Thread: Remote Desktop Security

  1. #1
    Join Date
    Aug 2008
    Posts
    1

    Remote Desktop Security

    My boss is getting on me that LogMeIn isn't secure because it just uses a username and password. Does anyone have any ideas on making it more secure?

    Thanks

    pavel

  2. #2
    Join Date
    May 2008
    Posts
    28
    It depends what you mean: do you want to limit the number of people able to use remote desktop, or do you want more credentials for logging into it?

  3. #3
    Join Date
    Aug 2008
    Posts
    5
    Hi psmithson,

    Your boss has an interesting point. As more and more of our data moves online, keeping it secure will become more essential. Take the example of Google Docs, which seems to be one of the steps towards computing moving away from the desktop and into Cloud Computing. This will mean more of our information (sensitive business material, embarrassing pictures) will become more and more accessible from any terminal.

    That's great, but it makes me worried about how many people will become susceptible to identity theft and content theft. Over 8 million people got their identity stolen last year in the USA, I think a good percentage of that was due to password mismanagement.

    I know my parents use really obvious passwords, you know, the usual stuff: birthdays, college, etc. Not very secure at all! I won't trust employees to enter secure passwords either.

    So one way to counter this is to use two-factor authentication, which basically means you use two things to prove that you are you.

    A solution that has just been released and aimed at LogMeIn is a service called PhoneFactor.

    From what I have read, you receive a call whenever you try to log into a gateway secured by PhoneFactor. So if you tried to use LogMeIn you would have to prove your identity using your password and username (1st factor) and then also receive a call on your phone (2nd factor).

    I haven't used it myself but it looks very good from what I have read. Does anyone have practical experience with this service?
    Last edited by pavelb; 07-09-2008 at 11:46 PM.

  4. #4
    Join Date
    Apr 2008
    Posts
    163
    The concept of phone factor is very interesting. I am hearing about such a service for the first time! Although the login time will be long and extended, this will prove to be a boon for organizations where security is of utmost importance. Thank you pavelb for sharing this knowledge with us. If anybody has any experience with phone factor service, please share it here. Such information will be beneficial for many.
    God is REAL... unless declared an INTEGER

  5. #5
    Join Date
    Aug 2008
    Posts
    2

    Thanks

    I am a newbie in the forums. But we use logmein at work, however we don't have phonefactor. 2-factor authentication seems very interesting.

    Is phone-factor free for companies too?

  6. #6
    Join Date
    Aug 2008
    Posts
    5
    Hi paulb,

    I know that PhoneFactor have a free prepackaged solution for LogMeIn Pro and LogMeIn IT users, so that could work for you.

    Also, for securing other enterprise resources like Corporate E-Mail, Citrix Web Interface and Terminal Services, it is easily integrated.

    IT departments love it because it's easy to set up and manage, and users love it because they don't have to carry those security tokens and enter long complex PINs. Also, for regulatory compliance issues it offers a rapid, cost-effective way to comply with PCI Data Security Standards and other industry regulations.

    So it's a great product for companies.

  7. #7
    Join Date
    Aug 2008
    Posts
    25
    I allow employees in our company to use LogMeIn and I have some that use Remote Desktop.

    There are several things to think about when it comes to security and logmein.

    - Browser, when you initially log in to LogMeIn, the browser (IE) asks you if you want the browser to remember the password. If the user accepts, then you might have started to compromise the security of your company’s data.

    Let’s say that a person has been able to login to LogMeIn and that person is not an authorized user, what can he do?
    Basically, the only thing that he has at this point compared to remote desktop is that he can see a list of computers which the user usually logs in to. Using remote desktop from the same machine, he will see the IP addresses that the user is logging in to. Sometimes you can also see the domain name if the user has been using VPN.
    In both scenarios, he needs to know a username (sometimes not) and a password to make a successful logon.

    Is LogMeIn less secure in this situation? No

    - Data transmitted. With LogMeIn, data is being sent over SSL (Secure Socket Layer), which is a negotiation between the end user's browser and the server that is saying that all data being sent between the two is going to be encrypted. If anyone intercepts the data, they will not be able to decrypt the data and find the username and/or password.

    With remote desktop, if you are using a later version (higher than 6) then by default, all your data (username, password) is encrypted much like LogMeIn, with 128-bit.

    To make your network more secure, you have to create a Virtual Private Network (VPN) which will encrypt all data including the initial connection that is made to your network, which LogMeIn and remote desktop do not.

    Also, having users forced to change their password every 15 or 30 days, with a strong password required (forcing the user to create a password with letters, numbers, and special characters), will greatly improve the security of your company.

  8. #8
    Join Date
    Aug 2008
    Posts
    2

    Couple points

    I've wondered a lot why there is a difference between security and authentication in the minds of IT managers. I think the reason is that security has to do with systems, while authentication has to do with people. PhoneFactor is useful on top of LogMeIn because it is people that are susceptible to weakness, giving away and employing weak password habits. Second, it turns out that PhoneFactor on LogMeIn is pretty convenient. Put in username and password to LogMeIn account, and receive a phone call (to which you respond #). Not really that inconvenient (or expensive) for a quality 2-factor capability.

  9. #9
    Yogesh Guest
    Hi petyaj, welcome to TechArena. You can Introduce Yourself.

    The difference you pointed out between security and authentication is much appreciated. The advantage of phone factor is thus justified with this. And it is indeed not a very complicated process to club phone factor with LogMeIn. And 2-factor capability will be anyhow more secure.

  10. #10
    Join Date
    Aug 2008
    Posts
    5
    If anyone wants to try out what we have been talking about on this thread without having to install or download anything.
    Last edited by pavelb; 14-09-2008 at 12:52 AM.

  11. #11
    Join Date
    Aug 2008
    Posts
    2

    Convenience

    Interesting point Nikita made about convenience. Any security or authentication procedure is a compromise in convenience. The PhoneFactor solution, for example, places an outbound call to the user once the username and password are submitted. User picks up the phone and hits "#." So yes, a bit of a sacrifice. But not much...

  12. #12
    Join Date
    Aug 2008
    Posts
    5
    Yes, convenience in authentication and also the fact that you don't have to carry around any extra piece of kit!

    My link did not show up on the above post. Try the PhoneFactor demo over at this site: www.phonefactor.com

  13. #13
    Join Date
    Mar 2008
    Posts
    416
    Well, just reading you guys' opinions & this phone factor. Don't you think your phone no. can also be changed?
    I am a noob in the security & Internet area, but just a wild thought!

  14. #14
    Join Date
    Aug 2008
    Posts
    2

    Thanks..

    Wow... Wonderful discussion. Thanks everyone for this excellent discussion and pointing out benefits of 2-factor authentication. Seems to me that there is a lot of excitement about PhoneFactor in these forums. I am going to work with our IT group to look into installing PhoneFactor with LogMeIn.

    Thanks everyone.

  15. #15
    Join Date
    Aug 2008
    Posts
    5
    Quote Originally Posted by Amol21 View Post
    Well, just reading you guys' opinions & this phone factor. Don't you think your phone no. can also be changed?
    I am a noob in the security & Internet area, but just a wild thought!
    Well, you have to be at your computer to change the phone number, so really it's a non-issue if you are trying to protect from outside hacks.
