port redirector: serial ports on a networked Digi device appear as local COM or tty ports on a host, so serial equipment can be reached over the network. RealPort supports encrypted connections over TLS, but encryption must be enabled explicitly. RealPort uses TCP port 771 by default on the Digi device and may use additional ports for its communication channels. If you receive the 'Digi Realport' port open finding, the port in use is publicly accessible. Apply an access control list in your firewall to restrict which sources may reach the port.
If you use the Intelligent Platform Management Interface (IPMI) for platform management, ensure that you have set strong access controls and restricted traffic so that only authorized system administrators on a private network can configure the baseboard management controller (BMC). Otherwise cybercriminals can bypass security controls, install a new operating system, and access data through the IPMI. BMCs are a high-value target, so take caution around IPMI port exposure and the 'IPMI' port open finding. IPMI typically runs on UDP port 623 (RMCP), which can be probed quickly if exposed. If the port needs to remain open, ensure that you have replaced the default administrator credentials with a strong password.
As the name suggests, pcAnywhere enabled a user to access a computer from anywhere using the software. pcAnywhere reached its end of life in 2014 following security issues and hot fixes in its final years. Over UDP, pcAnywhere uses ports 22 and 5632; over TCP it uses port 5631. Because pcAnywhere has been discontinued and no longer receives updates, the port should be closed. If your organization is still using pcAnywhere for remote access, switch to a supported product immediately.
TeamViewer provides remote access and control for computers and other endpoints. It uses ports 5938, 443, and 80 for connections: port 5938 is the preferred port for both TCP and UDP, with 443 and 80 as TCP fallbacks. TeamViewer sessions are normally established outbound through TeamViewer's servers, so an inbound 5938 that is reachable from the public internet deserves a second look. Like other remote access ports, access to TeamViewer should be routed through a VPN and restricted to trusted IP addresses.
BreachSight also identifies port routing for commonly used VPNs:
- 'IKE VPN' port open
- 'OpenVPN' port open
The Internet Key Exchange (IKE) protocol negotiates the keys and security associations for IPsec VPN tunnels; two versions, IKEv1 and IKEv2, are in use. IKE operates over UDP port 500, and when NAT traversal (NAT-T) is in play it also uses UDP port 4500. If you use Layer Two Tunneling Protocol (L2TP) over IPsec, UDP port 1701 must be forwarded as well. Because a VPN gateway is the entry point to internal networks, restrict access to trusted IP addresses where the client population is known; where it is not, the gateway is by design reachable from the internet and must be kept patched, hardened, and monitored.
OpenVPN provides a secure, open-source VPN using ciphers from the OpenSSL library. Its default is UDP port 1194, which is also the recommended transport; TCP port 443 is a common alternative configuration because it passes through restrictive networks. The 'OpenVPN' port open finding indicates that your OpenVPN endpoint is publicly accessible. If your OpenVPN system is misconfigured, unauthorized users could reach private resources on either end of the VPN tunnel.
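The findings above are a mapping from observed open ports to remote access services, and that mapping can be applied to your own scan output. The following Python script is an added example and is not part of the original article or of UpGuard's tooling: it parses nmap grepable (-oG) lines, maps open ports to the findings named in this article, and uses the scanner's service label to catch a daemon that has been moved off its default port (such as RDP on a non-standard port). The scan lines are constructed, the service names assume nmap's usual labels, and the treatment of 'open|filtered' as unconfirmed is this example's policy.

```python
import re
from collections import defaultdict

# Findings from the article mapped to the default (protocol, port) pairs it
# lists, plus the service label a scanner attaches when the daemon answers on a
# non-default port. Service names follow nmap's usual labels and are an
# assumption; adjust them for your scanner. 443/tcp is deliberately not mapped
# to OpenVPN or TeamViewer: by port alone it is indistinguishable from HTTPS.
FINDINGS = {
    "'SSH' port open":                    ({("tcp", 22)}, {"ssh"}),
    "'Apple Remote Desktop' port open":   ({("tcp", 3283), ("udp", 3283)}, {"netassistant"}),
    "'Apple RemoteDesktop VNC' port open": ({("tcp", 5900), ("udp", 5900)}, {"vnc"}),
    "'Remote Desktop' port open":         ({("tcp", 3389)}, {"ms-wbt-server"}),
    "'Citrix ICA' port open":             ({("tcp", 1494), ("tcp", 2598)}, {"citrix-ica"}),
    "'Digi Realport' port open":          ({("tcp", 771)}, set()),
    "'IPMI' port open":                   ({("udp", 623)}, {"asf-rmcp"}),
    "'PCAnywhere Status' port open":      ({("tcp", 5631), ("udp", 5632)},
                                           {"pcanywheredata", "pcanywherestat"}),
    "'TeamViewer' port open":             ({("tcp", 5938), ("udp", 5938)}, set()),
    "'IKE VPN' port open":                ({("udp", 500), ("udp", 4500)}, {"isakmp"}),
    "'OpenVPN' port open":                ({("udp", 1194), ("tcp", 1194)}, {"openvpn"}),
}

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_ENTRY = re.compile(r"(\d+)/([^/]*)/(tcp|udp)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Yield (host, port, proto, state, service) from nmap -oG output.

    Fields in -oG lines are tab-separated; only lines carrying a Ports: field
    matter, and the trailing 'Ignored State:' field is dropped.
    """
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for match in PORT_ENTRY.finditer(ports_field):
            port, state, proto, service = match.groups()
            yield host, int(port), proto, state, service


def classify(scan_text):
    """Map scanned ports to findings: {host: {finding: [evidence, ...]}}.

    'open' is a confirmed listener. 'open|filtered' is what nmap reports for a
    UDP probe that drew no reply, so it is kept but flagged as unconfirmed
    rather than silently dropped or silently trusted.
    """
    results = defaultdict(lambda: defaultdict(list))
    for host, port, proto, state, service in parse_grepable(scan_text):
        if state not in ("open", "open|filtered"):
            continue
        for name, (ports, services) in FINDINGS.items():
            by_port = (proto, port) in ports
            by_service = service in services
            if not (by_port or by_service):
                continue
            how = "default port" if by_port else f"service '{service}' on non-default port"
            note = "" if state == "open" else " (unconfirmed: open|filtered)"
            results[host][name].append(f"{port}/{proto}: {how}{note}")
    return {host: dict(found) for host, found in results.items()}


# Constructed sample, not a real scan: an SSH host that also moved RDP to
# 33890, and a second host with a BMC answering on 623/udp and VNC on 5900.
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "33890/open/tcp//ms-wbt-server///\tIgnored State: closed (997)\n"
    "Host: 203.0.113.20 ()\tPorts: 623/open|filtered/udp//asf-rmcp///, "
    "5900/open/tcp//vnc///\tIgnored State: closed (998)\n"
)

if __name__ == "__main__":
    for host, found in classify(SAMPLE_SCAN).items():
        print(host)
        for name, evidence in found.items():
            for item in evidence:
                print(f"  {name}: {item}")
```

Run a scan such as `nmap -sS -sU -sV -oG scan.gnmap <targets>` and pass the file contents to classify(). The service-name match is what makes the RDP-on-33890 case visible; a port-only check would miss it, which is why changing the listening port is not a control on its own.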
If you identify these exposed ports or are otherwise concerned about your use of remote access technologies, you can implement cybersecurity measures to protect your attack surface.
How to secure remote access tools
As you consider security precautions around remote access, ask two questions:
- Who needs to use remote access tools?
- What kind of remote access does that person need?
You may find that most workers do not need full use of remote access and control tools. A strong firewall policy and use of a VPN could serve most of your team. For those who do need the ability to connect and manage the infrastructure, you can set policies around usage and configuration settings.
In addition to requiring strong passwords for all employees, implement firewall and VPN tunnel rules that restrict access to remote configuration controls. Use identity and access management tooling that adds further authentication layers, such as multi-factor authentication. You can likewise require that your team does not conduct remote control sessions from public networks, limiting access to trusted IP addresses for your remote support team.
Any configuration settings should be audited regularly, and connection traffic should be monitored to ensure expected usage. Stay apprised of any software vulnerabilities impacting your tool chain using an automated scanning solution. You can test your remote access security policies by following NIST SP 800-115 Technical Guide to Information Security Testing and Assessment.
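The configuration audit called for above can be scripted for the most common case on this page, an internet-facing SSH port. The following Python is an added example rather than the article's own material: it parses an sshd_config the way sshd reads it (first value wins for single-valued keywords, Match blocks are conditional) and flags the settings that most widen exposure. The default values, the severities, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Values sshd uses when a directive is absent (sshd_config(5), OpenSSH 7.0+).
# Assumed here; confirm against the man page of the version you run.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "usepam": "no",
}

# Older spelling still accepted by sshd; fold it into the current name.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Directives that legitimately appear more than once and accumulate.
LIST_VALUED = {"allowusers", "allowgroups", "listenaddress"}


def parse_sshd_config(text):
    """Return the effective global settings as {lowercase_keyword: value}.

    Follows sshd's own rules: lines starting with '#' are comments, keywords are
    case-insensitive and may be written 'Key value' or 'Key=value', and for
    single-valued keywords the FIRST occurrence wins, so a hardening line
    appended at the bottom of the file silently loses to an earlier one.
    Parsing stops at the first Match block, whose settings are conditional.
    Include directives (OpenSSH 8.2+) are not followed by this example.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if len(parts) != 2:
            continue
        value = parts[1].strip()
        if key in LIST_VALUED:
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)
    return settings


def audit(settings):
    """Return [(severity, directive, message)] for settings that widen exposure.
    Severities are this example's policy, not sshd's."""
    def eff(key):
        return settings.get(key, DEFAULTS.get(key))

    findings = []
    if eff("permitrootlogin") == "yes":
        findings.append(("high", "PermitRootLogin",
                         "root may log in with a password; set 'prohibit-password' or 'no'"))
    if eff("passwordauthentication") != "no":
        findings.append(("high", "PasswordAuthentication",
                         "password logins are accepted; set 'no' and require keys"))
    elif eff("kbdinteractiveauthentication") != "no" and eff("usepam") == "yes":
        # Passwords are off, but PAM can still prompt for one through the
        # keyboard-interactive method unless that is disabled too.
        findings.append(("medium", "KbdInteractiveAuthentication",
                         "PAM keyboard-interactive can still collect a password; set 'no'"))
    if eff("permitemptypasswords") == "yes":
        findings.append(("high", "PermitEmptyPasswords", "empty passwords accepted; set 'no'"))
    if eff("pubkeyauthentication") == "no":
        findings.append(("high", "PubkeyAuthentication", "key-based login disabled; set 'yes'"))
    if not settings.get("allowusers") and not settings.get("allowgroups"):
        findings.append(("medium", "AllowUsers/AllowGroups",
                         "no allowlist; every local account may attempt to log in"))
    if not settings.get("listenaddress"):
        findings.append(("info", "ListenAddress",
                         "listening on all interfaces; bind to a management address or "
                         "restrict port 22 at the firewall to trusted source ranges"))
    return findings


# Constructed sample. The late 'PermitRootLogin no' does NOT take effect.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample for this example)
Port 22
PermitRootLogin yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
UsePAM yes
AllowUsers ops-admin
# Too late: for single-valued keywords the first value set wins.
PermitRootLogin no

Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for severity, directive, message in audit(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"[{severity}] {directive}: {message}")
```

On a live host, `sshd -T` prints the configuration sshd has actually loaded, including the effect of Include files, one lowercase keyword per line; feeding that output to parse_sshd_config() is more reliable than reading the file when the two disagree.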
How UpGuard can help
UpGuard BreachSight helps you understand the risks impacting your external security posture. With our user-friendly platform and real-time data, you can view your organization’s cybersecurity at a glance and communicate internally about risks, vulnerabilities, or current security incidents.
To learn more about your particular domain's practices in relation to these exposed port findings and other security concerns, access your Risk Profile in BreachSight to search for each finding by name. Once you have identified concerns, you can manage your remediation process within UpGuard as well. You can reach out to our customer support team to investigate and verify any findings that have been identified for your assets.
If you're not a current UpGuard user and you want to review your public-facing assets for these findings and more, sign up for a trial.