Securing Remote Desktop Web Connection: Four Points to Note

  
Remote network access is one of the more practical technologies in enterprise information systems. It can be implemented in a variety of ways, such as VPNs and remote control tools, and Remote Desktop Web Connection is among the best of them. For example, many enterprises leave an entry point to the corporate intranet on their portal site. This lets employees who are away from the office get a real-time view of company information and reach the relevant internal systems when needed.

Put simply, a Remote Desktop Web Connection works by connecting to the corporate Web server, which then relays the session to the terminal server of a particular computer. Most importantly, no plug-ins need to be installed on the client. This is what makes Remote Desktop Web Connection popular with many network administrators.


However, because nothing is configured on the client, the security of the remote connection rests entirely on the corporate Web server. For this reason, the software that provides "Remote Desktop Web Connection" offers a fairly rich set of security settings. Below, the author takes the IIS plug-in that ships with Windows Server 2003 as an example and walks through the security settings of a Remote Desktop Web Connection.

1. Whether to allow anonymous access

When considering the security of a Remote Desktop Web Connection, the first question is whether anonymous access is allowed. If users are allowed to access the page anonymously, select the "Enable anonymous access" checkbox. By default, the system created a public account for anonymous users at installation time. Of course, you can also create your own account with the permissions you need and delete the default account and password the system provides. Anonymous users then log in without supplying a username and password.


If you do not allow anonymous logins, leave this box unchecked. You must then select a specific authentication method under "User access needs to be authenticated".

In general, if the Web server is for public use, enable "anonymous access". However, if the same Web server also provides a channel for internal employees to reach the intranet, set that particular page to "user access needs to be authenticated", and choose the authentication method that matches the enterprise's security requirements.



2. Select the appropriate authentication method

The IIS plug-in that ships with Microsoft Windows Server 2003 provides three main authentication methods. Different authentication methods correspond to different security levels and different degrees of compatibility.

The first is "Digest authentication for Windows domain servers". This type of authentication must be supported by Active Directory; that is, it is a domain-user authentication method. It sends hashes over the network, transmitting ciphertext rather than plaintext, so its security is very high. In addition, this type of authentication is usually unaffected by firewall configuration: digest authentication works across proxy servers and other firewalls, and it is available in Web Distributed Authoring and Versioning (WebDAV) directories. If the enterprise runs a domain environment, this is the preferred authentication method.


The second is the "Basic authentication" method. The biggest difference from the first method is that digest transmits a hash value over the network, whereas basic transmits the password over the network in clear text. This type of authentication has advantages and disadvantages. The advantage is that it fully complies with the HTTP specification, so it is supported by most browsers: not only Microsoft's IE browser, but also the Mozilla browser on Linux is fully compatible with it. The disadvantage is that, because the account and password are transmitted in plain text, its security cannot be guaranteed.


The third is the ".NET Passport authentication" option. This type of authentication is likewise independent of the operating system and is compatible with most browsers on the market today. Many portals now offer "one-stop access", meaning that a single network pass gives access to blogs, e-mail, online stores and so on. .NET Passport lets site administrators create separate usernames and passwords to secure access to every website and service that has .NET Passport enabled. This method uses a central server to authenticate users instead of each site hosting and maintaining its own dedicated authentication system. Authentication is thus decoupled from the specific application, giving visitors a "one-stop account".


Of the three authentication methods, the author prefers the third.

On the one hand, the ".NET Passport authentication" option is not constrained by operating system or browser version, whereas "Digest authentication for Windows domain servers" must work with Active Directory accounts. That restriction is fairly severe: it requires not only a domain environment but also Microsoft's Internet Explorer, and it is difficult for the average user to satisfy both requirements at the same time. So although its security is relatively high, it still cannot be applied widely.


Secondly, the "basic authentication" method has better compatibility, but because its username and password are transmitted in clear text, its security is greatly reduced. It is therefore not the best choice.

".NET Passport authentication" not only has good compatibility, it also provides a "one-stop" access mode. An enterprise can integrate related services, such as e-commerce and OA systems, on one Web server, and employees then do not need to switch accounts as they move between application services. This treatment is more user-friendly.
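The first two points (anonymous access and the authentication method) are both controlled by the same IIS 6 metabase property, AuthFlags, on the virtual directory that hosts the Remote Desktop Web Connection page. The script below is an added example written for this article, not code from the article or from Microsoft; it assumes the page lives in a virtual directory named "tsweb" under the default Web site (metabase path W3SVC/1), which you should adjust to your own layout.

```vbscript
' Added example: set anonymous access and the authentication method for the
' Remote Desktop Web Connection page through the IIS 6 metabase ADSI provider.
' Assumptions: default Web site is W3SVC/1 and the page's vdir is "tsweb".
' Run on the IIS server as an administrator:  cscript //nologo set-tsweb-auth.vbs
Option Explicit

' AuthFlags bits in the IIS 6 metabase
Const AUTH_ANONYMOUS = 1    ' "Enable anonymous access"
Const AUTH_BASIC     = 2    ' "Basic authentication" (password in clear text)
Const AUTH_NTLM      = 4    ' "Integrated Windows authentication"
Const AUTH_MD5       = 16   ' "Digest authentication for Windows domain servers"
Const AUTH_PASSPORT  = 64   ' ".NET Passport authentication"

' Replace the whole AuthFlags mask on one metabase path, then read it back.
' Any bit not included in flags is switched off, so omitting AUTH_ANONYMOUS
' is the same as clearing the "Enable anonymous access" checkbox.
Sub SetAuth(metabasePath, flags)
    Dim obj
    Set obj = GetObject(metabasePath)
    obj.AuthFlags = flags
    obj.SetInfo
    WScript.Echo metabasePath & " -> AuthFlags=" & obj.AuthFlags
End Sub

' Public portal pages: anonymous access only.
SetAuth "IIS://localhost/W3SVC/1/Root", AUTH_ANONYMOUS

' Remote Desktop Web Connection page: no anonymous access; one authenticated
' method only. AUTH_MD5 needs an Active Directory domain, AUTH_BASIC exposes the
' password on the wire, AUTH_PASSPORT needs the central Passport service.
SetAuth "IIS://localhost/W3SVC/1/Root/tsweb", AUTH_MD5
```

Setting AuthFlags on the virtual directory only affects that page; the rest of the site keeps its own setting, which is exactly the split between public pages and the intranet entry point that the article recommends. Combining bits (for example AUTH_MD5 Or AUTH_BASIC) is possible but lets a browser that cannot do digest fall back to clear-text basic, so it undoes the point of choosing digest.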



3. Filter user access with "IP address and domain name restrictions"

Remote Desktop Web access can be divided into two main categories. The first is access by ordinary employees who, when away from the company, use the Web server as a springboard to reach the enterprise's internal systems. The second is network administrators remotely managing the related application servers in the same way.

For each of these, you should restrict the permitted IP addresses according to the type of use, which improves the security of the Web connection.


For example, you can deny all IP addresses within the internal network, leaving only the network administrator's IP address allowed. This stops employees from reaching the enterprise's internal application systems through the Web connection while they are on the intranet. An employee doing so would only be taking an unnecessary detour, because employees can reach the company's systems directly through the internal LAN.

IP address and domain name restrictions are therefore a good security control mechanism.
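An IIS 6 IP restriction is either "granted by default with a deny list" or "denied by default with a grant list", so the two categories of access above map to two different settings. The script below is an added example for this article, not the article's own code; the virtual directory names "tsweb" (employee springboard) and "tsadmin" (administrator page) and the addresses 192.168.0.0/16 and 192.168.1.10 are placeholders to replace with your own.

```vbscript
' Added example: apply "IP address and domain name restrictions" to the
' Remote Desktop Web Connection pages via the IIS 6 metabase IPSecurity object.
' Assumptions: vdirs "tsweb" and "tsadmin" under W3SVC/1; addresses are placeholders.
Option Explicit

' Apply an IP restriction to one metabase path.
'   grantByDefault = True  : everyone allowed except the addresses in ipList (deny list)
'   grantByDefault = False : everyone denied except the addresses in ipList (grant list)
' Each entry is "address, mask"; a mask of 255.255.255.255 matches exactly one host.
Sub RestrictByIP(metabasePath, grantByDefault, ipList)
    Dim objVDir, objIPSec
    Set objVDir = GetObject(metabasePath)
    Set objIPSec = objVDir.IPSecurity          ' IIsIPSecurity object
    objIPSec.GrantByDefault = grantByDefault
    If grantByDefault Then
        objIPSec.IPDeny = ipList               ' only consulted when granting by default
    Else
        objIPSec.IPGrant = ipList              ' only consulted when denying by default
    End If
    objVDir.IPSecurity = objIPSec              ' write the object back to the metabase
    objVDir.SetInfo
    WScript.Echo metabasePath & ": GrantByDefault=" & objIPSec.GrantByDefault
End Sub

' Employee springboard page: reachable from outside the company, but denied to the
' intranet range, since users on the LAN can reach the internal systems directly.
RestrictByIP "IIS://localhost/W3SVC/1/Root/tsweb", True, _
             Array("192.168.0.0, 255.255.0.0")

' Administrator management page: denied to everyone except the administrator's
' workstation.
RestrictByIP "IIS://localhost/W3SVC/1/Root/tsadmin", False, _
             Array("192.168.1.10, 255.255.255.255")
```

After running it, a client outside the allowed set receives HTTP 403.6 ("IP address rejected") from IIS, which is a quick way to confirm the restriction is in force. Note that only the list matching the default mode is evaluated, so a host that must be exempt from a deny-by-default page has to appear in IPGrant, not merely be absent from IPDeny.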


4. Require a secure channel to improve data transmission security

Microsoft's own IIS plug-in also supports secure channel settings. In the "Secure Communications" tab you can configure the communication channel for the Remote Desktop Web Connection: select the "Require secure channel" option, and you can additionally select "Require 128-bit encryption". The connection then uses SSL for the communication channel, the data inside it is encrypted with 128-bit keys, and the data crossing the network is doubly protected.

For companies with high security requirements, such as those that integrate e-commerce modules into the portal, it is recommended to use this "secure channel" to protect data to the greatest extent possible.
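The two checkboxes on the "Secure Communications" tab correspond to the metabase properties AccessSSL and AccessSSL128. The script below is an added example for this article (not the article's own code) that sets both on the assumed "tsweb" virtual directory and then prints a summary of all four settings discussed above, so the finished configuration can be checked in one place.

```vbscript
' Added example: require SSL and 128-bit encryption on the Remote Desktop Web
' Connection page, then audit the settings from all four points of the article.
' Assumptions: default Web site is W3SVC/1 and the page's vdir is "tsweb".
Option Explicit

Const AUTH_ANONYMOUS = 1   ' AuthFlags bit for "Enable anonymous access"

' "Require secure channel (SSL)" plus "Require 128-bit encryption"
Sub RequireSSL(metabasePath)
    Dim obj
    Set obj = GetObject(metabasePath)
    obj.AccessSSL = True
    obj.AccessSSL128 = True
    obj.SetInfo
End Sub

' Read back the settings covered by the four points as one report string.
Function Audit(metabasePath)
    Dim obj, s
    Set obj = GetObject(metabasePath)
    s = metabasePath & vbCrLf
    s = s & "  Anonymous allowed : " & CBool(obj.AuthFlags And AUTH_ANONYMOUS) & vbCrLf
    s = s & "  AuthFlags         : " & obj.AuthFlags & vbCrLf
    s = s & "  IP grant by default: " & obj.IPSecurity.GrantByDefault & vbCrLf
    s = s & "  Require SSL       : " & obj.AccessSSL & vbCrLf
    s = s & "  Require 128-bit   : " & obj.AccessSSL128
    Audit = s
End Function

RequireSSL "IIS://localhost/W3SVC/1/Root/tsweb"
WScript.Echo Audit("IIS://localhost/W3SVC/1/Root/tsweb")
```

One caveat the tab does not enforce for you: a server certificate must already be installed on the Web site before AccessSSL is turned on. Once the flag is set, plain http:// requests to the page are answered with IIS error 403.4 ("SSL required"), and if no certificate is bound to the site there is no https:// alternative, so the page becomes unreachable until one is installed.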


Copyright © Windows knowledge All Rights Reserved