II. Risk of Remote Desktop in Universities
Continuous advancements have been made to improve Remote Desktop security; however, universities still remain as a major target for exploiting Remote Desktop vulnerabilities:
- Lack of security awareness - Although today's user is more IT savvy, lack of security awareness is still one of the leading causes for RDP exploits. Remote access users must be made aware of their security responsibilities.
Awareness training and formally documented policies and procedures can help inform remote access users on important security topics. Such training and policies should include best practices to adhere to when working outside of the office, firewall configuration and password requirements.
- Local Administrative Right - Most of the users are granted with local administrative right on their computers. With the administrative right, users have full control over the configuration and software installation of the computers.
In some cases, best practice of configuration may have been performed on local computers of users by IT department. However, since the local administrative right resides with the users, configurations can be easily modified or reset. Users who are not aware of the risks with using RDP access will be more susceptible to information disclosure attacks and brute force attacks.
- Use of 3rd party software - Users may use 3rd party software readily available on the internet for remote desktop access such as EchoVNC, iTALC, rdesktop, RealVNC Free and TightVNC. There may be vulnerabilities present in these 3rd party softwares which may be exploited by the attacker. For instance, vulnerability has been reported for TightVNC in March 2009, which can be potentially exploited by a malicious hacker to compromise a target computer. User awareness education and regularly update the version and security patch can reduce the adverse effect by the vulnerabilities. This can also be secured by using the highest level of encryption which encrypts the data transmission in both directions by using a 128-bit key.