Finally we are almost proceeding towards the completion of the Sample I.T Security policy, we have just two more topics to cover. Coming days I will try to complete that, here we are with Remote Access Security
REMOTE ACCESS SECURITY
“IS” CONSIDERED THE FOLLOWING:
1. RAS server provides the most secure method for remote access to the network if it is reburied.
2. Never allow client computers on the network to answer remote access connections.
3. Organize all remote access servers in a centrally controlled location.
4. Servers have no need to originate dial-out connections (Except when using telephone lines as low cost WAN connections, but these connections should be relatively permanent).
5. To simplify security administration, allow only one method of remote access into the network.
6. Remote access control procedures must provide adequate safeguards through robust identification, authentication and encryption techniques.
7. Carefully consider the wisdom of providing cellular telephones and modems for use with laptop computers. This technology isn’t usually justified considering the relatively modest increase in productivity compared to the cost and the security risk of a lost laptop.
8. Consider using only the NetBEUI protocol for remote access to limit the extent of intrusions on the network.
9. Control the distribution of remote access software on the network. Never allow client computers to run remote control software. If remote control software is necessary, run the software from centrally controlled computers or thin-client servers.
10. Disable dial-in networking, except in the cases of trusted individuals or to special computers,because dial-in networking can bypass regular network security.
11. Encourage an easy-to-use (but secure, of course) method for users to indicate when they need remote access, for how long, and to which phone number. Base the dial-in permissions on these requests. Always verify the request verbally with the user to ensure that it’s not a spoof.
12. Gather contact information for the telephone companies as soon as possible so that it is on hand if dial -up hacking attempts are discovered.
13. If possible, use external modems to answer RAS connections. They can be powered off when no RAS activity is anticipated, and they allow manual disconnection if necessary.
14. If remote access is required only occasionally, set the Remote Access Server service to start manually, then use the services control panel to start the service when needed and stop it when it is no longer in use.
15. Revoke dial-in permissions for users during periods when they are not necessary, and invoke them when the user is away from the office or working from home for a period.
16. Thin client and remote control software can be more secure than remote access software in certain circumstances. For instance, an entire database could be copied down using remote access software, but that same data would be extremely difficult to extract using remote control software configured to disallow file transfers.
17. Tightly control user-based remote access permissions. Allow only those users who have an immediate need to log in remotely.
18. Use alarming software to detect numerous attempts at password guessing over dial-up networks. Use the standard performance monitor to detect this activity, or purchase third party alarming software.
19. Use callback security. Without callback security, tracing RAS based intrusion attempts is very difficult.
20. Use external modems that have on/off switches for those machines that have remote access software installed. Only turn on a modem when a user calls in and requests a remote control connection.
21. Use hard-coded callback security for all remote users that don’t normally travel, to prevent their account from being exploited from unknown locations.
22. Use Microsoft encryption when possible.
23. Use the Point-to-Point Tunneling Protocol for all Internet connections allowed into the network, or some third-party software that performs the encrypted tunnel function in concert with the firewall.