Remote network access is a practical technology for enterprise information systems. It can be implemented in several ways, such as a VPN or a remote-control tool, and Remote Desktop Web Connection is one of the best of them. For example, many enterprises leave an entry point to the enterprise intranet on their portal site, so that employees who are away from the office can keep up with company information in real time and reach the relevant internal systems as needed.
Put simply, with Remote Desktop Web Connection the client connects to the enterprise's Web server, which relays the session to the Terminal Server on a specific computer. Most importantly, no plug-ins need to be installed on the client. This is why Remote Desktop Web Connection is favored by many network administrators.
However, because no configuration is required on the client, the security of the remote connection rests entirely on the enterprise Web server. For this reason, software related to Remote Desktop Web Connection provides advanced security settings. The following uses the IIS plug-in built into Windows Server 2003 as an example to describe how to configure the security of a Remote Desktop Web connection.
1. Whether anonymous access is allowed
When considering the security of Remote Desktop Web Connection, the first question is whether anonymous access is allowed. If it is, select the "Enable anonymous access" check box. During installation the system already creates a public account for anonymous users; you can also specify the account and the permissions it needs yourself. Anonymous users then log on without supplying a user name or password; the default account and password provided by the system are used on their behalf.
If anonymous logon is not allowed, leave this check box clear. You then need to select a specific authentication method under "user access requires authentication".
Generally, if the Web server serves the public, "Anonymous access" must be enabled. But if the same public Web server also gives internal staff a channel into the enterprise intranet, that part of the site should be kept as a separate Web page set to "user access requires authentication", with an authentication method chosen according to your security requirements.
2. Select an authentication method based on the security level
The IIS plug-in provided with Windows Server 2003 offers three main authentication methods. They correspond to different security levels and have different compatibility.
The first is "Digest authentication for Windows domain servers". It requires Active Directory, that is, it authenticates domain user accounts. It sends hash values over the network rather than the password itself, so its security is very high. In addition, this method is usually unaffected by firewall configuration: because the digest passes through proxy servers and other firewalls intact, it works across them, and it is also available for Web Distributed Authoring and Versioning (WebDAV) directories. If the enterprise has a domain environment, this is the preferred authentication method.
The second is "Basic authentication". The biggest difference from the first method is that Digest sends hash values over the network, whereas Basic sends the password in plaintext. This method has advantages and disadvantages. The advantage is that it fully complies with the HTTP specification, so most browsers support it: not only Microsoft's Internet Explorer, but also the Mozilla browser on Linux. The disadvantage is that the account name and password are both transmitted in plain text, so its security cannot be guaranteed.
The third is ".NET Passport authentication". This method is not tied to the operating system and is compatible with most browsers on the market. Many portal sites now offer "one-stop access", where a single network passport gives access to blogs, e-mail, online stores and so on; this is the technology they use. .NET Passport lets the site administrator create a single user name and password that grants secure access to every Passport-enabled Web site and service. Authentication is performed by a central server instead of each site maintaining its own authentication system, so a site can leave authentication to Passport and give visitors a "one-stop account".
Of the three authentication methods, the comparison favors the third.
On the one hand, ".NET Passport authentication" is not restricted by operating system or browser version. Digest authentication for Windows domain servers, by contrast, must work with Active Directory accounts, which is a considerable limitation: besides a domain environment, Microsoft Internet Explorer is also required.
It is usually difficult for users to meet both requirements, so although its security is relatively high, it cannot be applied widely.
Secondly, although "Basic authentication" has good compatibility, its security is greatly compromised because the user name and password travel in plaintext, so it is not the best choice.
".NET Passport authentication" not only has good compatibility but also provides "one-stop" access. Enterprises can integrate related services, such as e-commerce and OA systems, into the Web server, and employees do not have to switch accounts when moving between application services. This is more user-friendly.
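As an added example (not code from the original article), the following Python shows the on-the-wire difference between the Basic and Digest methods compared in this section: Basic sends the user name and password Base64-encoded, which anyone on the path can read back, while Digest sends only a nonce-bound MD5 hash that the server checks against a stored HA1. The credentials, realm and request path are constructed values.

```python
import base64
import hashlib
import secrets

# Constructed sample values; the realm and URI are assumptions, not from the article.
USER, PASSWORD, REALM, URI = "alice", "s3cret!", "intranet", "/tsweb/default.htm"


def basic_authorization(user, password):
    """Authorization header that Basic authentication sends with every request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def credentials_seen_on_wire(header):
    """What an observer on the path learns from a Basic header: Base64 is an
    encoding, not encryption, so user name and password are read back directly."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 is what a Digest server stores instead of the clear-text password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri):
    """Client side of RFC 2617 Digest (without qop): only this hash crosses the
    network, and it is bound to the server's nonce, so it is useless on a new challenge."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def digest_server_accepts(stored_ha1, nonce, method, uri, response):
    """Server recomputes the expected response from its stored HA1 and the nonce it issued."""
    expected = digest_response(stored_ha1, nonce, method, uri)
    return secrets.compare_digest(expected, response)


def compare_on_wire():
    """Summarise what leaks in each scheme for the constructed credentials."""
    basic_header = basic_authorization(USER, PASSWORD)
    nonce = secrets.token_hex(16)  # fresh nonce per server challenge
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    response = digest_response(ha1, nonce, "GET", URI)
    return {
        "basic_password_recoverable": credentials_seen_on_wire(basic_header) == (USER, PASSWORD),
        "digest_password_on_wire": PASSWORD in response,
        "digest_accepted": digest_server_accepts(ha1, nonce, "GET", URI, response),
        "digest_replay_on_new_nonce": digest_server_accepts(ha1, secrets.token_hex(16), "GET", URI, response),
    }
```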
3. Filter users' access through "IP address and domain name restrictions"
Remote Desktop Web access comes in two kinds. The first is access by ordinary employees, who use the Web server as a stepping stone into the enterprise's internal systems when they are away from the company. The second is administrative access, in which the network administrator manages the related application servers remotely.
IP address restrictions should therefore be applied according to the type of use to improve the security of the Web connection.
For example, you can deny all intranet IP addresses and leave only the network administrator's address. Enterprise employees are then prevented from reaching internal application systems through the Web connection from inside the intranet, which they have no need to do anyway, since employees on the premises can access those systems directly over the internal LAN.
IP address and domain name restrictions are therefore a good security control.
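As an added example (not from the original article), the Python below models the policy just described, intranet ranges denied except for the administrator's workstation, and replays it over IIS-style W3C extended log lines to find requests that the restriction should have refused. The administrator address, intranet ranges, the "/tsweb/" directory name and the log lines are all constructed.

```python
import ipaddress

# Constructed policy values; the administrator's address, the intranet ranges and the
# "/tsweb/" virtual-directory name are assumptions, not taken from the article.
ADMIN_WORKSTATION = ipaddress.ip_address("10.0.5.20")
INTRANET_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def access_granted(client_ip):
    """Model of an 'IP address and domain name restrictions' policy: access granted
    by default (remote employees), intranet ranges denied as exceptions, and the
    network administrator's workstation allowed through for remote management."""
    ip = ipaddress.ip_address(client_ip)
    if ip == ADMIN_WORKSTATION:
        return True
    return not any(ip in net for net in INTRANET_RANGES)


def audit_w3c_log(log_text):
    """Replay the policy over W3C extended log lines and return the (client ip, path)
    pairs that should not have been served. The '#Fields:' header names the columns,
    so the parser does not assume a fixed position for c-ip or cs-uri-stem."""
    fields, refused = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        row = dict(zip(fields, line.split()))
        if "c-ip" in row and not access_granted(row["c-ip"]):
            refused.append((row["c-ip"], row.get("cs-uri-stem", "-")))
    return refused


# Constructed sample log (not real traffic); column order follows the #Fields: header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-01 08:00:01 203.0.113.7 GET /tsweb/default.htm 200
2004-03-01 08:01:15 10.0.5.20 GET /tsweb/default.htm 200
2004-03-01 08:02:40 192.168.3.44 GET /tsweb/default.htm 200
2004-03-01 08:03:02 10.0.9.9 GET /tsweb/connect.asp 200
"""
```

Running `audit_w3c_log(SAMPLE_LOG)` over the sample flags the two intranet clients other than the administrator; the same check applied to real logs shows whether a restriction is actually in force.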
4. Require a secure channel to protect data in transit
The IIS plug-in built into Microsoft's server also supports secure channel settings. On the "Secure communications" tab you can configure the security of the channel over which the Remote Desktop Web connection runs: for example, select "Require secure channel" and then "Require 128-bit encryption". The communication channel is then encrypted with SSL, and the data inside it is encrypted with a 128-bit key, which gives the data transmitted over the network dual protection.
For enterprises with high security requirements, for example those that integrate e-commerce modules into their portal sites, we recommend using this secure channel to maximize the protection of data.