If you've ever worked on a help desk, you're probably very familiar with remote desktop connections. This is when you can share someone else's desktop while sitting at your own desk. That user's desktop may be in the next room, the next building over, or the next country. You can make this connection using a number of different utilities. You might be using RDP, the Microsoft Remote Desktop Protocol; there are clients you can run to connect to RDP services from macOS, Linux, Windows, your mobile devices, and almost any other operating system. There are, of course, open-source options available for remote desktop as well, such as VNC, or Virtual Network Computing, which uses a protocol known as RFB, the Remote Framebuffer protocol. VNC clients are likewise available on many different operating systems.

Remote desktop enables an organization to support everyone in the field regardless of where they might be. But scammers love to use remote desktop as well, so if a third party is trying to connect to you using remote desktop, you'll want to get a lot more information before allowing them access to your computer.

One way to tell if someone has a remote desktop service running on their system is to check the available open ports. The remote desktop service is, after all, waiting for someone to connect to that device and control it. If a system has TCP port 3389 open, it is most likely running RDP, and anyone with the correct credentials would be able to connect to that device and control its desktop. VNC listens on TCP port 5900 by default (5901, 5902, and so on for additional displays), and the many third-party remote desktop solutions each have their own defaults. These services are often secured with nothing more than a username and a password, which makes them an easy target for brute force and credential stuffing if they are reachable from the network. You'll want to add additional authentication factors, and for RDP you should require Network Level Authentication so that the user has to authenticate before a session is ever created, to keep anyone from connecting to your device from a remote location.

Attackers love to take advantage of open remote desktop ports and easy-to-find usernames and passwords, because once they're on a system, it's all theirs, just as if they were sitting physically in front of the computer. They can go through all of your files, connect to other sites, and do whatever they'd like from your machine using remote desktop.

If you have a mobile device or a laptop and you need to connect back to your corporate office across the internet, then you're probably very familiar with a VPN, or virtual private network. A VPN encrypts all of the data going back and forth between you and the other device, even when it's crossing a public network like the internet. From your device you connect to a VPN concentrator, a centralized device that usually sits at your place of business; everyone who needs access to your company runs a VPN client on their computer and connects to that concentrator at the corporate office. You may have a single appliance or server configured as a VPN concentrator, but these days you often find VPN concentrators built into next-generation firewalls. This gives you options as to how you'd like to deploy these VPN services: you can build your own software-based VPN, or you can use an integrated hardware-based VPN that's part of your next-generation firewall. Some VPN concentrators require that you install special software on your client machine; other operating systems have built-in VPN clients, and you may be able to connect to the concentrator using software that's already available in Windows, Linux, or macOS.

Here's how a VPN works visually. You're the remote user at home who needs to access resources on the corporate network, but your only connection is through the internet, and you certainly don't want to send unencrypted information across that public network. So you use VPN software on your remote device to encrypt all of the data sent across the internet, and on the other side the device acting as your VPN concentrator decrypts that information and sends it into your corporate network. For information to get back to you, we simply reverse the process: information is sent from your corporate network, it hits the VPN concentrator where it is encrypted, it's sent across the internet, and it's decrypted on your local device at home.

We rely on VPNs to encrypt and secure the data we're sending across the network. This means that someone taking a packet capture, or who otherwise has a way to view the traffic, would not be able to see any of the data, since it's all encrypted on the wire. (They can still see that the tunnel exists and roughly how much traffic it carries; it's the contents that are protected.) One caveat: the VPN only protects traffic that is actually routed into the tunnel, so if split tunneling is enabled, traffic to the rest of the internet leaves your device unprotected as usual.

When you're connecting to that concentrator, you're usually asked for some type of authentication credentials. If you're only using a username and password, there is a potential that someone could perform a brute force attack to find the right combination and gain access to the system. That's why we often add multi-factor authentication to this login process: we might provide a username, a password, and then an additional code from an app. This ensures that only authorized people are able to gain access to the virtual private network.

As an administrator, there may be times when you need to connect to a remote device and make a configuration change at its console. To have protected communication between your device and the remote device, you would probably use SSH, or Secure Shell. Secure Shell is designed for terminal communication like the one you see here, and it uses TCP port 22. This looks and feels very similar to the older Telnet protocol, which runs on TCP port 23, but all of the communication used by Telnet is sent in the clear across the network. If you want an encrypted connection to that remote device, you'll always want to use Secure Shell.

There's a great deal of security built into SSH, which is why it's a great utility for connecting to a remote terminal. Since all of the SSH communication is encrypted, there's no way for anyone to perform a packet capture and somehow determine what your username and password might be. You can strengthen SSH further by changing how you authenticate. For example, SSH supports public/private key pairs, which can be used alongside or, better, instead of passwords for connecting to that remote device. As a best practice, it's a good idea to disable remote access for certain usernames; for example, the root account on a Linux machine is the superuser of that device, and you probably don't want people logging in as root over SSH. Some organizations have completely removed all password-based authentication and require a key pair or an SSH certificate to authenticate to these remote devices. You can also limit who's able to connect based on IP address, by configuring a filter or network firewall to only allow access from certain IP address ranges (OpenSSH's own AllowUsers and Match Address directives can enforce the same restriction on the server itself).

Many organizations have outsourced the monitoring and ongoing maintenance of their networks to a managed service provider, or MSP. The MSP will often use a tool known as an RMM, for remote monitoring and management, to provide that service. An RMM gives the MSP a way to monitor and manage all of its customers from one single console. From that console your MSP can patch operating systems, log in remotely to a device, monitor for security anomalies, and maintain an inventory of your hardware and software.

Here's an example of an RMM that I've used. You can see on the left side that this MSP has six different companies that they can access, and right now we're looking at Company 5, which has three different locations: HQ5, LA Office 5, and New York Office 5.
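The SSH hardening advice above (no root login over SSH, keys or certificates instead of passwords, access limited to known users and addresses) is easy to state and easy to get subtly wrong in sshd_config, because OpenSSH takes the first value it sees for a keyword and treats anything after a Match line as conditional. The Python script below is an added example, not code from the original page: it reads an sshd_config the way sshd does for those two rules and reports the weak settings. Both configurations inside it are constructed for illustration (the usernames ops-admin and deploy and the 10.20.30.0/24 management network are assumptions); the values it assumes when a keyword is absent are OpenSSH's own defaults.

```python
"""Check an OpenSSH sshd_config for the hardening discussed on this page: no
root login over SSH, no password authentication (keys or certificates only),
and logins limited to named users and source addresses.

Added example, not from the original page. Both configurations below are
constructed for illustration; the keyword semantics and defaults are OpenSSH's.
"""
from __future__ import annotations

import re

WEAK_SSHD_CONFIG = """\
# Constructed example: the kind of sshd_config that invites brute force.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# Constructed example: the same server after the changes the page recommends.
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# Only these accounts, and only from the management network (10.20.30.0/24 is
# an assumption for this example); the perimeter firewall should enforce the
# same source range. AllowUsers accepts USER@HOST patterns.
AllowUsers ops-admin@10.20.30.* deploy@10.20.30.*
"""

# What sshd assumes when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}

# sshd accepts "Keyword value" and "Keyword=value" forms.
_DIRECTIVE = re.compile(r"^([^\s=]+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global directives, keyed by lower-cased keyword.

    Two OpenSSH rules matter for an audit: for each keyword the *first*
    value wins (later duplicates are ignored), and everything after a
    Match line applies only to matching connections, so the global view
    stops there. Comments and blank lines are skipped.
    """
    effective: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        effective.setdefault(keyword, value)
    return effective


def audit_sshd_config(text: str) -> list[str]:
    """Return one finding per weakness; an empty list means the config passes."""
    cfg = parse_sshd_config(text)
    root = cfg.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    password = cfg.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower()
    # ChallengeResponseAuthentication is the pre-8.7 name for the same keyword.
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication",
                          DEFAULTS["kbdinteractiveauthentication"])).lower()
    findings: list[str] = []
    if root != "no":
        findings.append(f"PermitRootLogin is '{root}'; set it to 'no'")
    if password != "no":
        findings.append("PasswordAuthentication is enabled; require keys or certificates instead")
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication is enabled; PAM can still prompt for a password")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups; every local account is an SSH login target")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(conf) or "passes")
```

To audit a real host, read /etc/ssh/sshd_config into `audit_sshd_config`; remember that the firewall rule and the AllowUsers pattern need to agree, and that `sshd -T` prints the effective configuration if you want to cross-check the parser.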
You can see across those that we're looking at the LA office right now, and the LA office has a file server, there's Karen's laptop, there are domain controllers, and a file server. We can also see a status of how those devices are running, and we can get detailed information about the monitoring and ongoing performance of each individual device.

This remote monitoring and management tool has access to many different customers from one single screen. That makes it very attractive to an attacker, because once they get access to the RMM, they have access to many different companies at once. This is why access to this console should be very tightly controlled and limited to only authorized users. We might also want to require multi-factor authentication for anyone who logs into the RMM console, and we might want to perform ongoing auditing so that we know exactly who's connecting to it.

As our cloud infrastructures became larger and larger, we needed a better way to remotely connect to and manage these virtual machines. One answer was SPICE, the Simple Protocol for Independent Computing Environments, which is commonly used with QEMU/KVM virtual machines. This allows us to view and control the remote desktop of a virtual machine using a very lightweight and easy-to-use protocol, and it provides a seamless remote control solution across many different operating systems running in many different virtual machines. If you've ever used any type of remote control software, then running a SPICE client is going to feel very similar. SPICE excels at very efficient graphics rendering and very fast response times, and you're able to integrate with that remote operating system by sharing folders and the clipboard between your device and the SPICE-enabled virtual machine.

When you run a script on a Windows machine, you normally have to connect to that Windows machine, run the script, and then look at the results on something like a remote desktop or remote terminal screen. But what if you could send that script to a remote Windows device, have it run the script there, and have all of the results sent back to you, without interactively connecting to that remote device? You can do that using Windows Remote Management, or WinRM, which is the transport underneath PowerShell Remoting and listens on TCP port 5985 for HTTP and 5986 for HTTPS. WinRM is turned on by default on current Windows Server versions (it is not on Windows client editions), so all the administrator needs to do is send the script to that Windows server. The administrator will, of course, need to authenticate to the remote device when sending the script, to prove they are authorized to run it there. The script then runs on the remote server, and the resulting information is all sent back to the original screen so you can evaluate what occurred.

I used WinRM on my local device to run a script on an external server. My local device is the NACO lab server, and I'm connecting to a server that's elsewhere on the network called Atlantis Lab PC. I'm running a script that performs a Get-WmiObject query for all of the Win32 services, so this should tell me all the services running on that remote device. When I send this over, it asks for authentication; I add my username and my password, and what I receive in return are the results of that script that ran on the remote server. I didn't have to perform a remote desktop connection to that device or interactively connect through a console or terminal. I simply used WinRM to run that script remotely.

You might also find a number of third-party tools that provide different remote management capabilities. If you need to perform screen sharing, you can use GoToMyPC, TeamViewer, or a similar third-party utility. If you want to video conference, there are many options on the market; two of the most popular are Zoom and Webex. You might also find tools that make it easy to store and transfer files between systems: if you're using Dropbox, Box.com, or Google Drive, then you've taken advantage of this kind of file synchronization technology. And if you're performing ongoing desktop management of systems, monitoring and updating them, you might be using Citrix Endpoint Management or ManageEngine Desktop Central. All of these third-party utilities have advantages and disadvantages, but the key to all of them is making sure that we use appropriate security: multi-factor authentication, and limiting access to only the people who are authorized.
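The open-port check described at the start of the page tells you that something is listening on TCP 3389, 5900 or 22; it does not tell you what, or whether an RDP listener will let an unauthenticated client reach the login screen. The Python below is an added example, not code from the original page. It fingerprints SSH, VNC and Telnet from the first bytes they send, and for RDP it builds the X.224 connection request from Microsoft's MS-RDPBCGR specification asking for legacy RDP security only: a server that enforces Network Level Authentication answers with an RDP_NEG_FAILURE of HYBRID_REQUIRED_BY_SERVER, while one that accepts the request (or merely insists on TLS) is still exposing a pre-authentication session to anyone who can reach the port. The parsers work on captured or constructed bytes; only probe_host() talks to a real host.

```python
"""Fingerprint the remote-access services discussed on this page from what
they put on the wire, and check whether an RDP listener enforces Network Level
Authentication (NLA) or will still negotiate a legacy, pre-authentication
connection. Added example, not code from the original page. Only probe_host()
touches the network; the parsers run on captured or constructed bytes.
"""
import socket
import struct

# RDP negotiation constants from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE).
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2  # HYBRID = CredSSP, i.e. NLA
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
HYBRID_REQUIRED_BY_SERVER = 0x5
FAILURE_CODES = {
    0x1: "SSL_REQUIRED_BY_SERVER", 0x2: "SSL_NOT_ALLOWED_BY_SERVER",
    0x3: "SSL_CERT_NOT_ON_SERVER", 0x4: "INCONSISTENT_FLAGS",
    0x5: "HYBRID_REQUIRED_BY_SERVER", 0x6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def rdp_connection_request(requested_protocols: int) -> bytes:
    """Build a TPKT-framed X.224 Connection Request carrying an RDP Negotiation Request."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224: length indicator 14, CR TPDU (0xE0), dst-ref 0, src-ref 0, class 0
    x224 = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req
    # TPKT: version 3, reserved 0, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_rdp_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm.

    Three outcomes matter: a bare 11-byte confirm (server only speaks legacy
    RDP security), an RDP_NEG_RSP naming the selected protocol, or an
    RDP_NEG_FAILURE explaining why the request was refused.
    """
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT frame")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if data[5] & 0xF0 != 0xD0:  # CC TPDU code lives in the high nibble
        raise ValueError("not an X.224 Connection Confirm")
    if tpkt_len == 11:
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP}
    if len(data) < 19:
        raise ValueError("truncated negotiation data")
    kind, flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if kind == TYPE_RDP_NEG_RSP:
        return {"kind": "response", "selected_protocol": value, "flags": flags}
    if kind == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "failure_code": value,
                "reason": FAILURE_CODES.get(value, "unknown")}
    raise ValueError(f"unexpected negotiation structure type {kind:#x}")


def rdp_nla_enforced(reply_to_legacy_request: bytes) -> bool:
    """Given the reply to a request that asked for PROTOCOL_RDP only, report
    whether the server refuses anything short of NLA. SSL_REQUIRED_BY_SERVER
    is deliberately *not* counted: TLS without NLA still shows a login screen."""
    parsed = parse_rdp_connection_confirm(reply_to_legacy_request)
    return parsed["kind"] == "failure" and parsed["failure_code"] == HYBRID_REQUIRED_BY_SERVER


def classify_banner(first_bytes: bytes) -> str:
    """Identify SSH, VNC (RFB) and Telnet from the first bytes a server sends."""
    if first_bytes.startswith(b"SSH-"):  # e.g. b"SSH-2.0-OpenSSH_9.6\r\n"
        return "ssh " + first_bytes.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    if first_bytes.startswith(b"RFB "):  # RFB ProtocolVersion, e.g. b"RFB 003.008\n"
        return "vnc " + first_bytes[:11].decode("ascii", "replace")
    if first_bytes[:1] == b"\xff":  # Telnet IAC option negotiation: cleartext protocol
        return "telnet"
    return "unknown"


def probe_host(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to one port and report what is listening (real network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port == 3389:  # RDP sends nothing first; we must open the negotiation
            s.sendall(rdp_connection_request(PROTOCOL_RDP))
            reply = s.recv(64)
            return f"rdp {parse_rdp_connection_confirm(reply)} nla_enforced={rdp_nla_enforced(reply)}"
        return classify_banner(s.recv(64))


if __name__ == "__main__":
    import sys
    print(probe_host(sys.argv[1], int(sys.argv[2])))
```

Run it as `python probe.py <host> 3389` (or 5900, 22, 23) against a host you are authorized to test. The RDP check is the one worth scripting across an estate: a `legacy` or `response` outcome for a request that offered only PROTOCOL_RDP means the listener hands a login screen to anyone who connects, which is exactly the brute-force exposure the page warns about.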