Types of remote access software
There are different ways to remote into a system or computer. This guide will help you find the right one for your business and circumstances.
What it is
If you have a physical office, you may have computers and systems you need to access remotely. There are a number of ways to remotely access your systems, computers, or networks over the internet. But if you are allowing access over the internet, it's especially important to make sure it's secure so only the right people can connect to it.
Tip
If your business doesn't have a physical office that hosts systems and only uses cloud-based tools, you don’t need to worry about remote access software. Read our other tips about securing your business and your other cloud tools.
Why it matters
At CERT NZ, we see attackers taking advantage of weak or poorly implemented remote access solutions. When attackers take advantage, they could steal private information stored on your computer, access your accounts, scam others, or even deploy ransomware to stop you from using your systems unless you pay a ransom.
How to protect your business
There are a many different solutions to work remotely. Three common solutions are:
- virtual private network (VPN) software for example Wireguard, or OpenVPN
- cloud enabled remote access software for example Teamviewer, Chrome Remote Desktop, or Anydesk direct remote access software for example RDP, SSH, or VNC.
Use this guide to figure out which solution will work best for your business and your team.
Virtual private network (VPN)
How it works
Virtual private network software creates a tunnel between your remote computer or network and your office network. Setting up a VPN requires you to install, setup, or configure a server and a client, like your computer.
You could configure a server on your office network to run the VPN server software, or enable VPN features to set up the VPN server on your office router. Once you're connected to the VPN, you can access the same files and systems as if you were sitting in your office. The computer you are connecting from acts as though it is connected to the office network.
Tip
This is the same technology as the VPN you might have heard of in your personal life, for using overseas streaming services. It's used in a different way though – that type of VPN allows you to appear to be located somewhere else, where VPN software for your business securely connects you to your private office network.
Best for...
Businesses who have a small to medium-sized workforce who need access to multiple systems or services on the office network. It's ideal for a business who needs their staff to be 'virtually working' in the office, with access to all the same tools and systems they have when they are sitting at their desk.
It can also be used in conjunction with direct remote access software (without exposing direct remote access software to the internet) if you need to connect to many computers securely without exposing lots of devices on the internet to potential attackers.
Not so good for...
This is not a good option if you, third party vendors, or contractors only need access to a specific computer at work, and you don't need direct access to the entire network.
Important things to note:
- Use of private key or certificate authentication is preferable.
- If using credentials, use strong passwords and 2FA if possible.
- Keep up with your updates (especially your VPN server - or router firmware if using your router).
- Use an Allowlist of IP addresses that have permission to access your VPN server if possible.
- Avoid VPN protocols that have known security weaknesses that can't be fixed.
- Configure and review security and access logs.
- Check if the software used supports strong encryption.
- Check if the performance will suit your needs.
The details
Description | Advantages | Disadvantages |
---|---|---|
Authentication | Some of these solutions allow the use of private key or certificate authentication, removing the need for usernames and passwords which are easier to guess. Some solutions also allow multi-factor authentication (MFA) and other secure controls, like invalid login attempt limits. |
Authentication controls must be configured to be secure, and not every VPN software offers the same options. |
Authorisation |
As a central connection point, it is easy to manage incoming and outgoing connections. You can configure controls to allow users to part of the network as if they were working in the office. |
This level of access might be too much if staff or third parties just need access to a single machine or system. |
Encryption in-transit |
VPN software allows you to use encryption, so data is secured while being sent through the tunnel. There are multiple options, and it comes down to the type of VPN protocols used and the encryption they support. |
Not all encryption is created equal. Some VPN protocols have known weaknesses and should not be used, like PPTP. |
User accessibility | VPNs enable employees to take work machines home and connect into the work network. Note that if letting employees take work machines home, you should have additional controls to protect your business. |
If employees are allowed to use the VPN from personal devices, this presents the same risk as using personal devices on your work network. Employees taking a work device home may lose the work device or allow sensitive information or documents to be viewed outside of the office. |
Initial setup and maintenance |
Most VPN software vendors have guides to help you and your staff use their product. Most of these vendors also provide updates to their software when known vulnerabilities are discovered. |
Setting up a VPN server can take more time than other options. It also requires updates to software on the server, and sometimes on the remote computer if they are using downloaded software. |
Performance | VPNs can feel snappier because applications are running on the client machine, unlike remote desktop access solutions which requires more bandwidth to send and receive video. |
VPN software might have limits on how much traffic it can support. This could be due to limited internet speed, or your VPN server or router. Consider how many people will need to connect at the same time to work out if this option is viable. |
Attack surface |
If configured correctly and kept up-to-date, VPNs are generally safe to expose on the internet. Additionally, if your business needs to remotely access multiple devices, instead of exposing all devices on the internet, a VPN is a single exposed service you can focus on securing. |
It does still expose software to attackers. It's important to keep up with any updates, use strong authentication, and use additional controls like Firewalls to allow access to known IP addresses. |
Cloud-enabled remote access software
How it works
Cloud-enabled remote access software allows you to control a single computer at the office with a remote computer. To set this up, you need to download remote desktop software to the computer you need remote access to, and to use remote access software or a web browser on your remote computer.
