

Title:
SECURE REMOTE CONNECTION ENABLING SYSTEM
Document Type and Number:
WIPO Patent Application WO/2023/170504
Kind Code:
A1
Abstract:
A remote connection enablement system (500) is described comprising: a user computer (1) connectable to a telecommunication network (4); a remote computer (2) connectable to the user computer (1) via the telecommunication network (4) and provided with: a remote connection service software (8) configured to control a remote connection access port (9) of the remote computer (2); a security software (7) of said remote connection configured to interact with said service software (8). The system further comprises a management computer (3) connectable to the telecommunications network (4) and provided with management software (6) configured to interact with the protection software (7). The protection software (7) and the management software (8) are configured to: register (601) at the management computer (3) a user computer identifier (1), a user identifier (EM-1) and an identifier (IP-1) of the remote computer (2), associating them with each other; provide (602) by the user computer (1) to the management computer (3) via the telecommunication network (4) the user identifier (EM-1); acknowledge (602) by the management computer (3) the user identifier (EM-1) and open via the security software (7) and the management software (8) the access port (9) of remote connection of the user computer (1) to the remote computer (2).

Inventors:
PASTORE VALERIO (IT)
Application Number:
PCT/IB2023/051714
Publication Date:
September 14, 2023
Filing Date:
February 24, 2023
Assignee:
TAILOR VENTURES S R L (IT)
International Classes:
G06F21/30; H04L9/40
Foreign References:
EP3202114A1 (2017-08-09)
Other References:
ANONYMOUS: "IEEE 802.1X - Wikipedia", 6 March 2022 (2022-03-06), XP055963492, Retrieved from the Internet [retrieved on 20220921]
Attorney, Agent or Firm:
POSTIGLIONE, Ferruccio et al. (IT)
Claims:
CLAIMS

1. Remote connection enabling system (500) comprising: a user computer (1) connectable to a telecommunications network (4); a remote computer (2) connectable to the user computer (1) by means of the telecommunications network (4) and provided with: a remote connection service software (8) configured to control a remote connection access port (9) of the remote computer (2); a protection software (7) of said remote connection configured to interact with said service software (8); a management computer (3) connectable to the telecommunications network (4) and provided with a management software (8) configured to interact with said protection software (7); wherein the protection software (7) and the management software (8) are configured to: register (601) with the management computer (3) a user computer identifier (1), a user identifier (EM-1), and an identifier (IP-1) of the remote computer (2), associating them with each other; provide (602) by the user computer (1) to the management computer (3) via the telecommunications network (4) the user identifier (EM-1); recognize (602) by the management computer (3) the user identifier (EM-1) and open via the protection software (7) and the management software (8) the access port (9) of remote connection of the user computer (1) to the remote computer (2).

2. System (500) according to claim 1, wherein the protection software (7) and the management software (8) are configured to: receive at the management computer (3) via the telecommunications network (4) an additional user identifier different from said user identifier (EM-1); detect by the management computer (3) that the additional user identifier is different from said user identifier (EM-1); keep the access port (9) closed by means of the protection software (7) and the management software (8).

3. System (500) according to claim 1, wherein the protection software (7) and the management software (8) are further configured to: after recognizing (602) the user identifier (EM-1), send (604) from the management computer (3) to the user computer (1) a recognition code (RCOD); send (604) from the management computer (3) to the user computer (1) a connection file (10) containing said identifier (IP-1) of the remote computer (2) and an identifier of the access port (9) to be used for the connection.

4. System (500) according to claim 3, wherein the user computer (1), the protection software (7) and the management software (8) are configured to: launch (605) by the user (USR) and via the user computer (1), employing the connection file (10), a request for remote connection to said remote computer (2); enter (605) by the user (USR) in a dialog box managed by the protection software (7) the recognition code (RCOD); evaluate (606) by the protection software (7) the recognition code (RCOD) entered by the user; keep (606) the access port (9) open when the recognition code (RCOD) is recognized by the protection software (7); close (606) the access port (9) when the recognition code (RCOD) is not recognized by the protection software (7).

5. System (500) according to claim 1 or 3, wherein the protection software (7) and the management software (8) are configured to: verify, based on said identifier (IP-1) of said user computer (1), that a port of the remote computer (2) engaged in a remote connection is engaged with said user computer (1).

6. System (500) according to claim 1, wherein the system is configured to: establish a remote connection between the user computer (1) and the remote computer (2) via said access port (9); verify by the protection software (7) that said remote connection is active; disable the remote connection by closing the access port (9) when the remote connection is deactivated.

7. System (500) according to claim 6, wherein the system is configured to: disable by the protection software (7) said remote connection, closing the access port (9), when the remote connection is inactive for a time longer than a predetermined interval.

8. System (500) according to claim 1, wherein said protection software (7) is configured to: disable a folder share on a local network to which the remote computer (2) belongs.

9. System (500) according to claim 1, wherein said protection software (7) is configured to apply at least one of the following restrictions to the remote computer (2) when in remote session with the user computer (1): inhibiting/restricting browsing of the Internet-type computer network (4) via the remote computer (2); inhibiting services listening on the remote computer (2) so as not to allow access to third parties via additional services enabled on the remote computer (2); disabling activities on the user computer (1) that may impair the proper functioning of the remote computer (2), including: deletion of files responsible for the proper functioning of the remote computer (2), uploading of potentially malicious files or scripts from the user computer (1); inhibiting copying operations of specific data contained in the remote computer (2) to the user computer (1); authorizing remote access to the remote computer (2) only for a user computer (1) that is located in certain geographical locations and/or only has a specific IP address.

10. System (500) according to claim 1, wherein:

- said telecommunications network (4) is an Internet network; and/or

- said access port (9) and remote connection are in accordance with RDP, Remote Desktop Protocol.

Description:
SECURE REMOTE CONNECTION ENABLING SYSTEM

DESCRIPTION

TECHNICAL FIELD

[001] The present invention relates to remote access techniques for establishing connections between remote computers.

STATE OF THE ART

[002] In computer science, remote access (or also, "remote control") is a method which allows, from a remote computer and without theoretical limitation of distance, to take control of another computer by viewing its screen and manipulating the functions of an input device such as a keyboard. This access can be performed at workstations or servers, depending on the capabilities of the software used.

[003] Widely used is the Remote Desktop Protocol (RDP), a proprietary network protocol developed by Microsoft, which allows remote connection from one computer to another using the Windows graphical user interface (GUI), using TCP and UDP port 3389 by default.

[004] RDP clients exist for most versions of Microsoft Windows, Linux, Unix, macOS, Android, iOS. Official RDP servers exist for Windows operating systems, although some also exist for Unix-Like systems. The RDP application included with Windows is called Remote Desktop Connection.

[005] The Applicant has noticed that remote connections present critical security issues for the information accessible from the computer to which a remote user connects. For example, such critical issues arise in the case of remote working, when an employee of a company obtains, through his or her own user computer, remote access to a company server or workstation that often stores (either directly or via a network into which it is plugged) sensitive information for the company itself (e.g. industrial projects, commercial or financial information).

[006] One of the most common attacks that occur in Remote Desktop sessions is the man-in-the-middle attack, when a hacker (attacker) secretly observes and probably alters the communication between two parties.

[007] Another type of attack is information leakage when a temporary user or consultant connects from a computer that in such cases physically resides in the user's home. Such information leakage may take the form, for instance, of copying remote documents or sensitive information in the form of text onto one's own device.

[008] Another situation is that of RDP access by temporary (or non-temporary) consultants who could load viruses of any kind, such as ransomware, onto the remote computer.

[009] A situation of lack of control of the remote computer (occurring, for instance, during breaks from work or at night) makes the company server or workstation potentially accessible to unauthorised persons through 'brute force' attack activities, such as gaining access to the system through thousands of authentication attempts per minute. The latter is a prevalent type of attack in the Remote Desktop space.

SUMMARY OF THE INVENTION

[010] The present invention addresses the problem of providing a remote connection enablement system that offers greater security against attempted access by authorised and unauthorised persons than is achievable by conventional techniques.

[011] It is an object of the present invention to provide a remote connection enabling system as described by claim 1 and preferred embodiments thereof as defined by claims 2-10.

BRIEF DESCRIPTION OF THE DRAWINGS

[012] The present invention is hereinafter described in detail, by way of example but not limitation, with reference to the appended drawings, in which:

[013] - figure 1 shows schematically an example of a remote connection enabling system comprising at least one user computer and at least one remote computer;

[014] - figure 2 shows an example of a remote connection enabling method suitable for the system of figure 1.

DETAILED DESCRIPTION

[015] In this description, similar or identical elements or components will be indicated in the figures by the same identifying symbol.

[016] Figure 1 schematically shows an example of a remote connection enablement system 500 comprising at least one user computer 1 associated with a user USR, at least one remote computer 2, at least one management computer 3, such that they can communicate with each other via a telecommunication network 4 for the exchange of data/information. The telecommunication network 4 is, for example, an Internet network.

[017] User computer 1 may be, for example, a personal computer, lap top or tablet, or a mobile phone (e.g. smartphone), in use by the user USR, with an e-mail address EM-1 or other user identifier such as a mobile phone number.

[018] Remote computer 2 may be a server computer, a personal computer or a virtual machine, with which a corresponding administrator ADM2 is associated.

[019] Remote computer 2 is such as to allow remote access and thus the establishment of a remote connection. As is well known, remote access is a type of connection that is made between two or more physically separated computers by linking them together, normally via a computer network such as the Internet (in which case a remote connection is obtained), allowing more or less limited control of one of the two machines by operating from the other.

[020] Remote computer 2 is equipped with a corresponding remote access service software 8 (SW-RC). For example, such service software 8 is configured in accordance with the network protocol RDP (Remote Desktop Protocol) which is, as is known, a proprietary network protocol developed by Microsoft, which allows remote connection from one computer to another using the Windows graphical user interface (GUI). For such a connection, at least one RDP port 9 is used (i.e., as is known, TCP port 3389 and UDP port 3389). The service software 8 controls the closing and opening of RDP port 9.

[021] In addition, a protection software application 7 (ATK-PR) is installed at remote computer 2, which is configured to ensure that a remote connection is only permitted for authorised computers, in accordance with the requirements and manner described below.

[022] According to the example, user computer 1 is also equipped with service software configured according to the RDP (Remote Desktop Protocol) network protocol.

[023] Note that protection application 7 (ATK-PR) is such that the initial state of RDP port 9 is 'off' (i.e. port 9 is closed), and thus unreachable by any connection attempt.

[024] Consider the example situation in which remote computer 2 is a company server and the user USR is an employee who must use user computer 1 to connect remotely to remote computer 2, i.e., resulting in remote access with the establishment of a remote connection, which sees the opening of a remote session.

[025] The management computer 3 may be, for example, a server computer at which resides a management software 5 (SW-MNG) configured to manage, also via a related administrator ADM3, a protection service of the remote computer 2. The management software 5 of the management computer 3 is configured to exchange data/information with the protection application 7 installed on the remote computer 2. According to the example, the management computer 3 may be a central computer administered by a company providing a remote connection protection service.

[026] In particular, the management computer 3 may operate a web portal 6 (WB-PR) to which the protection application 7 of the remote computer 2 and the user USR may be connected via the user computer 1.

[027] The system 500 operates according to a method of enabling a remote connection 600, an example of which is described below with reference to the flowchart in figure 2.

[028] The method 600 comprises a registration step 601 at the management computer 3 of the user computer 1 and the remote computer 2. Specifically, at a memory of the management computer 3, identification data IP-2 of the remote computer 2 (e.g. its IP address) is recorded. In this recording, an access port identifier for the remote connection of the remote computer 2 (according to the example, access port 9) is also recorded.

[029] In addition, into the management computer 3, the e-mail address EM-1 of the user USR is registered, associating it with the specific remote computer 2, to which the user USR will want to connect. This e-mail address is an example of an identifier of the user USR that can be used. Advantageously, an address IP-1 of user computer 1 is also stored, associating it with that of the remote computer 2. For example, this registration operation can be carried out by the administrator ADM2 of the remote computer 2 via web portal 6.

[030] In a step of connecting to portal 602, the user USR of the user computer 1 proceeds to connect to the web portal 6 and enter his or her e-mail address EM-1 into it so as to be recognised by the management computer 3.

[031] If the e-mail address EM-1 of the user USR is recognised (first verification step 603), the management computer 3, by means of the management software 5, the security application 7 and the service software 8 of the remote computer 2, enables the opening of the RDP port 9 i.e., enables the possibility of an access to the remote computer 2 for a remote session requested by the USR user.

[032] Advantageously, this opening of the RDP 9 port is temporary, i.e. it is only valid for a predetermined time interval (e.g. 10 minutes). If the e-mail address entered is not recognised (i.e. it is detected as different from that preregistered EM-1), RDP port 9 is kept closed.

[033] Preferably, the method 600 comprises further steps of verification and/or recognition of the user and/or user computer 1.

[034] According to an example (symbolically illustrated in the figure, within the first verification step 603), following the above-mentioned recognition, the user USR receives at the corresponding e-mail address EM-1 a recognition code RCOD (e.g., an OTP, One Time Password), sent by the management computer 3, which registers it by associating it with the address IP-1 of the user computer 1.

[035] The USR user (in a data download phase 604) downloads into the user computer 1 from web portal 6 an RDP file 10 (F-RDP) in the form of a text file containing identification data of the remote computer 2 (e.g., its IP address, IP-2) and the RDP port 9 to be used for the connection.

[036] It should be noted that such a data download phase 604 is, advantageously, repeated with each connection request and in particular it is repeated each time the session of the remote computer 2 expires, with consequent closure of the RDP port 9. Another situation in which a further download of the RDP file 10 to the user computer 1 from the web portal 6 is required is when the IP address of the user computer 1 is changed, so that it no longer corresponds to the address IP-1 recorded in the registration phase 601, or also when the Windows credentials of a local user are changed.

[037] From RDP file 10, the user USR launches (launch step 605) a connection to the remote computer 2 by entering, for example, other credentials in order to be recognised by the network 4 (in particular, its own Active Directory credentials). During the access of the user USR to the remote computer 2 (access managed by the security application 7, via the user computer 1), the user enters the recognition code RCOD (for example, in a modal window, which cannot be deleted).

[038] In a second verification step 606, the recognition code RCOD is evaluated by the protection application 7 (residing at the remote computer 2) in accordance with the management software 5 of the management computer 3, and if it is recognised, the temporarily granted access is confirmed, resulting in a remote session. The protection application 7 cooperates with the service software 8 of the remote computer 2 to confirm the access.

[039] In the event that the recognition code RCOD is not recognised, an automatic disconnection is carried out and, in particular, protection application 7, via the service software 8 of the remote computer 2, closes the RDP port 9 preventing access to the remote computer 2.

[040] Advantageously, the method 600 further comprises a connection verification procedure such that it confirms whether or not the computer of a user with which the remote computer 2 has established the remote connection corresponds to the registered computer according to the registration step 601.

[041] Note that in implementing method 600, the protection application 7 applies "rules" downloaded from the management computer 3.

[042] When the USR user enters the recognition code RCOD (launch step 605, described above), the remote computer 2 (via the protection application 7) requests to the management computer 3 the user computer identifier (e.g., its IP-1), associated with that particular recognition code RCOD (as provided in the first verification step 603).

[043] In addition, the remote computer 2 is informed by the management computer 3 of the RDP connection port 9 (enabled at remote computer 2), as registered at management computer 3.

[044] The protection application 7 of the remote computer 2 verifies that the incoming remote connection on the RDP port 9 comes from a computer having the identifier IP-1 of the user computer 1: if so, the connection is granted; if not, the connection is disabled and the RDP port 9 is closed.

[045] In a particularly advantageous form of implementation, there is also a control procedure managed by protection application 7 whereby a remote connection already established is disabled (with closure of RDP port 9) if no activity is detected, i.e., if it is inactive. This inactivity (which may occur, for example, at night) can be detected by monitoring the user interfaces of user computer 1 (monitoring carried out, from remote computer 2 through protection application 7, in accordance with the rules defined by management computer 3 with its management software 5).

[046] In addition, it is possible to decide that the automatic disabling of the remote connection only takes place after a preset time interval of inactivity. The value of the time interval can be set by the administrator ADM2 of remote computer 2 on the web portal 6.

[047] To re-establish the connection, the user USR of the user computer 1 logs back on to web portal 6 and re-enters the e-mail address EM-1, unless it is still logged in. If security application 7 detects the same user computer identifier (i.e. IP-1 address) as the last connection, access is granted and RDP port 9 is opened.

[048] A further time interval may be set between a subsequent connection request and the last connection request, within which a new recognition code RCOD is not required. After the expiry of this further time interval, the user USR, via the web portal 6, can request a new recognition code (RCOD) to be used to complete the remote connection in the same way as described above.
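The method 600 (steps 601 to 606) together with the inactivity control of [045]-[048], modelled as an added Python example that is not part of the patent or of any product; the class names, the 10-minute open window, the 30-minute idle limit and the sample addresses are assumptions.

```python
from dataclasses import dataclass
import secrets

OPEN_WINDOW = 600    # seconds port 9 stays open awaiting the session (10 min, [032])
IDLE_LIMIT = 1800    # inactivity interval set by ADM2 on portal 6 (assumed value, [046])


@dataclass
class Registration:
    """Data recorded at management computer 3 in registration step 601."""
    email: str           # user identifier EM-1
    user_ip: str         # user computer identifier IP-1
    remote_ip: str       # remote computer identifier IP-2
    port: int = 3389     # RDP access port 9


class ProtectionAgent:
    """Protection application 7 (ATK-PR) on remote computer 2; port 9 starts closed."""

    def __init__(self):
        self.port_open = False
        self.opened_at = None
        self.session_ip = None
        self.last_activity = None

    def open_port(self, now):
        self.port_open, self.opened_at = True, now

    def close_port(self):
        self.port_open, self.opened_at, self.session_ip = False, None, None

    def check_idle(self, now):
        """Control procedure of [045]-[046]: close port 9 when the session is idle,
        or when the temporary opening of [032] was never used. Returns port state."""
        if self.session_ip is not None:
            if now - self.last_activity > IDLE_LIMIT:
                self.close_port()
        elif self.port_open and now - self.opened_at > OPEN_WINDOW:
            self.close_port()
        return self.port_open


class ManagementServer:
    """Management software 5 on management computer 3, reached via web portal 6."""

    def __init__(self):
        self.registrations = {}   # EM-1 -> Registration
        self.codes = {}           # RCOD -> (IP-1, issue time)
        self.agents = {}          # IP-2 -> ProtectionAgent

    def register(self, reg, agent):
        """Step 601, performed by ADM2 through the portal."""
        self.registrations[reg.email] = reg
        self.agents[reg.remote_ip] = agent

    def portal_login(self, email, now):
        """Steps 602-604: recognise EM-1, open port 9, issue RCOD and RDP file 10.
        An unknown identifier leaves the port closed (claim 2) and returns None."""
        reg = self.registrations.get(email)
        if reg is None:
            return None
        rcod = f"{secrets.randbelow(10**6):06d}"     # OTP, delivered to EM-1
        self.codes[rcod] = (reg.user_ip, now)         # RCOD bound to IP-1 ([034])
        self.agents[reg.remote_ip].open_port(now)
        rdp_file = f"full address:s:{reg.remote_ip}:{reg.port}"   # contents of file 10
        return rcod, rdp_file

    def lookup_code(self, rcod, now):
        """[042]: return the IP-1 bound to RCOD, or None if unknown or expired."""
        entry = self.codes.pop(rcod, None)      # single use
        if entry is None or now - entry[1] > OPEN_WINDOW:
            return None
        return entry[0]


def connect(server, agent, rcod, source_ip, now):
    """Steps 605-606 and [042]-[044] as seen by the protection agent: the RCOD entered
    in the modal window must be valid and the incoming connection must come from IP-1."""
    if not agent.port_open:
        return False
    expected_ip = server.lookup_code(rcod, now)
    if expected_ip is None or expected_ip != source_ip:
        agent.close_port()         # [039], [044]: disconnect and close port 9
        return False
    agent.session_ip, agent.last_activity = source_ip, now
    return True
```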

[049] Preferably, there is also a procedure for deactivating shared folders which is carried out, advantageously, when the protection application 7 is installed on the remote computer 2 and is activated. According to this procedure, the protection application 7 removes all folder shares with other computers that belong to the same local network to which remote computer 2 belongs. This prevents a hacker from uploading files to a shared local folder and then accessing it remotely, e.g. via the Server Message Block (SMB) protocol, which is mainly used by Microsoft Windows systems.

[050] For example, the net share command allows the list of shared resources on the local network to be obtained, and the net share <sharename> /delete command allows a share to be removed.

[051] It should be noted that according to particular forms of implementation, one or more restrictions may be adopted that limit the activities that the user USR may perform when user computer 1 is in a remote session with remote computer 2. Examples of such possible restrictions that can be implemented at the remote computer 2 via the security software application 7 are given below.

[052] Advantageously, it is possible to provide that remote computer 2 cannot surf the Internet (except, for example, to connect to a secure sharing portal authorised by centralised policies and configurable via web portal 6, associated with management computer 3).

[053] Disabling/restricting Internet browsing can be done by software application 7, while Internet browsing can still be maintained for user computer 1. This restriction of browsing reduces risks such as contracting online viruses (e.g. ransomware) or sending out confidential information.

[054] In addition, it is possible to provide that services listening on remote computer 2 can be switched off in order not to allow third-party access via other services enabled on remote computer 2.

[055] It is also possible to deactivate for the USR user those activities that could impair the proper functioning of remote computer 2. For example, such activities may be: deleting files that are responsible for the proper functioning of remote computer 2, uploading potential malicious files or scripts from user computer 1 (e.g. files with the following extensions: .com, .bat, .exe, .hta, .ocx, .pif, .sys, .vbs and .wsf).

[056] With reference to possible restrictions, in connection with the leakage of sensitive information, it may also be possible to deny any copying of data contained on remote computer 2 to user computer 1, even when the user USR has access rights to remote computer 2.

[057] Another possible restriction may be to allow remote access to remote computer 2 only for those user computers that are in certain geographical locations and/or only for specific IP addresses.

[058] The remote connection enablement system 500 and method 600 described above are very advantageous because they considerably increase the security of a remote connection to be established. The verification of the identity of the user wishing to establish a remote connection with the computer to be protected and the possibility of refusing the connection by keeping the access port associated with the remote connection service closed, are solutions that lend particular security to the system.

[059] Another advantage is related to the use of more than one user identification code and the fact that further verification of these codes can be carried out. Also advantageous is the solution that provides for an automatic disconnection in the event of user computer inactivity.

[060] It should be noted that the restrictions described above are also particularly advantageous. In fact, the application of such restrictions makes it possible to achieve a level of protection that renders the computer itself unassailable from any point of entry, not only by potential hackers/attackers, but also by users authorised to access the remote computer 2, thus achieving a de facto 'system hardening'.

[061] Legend of symbols used in the figures

- remote connection enabling system 500

- user computer 1

- remote computer 2

- management computer 3

- telecommunications network 4

- management software 5

- user USR

- e-mail address EM-1

- remote computer administrator ADM2

- management computer administrator ADM3

- web portal 6

- security software application 7

- service software 8

- RDP port 9

- remote computer identification data IP-2

- user computer identification data IP-1

- recognition code RCOD

- RDP file 10