Remote Assistance and Security Issues
Allowing access to files and folders on a computer is a key part of any network. To do this securely, file servers are often set up to use the NTFS file system; this enables an administrator to control who is and who is not allowed access to data on the server. The policy can be as liberal as allowing a user full control of all files or as limiting as allowing a user only read access to one file on the server.
Windows XP utilizes NTFS and file encryption. However, all it takes is one user account with elevated privileges in combination with Remote Assistance and all the effort spent in securing files is wasted. With Remote Assistance, a Helper has full control of all the files that the Novice has access to. While it is true that a Helper has to pass four different security checkpoints before getting remote control of the computer, once in, it takes only a few seconds of unmonitored control for a Helper to make disastrous changes to the computer, such as installing a permanent backdoor.
The following is a list of warnings to give to your users who employ the Remote Assistance feature of Windows XP:
Never open a Remote Assistance request file without being 100% positive of its origin. It is a simple thing for a hacker to create a fake program that uses the Remote Assistance icon. If a message with the Remote Assistance icon shows up in your mailbox, apparently from someone you know, it may be very tempting to double-click it to open it. Do not do this wantonly, as it could be a Trojan or virus that uses the same Remote Assistance icon.
Never send a Remote Assistance Invitation without a password. This is like sending someone a postcard in the mail with an announcement of your intended vacation and then leaving your house unlocked. If the message, or file, ended up in the wrong hands, a malicious person could hijack the invitation and attempt to abuse the Helper status.
Be sure to use a strong password. The Internet is full of hacker programs that can be used to guess your password. To prevent a successful guess, you must create a password greater than six letters, using at least one capital letter and one number (not in the first or last position) with an optional non-alphanumeric character (e.g., hApp1ne&&, iLov3y*u). Increasing the length and varying the characters will significantly decrease the chance that your password is guessed.
Reduce the Remote Assistance Invitation time limit to as short as possible. By reducing the time window, you are also reducing the chance that your invitation is abused. The less time a hacker has to exploit the connection, the less chance you have of being hacked.
Be completely sure to whom you are giving control. Script kiddies (pre-hackers) gain bragging rights by "owning" more computers than their friends. This makes it worth their while to attempt to socially engineer a session from you.
Never enable Remote Assistance on a security-sensitive computer. Any computer that contains mission-critical data should not be permitted to accept Remote Assistance calls. Allowing them creates the potential for a security breach. If assistance is necessary, an onsite support specialist with the proper clearance should be employed.
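The password rule in the list above can be checked mechanically before an invitation goes out. The following Python sketch is an added example, not part of the original text or of Windows XP; the function names are hypothetical, and it assumes the "not in the first or last position" restriction applies to the number only.

```python
MIN_LENGTH = 7  # the rule asks for a password "greater than six" characters


def check_invitation_password(password):
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("must be longer than six characters")
    if not any(c.isupper() for c in password):
        problems.append("needs at least one capital letter")
    # Assumption: only the number is barred from the first and last position,
    # so look for a digit in the interior of the string.
    interior = password[1:-1]
    if not any(c.isdigit() for c in interior):
        problems.append("needs a number that is not the first or last character")
    return problems


def has_symbol(password):
    """Optional rule: True if a non-alphanumeric character is present."""
    return any(not c.isalnum() for c in password)


if __name__ == "__main__":
    # The first two samples are the ones given in the text; the rest are
    # constructed here to show each rule failing. The empty string stands
    # for an invitation sent without a password.
    samples = ["hApp1ne&&", "iLov3y*u", "password1", "1Secret", "Ab1cde", ""]
    for pw in samples:
        problems = check_invitation_password(pw)
        verdict = "OK" if not problems else "REJECT: " + "; ".join(problems)
        symbol = "symbol" if has_symbol(pw) else "no symbol"
        print(f"{pw!r:14} {symbol:10} {verdict}")
```

Note that a trailing number ("password1") or a leading one ("1Secret") does not satisfy the rule, and that an empty password fails every check.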
By keeping these few points in mind, you can increase the security of your Remote Desktop sessions. However, there are plenty of other problems that can arise from poorly configured settings or network connection issues. The next segment will cover several of the most common errors that a user could see and will suggest ways to fix the problems.