These apps often don't require any special configuration like 'port-forwarding' which exposes devices or services directly to the internet. This can make them easier to set up.
The provider helps initiate the connections and you will typically need to authenticate to the provider. This means you can avoid some of the risks of exposing an application on the internet, but you will have to trust the provider to help keep you secure.
Products like Chrome Remote Desktop, Team Viewer, AnyDesk and LogMeIn are some examples of cloud-enabled remote access software.
Best for...
Cloud-enabled remote access software is a good option when you have a limited number of staff, third party vendors, or contractors who need access to a single computer.
Not so good for...
These types of remote access typically use quite a bit of internet bandwidth. This might limit you if you have a large number of staff needing remote access at the same time.
If you need quick and responsive applications, some cloud enabled solutions can have delays between taking an action, and seeing any results.
Some use cases might require direct access to your work network such as through a VPN. This is likely not possible when using cloud enabled or direct remote access software.
Important things to note:
- Use strong passwords.
- Use MFA if possible.
- Check if the vendor is reliable and trusted.
- Check if the software is still supported and patched by the vendor.
- Keep up with your updates.
- Configure and review security and access logs.
- Check if the software used supports strong encryption.
- Check if the performance will suit your needs.
The details
Description | Advantages | Disadvantages |
---|---|---|
Authentication | Some software allows multi-factor authentication (MFA) and other secure controls, like login attempt limiting. |
Authentication controls have to be configured, and not every desktop software offers the same options. Some software only requires a PIN which can be easy for attackers to guess, brute force, or phish. You must trust the vendor's authentication methods. |
Authorisation |
Allows you access to the computer as if you were sitting at your desk. For third parties, vendors or contractors who only need access to one computer, this could be a good solution. |
Cloud-enabled remote access software doesn't always have a central point to control who has access, so it can be difficult to control if you have multiple staff using their own remote desktop software. |
Encryption in-transit | Most vendors confirm that they use encryption. This is configured and enforced by the remote desktop software and requires no setup or user involvement. | Most remote desktop software uses proprietary protocols, which means you can't be sure how they work. You also don't have the ability to change these protocols or configurations yourself. |
User accessibility | Depending on the software, it may only require a user to download software or access a website (browser-based) on their remote computer. | Some staff may require help in getting the remote desktop software downloaded and installed on their work computer. |
Initial setup and maintenance | Initial setup is easy. It requires you to download software on your work computer and set up configurations. After that it will require periodic software updates. | Most remote desktop software uses their own proprietary protocols. This means the vendor is solely responsible for keeping it secured. |
Performance |
Both cloud-enabled and direct remote access software means you can control a powerful computer remotely from a less powerful one. This allows you to do more intensive work without having to transport the powerful computer. This type of software often streams a video of the screen, passing your keyboard and mouse input through to the office computer. Most of the processing is done on the office computer which means the main restriction in performance is likely your internet connection. |
Because remote access software often streams video and passes your keyboard and mouse input through to the office computer, there may be delays between your interactions and seeing the result on screen. If you plan to have many people using remote access software at the same time, your internet connection may not cope. |
Attack surface | You won't be exposing software directly to the internet for attackers to try attack. | You will have to trust the vendor brokering the remote access connection for you. |
Direct remote access software
How it works
Similar to cloud-enabled remote access software, direct remote access software can allow a user remote access to a computer. Instead of using proprietary vendor protocols, direct remote access software often uses common services that are built into the operating system – for example RDP, VNC, or SSH.
