May 2013 IT Business Consulting Newsletter

Hacked via Remote Access!

By Tom K

This Property Mgmt Company thought they had their network security completely in hand, but they still got seriously hacked. They contacted us and we found and plugged the security holes, and then performed appropriate damage control. But… it was a very embarrassing and expensive experience for them.

The event could have been prevented. In this month’s newsletter I discuss the issues that led to this particular attack, and how to prevent this common attack from crushing your company.


Remote Access Applications on Company PCs

Remote Access applications (LogMeIn, GoToMyPC, PC Anywhere, etc.) are great tools to provide remote access to your company IT resources. But they are also very dangerous back doors into your systems that MUST be viciously controlled. See my October 2011 newsletter, "Remote Access Alternatives to VPNs", for details.

The PM company didn’t know users had set up Remote Access applications on their PCs (we found a few), and they had no systems in place to govern the installation and use of these applications.

This successful hack started by accessing one of these PCs via a Remote Access application. Once the hacker had access to the PC, he could take his time trying to gain administrator access to the servers and data systems, which he eventually did.

Since the attack started inside the network (the hacker was sitting on an internal PC via remote access), none of the typical perimeter tools (firewall logs, Intrusion Detection, etc.) can see the attack, so it can operate undetected for months. Regularly reviewing server security logs can reveal this type of activity, but no one was monitoring their server.


No Governance for Installing/Using Remote Access

The PM Company didn’t know staff had installed Remote Access apps on Company PCs, and the staff didn’t know that they shouldn’t install the apps. As there was no policy in place to govern or prohibit this activity, staff were allowed to set up these dangerous back doors by default.

Here’s where your Company IT Use & Abuse Policy comes into play. This policy details everything a user can and cannot do with regards to Company computing resources. A well written and properly distributed IT Use and Abuse Policy can save you from litigation, employee abuse, and wasted resources. I discuss IT Use and Abuse Policies in detail in my January 2012 newsletter.

In the case of Remote Access, the IT Use and Abuse Policy should explicitly prohibit the use of Remote Access apps without specific written permissions, delegated to very specific employees. If you haven’t told them they can’t, you can have no expectations that they won’t!


Secure Network Passwords not Required/Enforced

The PM Company didn’t require or enforce the use of Secure Network Passwords (or secure PC passwords if not using a domain). The user had a very simple password that was very easy to guess. Once the hacker got to this user’s PC log-in screen via the Remote Access app, he probably got into the PC (and onto the network) with very few attempts.
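The two points above, that only the server security logs could have revealed the attack and that a weak password falls to a handful of guesses, can be turned into a simple review of the logon events. The following is an added example, not code from the newsletter or the PM Company: it runs over a constructed, simplified export of Windows Security events (4625 = logon failure, 4624 = logon success) and flags an account that racks up repeated failures from one source and is then successfully logged on from that same source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): a simplified export of Windows Security
# log events. Columns: timestamp, event id, target account, source machine,
# logon type (2 = interactive console, 3 = network, 10 = remote interactive).
SAMPLE_LOG = """\
2013-05-03T22:01:05,4625,jsmith,RECEPTION-PC,2
2013-05-03T22:01:09,4625,jsmith,RECEPTION-PC,2
2013-05-03T22:01:14,4625,jsmith,RECEPTION-PC,2
2013-05-03T22:01:20,4625,jsmith,RECEPTION-PC,2
2013-05-03T22:01:31,4624,jsmith,RECEPTION-PC,2
2013-05-03T23:10:02,4625,Administrator,RECEPTION-PC,3
2013-05-03T23:10:40,4625,Administrator,RECEPTION-PC,3
2013-05-03T23:11:00,4625,Administrator,RECEPTION-PC,3
2013-05-03T23:11:15,4624,Administrator,RECEPTION-PC,3
2013-05-04T08:30:00,4625,mlee,ACCT-PC,2
2013-05-04T08:30:30,4624,mlee,ACCT-PC,2
"""


def parse_events(text):
    """Parse the CSV-style export into (timestamp, event_id, account, source, logon_type)."""
    events = []
    for line in text.splitlines():
        ts, eid, account, source, ltype = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), account, source, int(ltype)))
    return events


def find_guessing(events, threshold=3, window=timedelta(minutes=10)):
    """Return (account, source, failure_count, succeeded) for every account/source pair
    whose failed logons within `window` reach `threshold`. `succeeded` is True when a
    4624 for the same pair follows the run of failures, i.e. the guessing likely worked."""
    recent_failures = defaultdict(list)   # (account, source) -> timestamps of 4625s
    alerts = {}                           # (account, source) -> [count, succeeded]
    for ts, eid, account, source, _ in sorted(events):
        key = (account, source)
        if eid == 4625:
            # keep only failures still inside the sliding window, then add this one
            recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window] + [ts]
            if len(recent_failures[key]) >= threshold:
                alerts.setdefault(key, [0, False])[0] = len(recent_failures[key])
        elif eid == 4624 and key in alerts:
            alerts[key][1] = True         # success after a burst of failures
    return [(a, s, n, ok) for (a, s), (n, ok) in alerts.items()]


if __name__ == "__main__":
    for account, source, count, ok in find_guessing(parse_events(SAMPLE_LOG)):
        print(f"{account} from {source}: {count} failures, "
              f"{'then SUCCESS - investigate' if ok else 'no success seen'}")
```

A single mistyped password (mlee above) is not flagged; the reception PC, which is where a remote access tool would deliver the hacker, shows both a guessed user password and the subsequent attempts on the Administrator account.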

A secure password is one meeting specific criteria that make cracking the password nearly impossible. You should include a secure password requirement in your IT Use and Abuse Policy. If you have a domain, you can automatically enforce the use of secure passwords. See my November 2011 newsletter, “Secure Passwords”, for details on creating secure passwords that are easy to remember, and on setting up secure password enforcement.


Administrative Access

Fortunately, this user account did not have Administrative Account permissions. If it had, the hacker would have gained full access just by determining this user’s very easily guessed credentials.

Unfortunately, the Domain Admin account had a password that was relatively easy to crack, which the hacker did. He then “owned” all the servers in the Company.

Secure Passwords are absolutely critical for the admin accounts and any user accounts having administrator privileges. And, you should limit administrative access to the very few who really need it. See my May 2012 newsletter, “Protect Your Admin Accounts”, for details.


Remote Access Account Password

You have little control over this, as this account is outside of your environment. You can and should, however, insist on the use of a secure password on any remote access account used to access a Company computing resource. Also insist that the remote access account password be different from the user’s network password.

These requirements should be clearly described in a Remote Access Policy.

The user whose remote access account was used to gain entry to the PM Company’s servers did have a different password than the user’s network account, but it was equally easy to guess/crack.


Remote Access Policy

Your IT Use and Abuse Policy should expressly prohibit the installation and use of these Remote Access apps on any Company computing device without written permission from senior management.

The written permission process should require that the employee acknowledge and sign a special “Remote Access Policy” indicating that the employee will comply with the terms therein.

Everything discussed in this article should be included in your Remote Access Policy, including:

  • The specific machine the staff can remotely connect to
  • A secure password is required on the remote access account
  • A secure password is required on the user’s network account
  • The remote access account password must be different from the user’s network password
  • Users cannot share the remote access account credentials with anyone
  • Failure to comply will result in disciplinary action which can include termination

Summary

If the PM Company had an IT Use and Abuse Policy in place, the staff would have known Remote Access apps were prohibited without proper authorization. If they also had a Remote Access Policy in place, the users would have had to use proper precautions and procedures, and the hack wouldn’t have happened.

Take the time to establish and distribute policies to educate your staff and protect your Company before spending ten times as much time, energy, and expense on Damage Control.


If you have any questions concerning creating these policies, protecting your Company from Remote Access applications, or any other topics concerning securing your environment, I’d be happy to discuss them with you at your convenience. Feel free to contact me at TomK@TomKConsulting.com, or via my cell 443.310.5110.


Next month I’ll discuss Best Practices for safely using unsecured Public WIFI.