Exposing direct remote access services directly to users over the internet carries a large security risk because they need to be configured well to be secure. Instead of opening these remote access desktop protocols to the internet, you could consider using a VPN to connect to your work network first before using direct remote software to remote into specific machines.
Best for...
Accessing many devices on the same network remotely:
- without exposing it to the internet, or
- over a VPN connection.
Not so good for...
Businesses with workers who want to work from home using this system alone (without a VPN).
Important things to note:
- Use of private key or certificate authentication is preferable.
- If using credentials, use strong passwords and MFA if possible.
- Keep up with your updates.
- Configure and review security and access logs.
- Check if the software used supports strong encryption.
- Check if the performance will suit your needs.
The details
Description | Advantages | Disadvantages |
---|---|---|
Authentication |
Some of these solutions allow the use of private key or certificate authentication, removing the need for usernames and passwords which are easier to guess. Some solutions may allow multi-factor authentication (MFA) and other secure controls, like invalid login attempt limiting. |
Setting up private keys, certificates or multi-factor authentication can require additional effort and complexity. Most organisations don’t take these steps and end up using just usernames and passwords to access the remote service. |
Authorisation |
Allows you access to the computer as if you were sitting at your desk. For third parties, vendors or contractors who need access to multiple computers, this could be a good solution when paired with a VPN. |
Direct remote access doesn't always have a central point to control who has access, so it can be difficult to control if you have multiple staff opening ports and enabling direct remote access desktop protocols. |
Encryption in-transit | Not all direct remote access protocols use encryption. It will depend on the software you are using and if they configure it by default. For example, VNC is a common remote access service used for Apple devices. It does not encrypt traffic itself and therefore requires the software to add an additional layer of encryption when setting up a remote connection. | |
User accessibility | Using direct remote access services can require more technical knowledge than just accessing a browser or downloading a piece of software. | |
Initial setup and maintenance |
Direct remote access software is often included by default with your operating system. Maintenance can be straightforward. Direct remote access desktop services require you to keep the service and operating system it runs on up to date. |
Setup requires configuration such as opening ports and configuring firewall rules on the work computer to work outside of the local network. Configuring these settings securely can also be a challenge. This should be a task done with the help of the IT team. |
Performance |
Both cloud-enabled and direct remote access software let you control a powerful computer remotely from a less powerful one. This allows you to do more intensive work without having to transport the powerful computer. This type of software often streams a video of the screen, passing your keyboard and mouse input through to the office computer. Most of the processing is done on the office computer which means the main restriction in performance is likely your internet connection. |
Because remote access software often streams video and passes your keyboard and mouse input through to the office computer, there may be delays between your interactions and seeing the result on screen. If you plan to have many people using remote access software at the same time, your internet connection may not cope with multiple people streaming their desktop. |
Attack surface |
These direct remote access protocols and software are not typically designed with internet exposure and security in mind and require careful configuration to do so safely and securely. If you are wanting to access multiple devices remotely, each one would need to be exposed. Doing so provides an attacker more targets and chances that something wasn't configured correctly. Instead consider using a VPN to create a tunnel connecting you to the internal network. You could then use these direct remote access services to connect to a device allowing you to focus your efforts on securing the only exposed point, the VPN. |
Get help
If you need help deciding on remote access software or configuring your system, talk to your IT service provider.