Introduction to Remote Access for MSPs
In the past, businesses almost always hired an in-house IT professional to maintain their networks. These professionals had to be on location to resolve any issues when they arose. When the IT professional was unavailable, businesses were forced to deal with lengthy downtimes waiting for help.
That all changed with the development of remote access tools.
Remote access tools have opened doors for network administrators to offer quicker, more efficient support to end-users. It has also become easier for businesses to hire managed service providers to support their network as effectively as a full-time staff member. MSPs equipped with remote access to supported networks are able to offer complete support at a much lower cost than a full-time employee.
This overview will cover more than just the benefits of remote access. We will explain what scripting tools are and what they can do in terms of remote access. Best practices will be discussed as well, including protecting end-user privacy and the appropriate use of remote devices. We will also cover the crucial topic of security, and how it applies to remote access.
Benefits of Remote Access
The benefits of remote access are fairly obvious. That being said, it's important to have an understanding of them and how to communicate these benefits. These benefits apply to full-time network administrators and managed service providers alike.
Quick Response Times
Remote access tools help administrators respond to issues as quickly as possible. Rather than having to be on-site to resolve issues, many situations can be handled with remote tools. Oftentimes, these tools can be administered from laptops, tablets, or even mobile phones. Administrators can be on call 24/7, without having to come to the office.
Downtime has a real-time financial effect. Remote access gives businesses the option to resolve issues faster and get things back up and running more quickly than ever. Businesses that are seeking cost savings in hiring a managed service provider are able to do so without sacrificing quality thanks to remote access tools.
Any Device, Any Location
As discussed previously, remote access tools can be administered from many different types of devices. They can also support those same types of devices. Remote access isn't limited to servers; client devices, including mobile devices as well as PCs, can be controlled too. Remote support can be offered in the office or on the go. Location is not a limitation.
Remote control doesn't mean just active administration. Network technicians can automate administration with a number of different tools. Some of these tools, such as WSUS, Group Policy, and PowerShell, are embedded within operating systems. In other cases, third-party tools can be used. To know which tool is best to use, administrators must understand the situation that they are in and decide appropriately.
There are a number of programs embedded in the Windows operating system that administrators use as valuable network management tools. Here's a quick breakdown of each of them, and what they have to offer.
- Windows Server Update Services (WSUS). This service, as indicated by its name, is used for remotely managing operating system updates. Rather than having to run updates on every device in your network, WSUS can be used to download and push updates from a central server. It lets you see which updates are being pushed to your devices. It can also be used to schedule your updates appropriately.
- Group Policy. This service is used for managing many different Windows PC configurations from a central server. Administrators may choose to change the settings for each device individually or choose to push out global updates to all devices.
- PowerShell. This tool can be used to send commands and tasks to different PCs on your network. Like Group Policy, this tool allows you to run tasks from a central server, rather than having to run these commands from individual PCs.
Further reading: Top 10 PowerShell Commands Every IT Admin Should Know
- Making a new firewall rule
- Restarting the server or computer
- Restarting certain services
- Checking the status of the service, and more
For users who want to move past what native operating system tools offer, there are a number of different third-party tools for remote access. Here's what to consider when choosing a third-party remote access software package.
- Cost. Make sure you are able to distinguish the bottom line on pricing. Some options have a one-time cost, while others charge a monthly or yearly fee. Some charge per-user, others charge for the entire package.
- Features. Understand what your needs are and what each third-party software provider offers. Some are better for server administration, while others are tailored for end-user interaction. Make sure that your needs are met by the offering you choose.
- Functionality. Read user reviews on each product to find out if the software products that you are shopping for are appreciated by their users. Read through the support offerings as well so that you know where to go when you run into issues.
It's a good idea to weigh all of these things with equal importance. Free native options, such as Remote Desktop Protocol (RDP), are popular because of pricing. This doesn't mean they are the best option, however. The features and functionality in some of the third-party options are generally worth the price.
Remote Access Best Practices
Allowing remote access into a PC or server opens any system up to privacy issues. While it is important for the end-users to be concerned about their own privacy, it's also necessary for network professionals and MSPs to follow a set of best practices to protect the rights of their clients.
Offering your end-users the privacy that they deserve is as important professionally as it is legally. Here are a few rules to follow.
- Notify users before access. Even if you have unattended access to a user's PC, you should notify them before access. This gives the user the opportunity to close out of any private information that they may have on their screen.
- Disconnect when finished. When your work is complete, disconnect from the end-user's workstation. Staying connected longer than needed can cause the end-user to let their guard down prematurely.
- Do not collect any data without permission. Even if the data is just for troubleshooting purposes, don't collect any data from a user's PC without first requesting permission. You never know if you are taking something that they aren't interested in sharing.
To be able to manage a network effectively, it's important to gain an appropriate level of trust with end-users. Along with being a good business practice, there are legal ramifications if user security is violated.
Appropriate Use for Server Management
Network administrators and managed service providers will be accessing unmanned servers just as much as they work with end-user workstations. When working on servers remotely, it’s important that they are managed appropriately.
You should treat data stored on a server with care, never compromising a business’s data security. Any scripts or patches that will affect production servers should be run or installed when most convenient for the client. Whenever possible, schedule any required down-time for off-hours periods. When that isn’t possible, end-users must be notified before you proceed.
As with privacy, enabling remote access on your network increases the attack surface available to would-be hackers. It’s crucial to take a second look at all of your firewall configurations to be sure that nothing is opened up unnecessarily. User authentication practices should be reviewed, locked down and enforced appropriately.
Firewall best practices can seem a little redundant at times, but they are vital. Here are a few rules to follow to be sure that you are configuring your firewall appropriately.
- Only open the ports that are necessary. When troubleshooting remote access issues, it is often easy to open up ports to be sure that access isn’t being blocked. This can create a vulnerability in your network. Be sure that you aren’t leaving any ports open that aren’t needed.
- Lock access down to source IP addresses. It’s good practice to know where your remote access requests are coming from. If possible, figure out the source IP addresses of your remote access inquiries and create rules that only allow that access in from those specific addresses.
- Log access authentications. All of the access in and out of your servers should be logged. When remote access traffic is allowed to pass through your firewall, logs should be created so that administrators can look back and verify that the access was appropriate.
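The three firewall rules above, applied to Windows Defender Firewall with its built-in PowerShell cmdlets. This is an added example, not part of the original article; it assumes RDP on its default port 3389, and the source range and the `$Apply` switch are placeholders introduced for illustration.

```powershell
# Added example (not from the original article). Run in an elevated session.
$RdpPort        = '3389'               # default RDP port; change if yours differs
$AllowedSources = @('203.0.113.0/24')  # placeholder: the MSP's known source range
$Apply          = $false               # hypothetical switch: $true to change rules

# 1. Only the ports that are necessary / locked to source IPs:
#    list enabled inbound allow rules that expose RDP to any remote address.
$broad = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if (@($port.LocalPort) -contains $RdpPort -and @($addr.RemoteAddress) -contains 'Any') {
        [pscustomobject]@{
            Name        = $rule.Name
            DisplayName = $rule.DisplayName
            Protocol    = $port.Protocol
            Profile     = $rule.Profile
        }
    }
}
$broad | Format-Table -AutoSize

# 2. Restrict each finding to the approved sources. Confirm your own address is
#    inside $AllowedSources first, or the change will cut off your session.
foreach ($finding in $broad) {
    Set-NetFirewallRule -Name $finding.Name -RemoteAddress $AllowedSources -WhatIf:(-not $Apply)
}

# 3. Log access: record allowed and dropped connections on every profile.
if ($Apply) {
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 16384
}
```

With `$Apply` left at `$false` the script only reports and previews. Rules delivered by Group Policy are not in the local store this reads, so review those in the policy itself.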
User authentication rules for remote access aren’t very different from the access rules that you should already be enforcing. Nonetheless, enabling remote access should give you another reason to walk through all of your authentication policies again to make sure they are appropriate, and that they are being enforced effectively.
The most important rule is the principle of least privilege. Only grant remote access to those users and administrators who need it. Furthermore, if possible, only allow access to what’s needed, and deny access to anything that isn’t necessary.
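One way to check that remote access in practice matches the least-privilege policy is to compare who may connect with who actually did. This is an added example, not part of the original article; the approved account and address are placeholders, and it assumes the Security log records successful logons (event 4624, logon type 10 for Remote Desktop sessions).

```powershell
# Added example (not from the original article). Run in an elevated session.
$ApprovedUsers   = @('msp-tech1')       # placeholder account names
$ApprovedSources = @('203.0.113.10')    # placeholder technician addresses
$Since           = (Get-Date).AddDays(-7)

# Who is allowed to connect: members of the local Remote Desktop Users group.
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource

# Who actually connected: successful logons (event 4624) with logon type 10.
$filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
$logons = foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -eq '10') {
        [pscustomobject]@{
            Time   = $evt.TimeCreated
            User   = $data['TargetUserName']
            Domain = $data['TargetDomainName']
            Source = $data['IpAddress']
        }
    }
}

# Flag sessions by an account or from an address that is not on the approved list.
$logons |
    Where-Object { $_.User -notin $ApprovedUsers -or $_.Source -notin $ApprovedSources } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Any group member who never appears in the logon list over a reasonable period is a candidate for having remote access removed.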
Remote access makes everyone's jobs easier. For end-users, it gives them the ability to take work home. For managed service providers, it gives access to support users remotely, just as if they were sitting at a PC with the end-user, along with many other benefits of remote access. For server administrators, the ability to use services to automate update processes, software installations, and settings changes makes them much more effective at their jobs.
There are a lot of considerations to be weighed when diving into the world of remote access. Decision-makers must determine the best remote access tools for their company. They must also decide who is to be allowed access, and how much access needs to be provided. Network administrators and managed service providers need to consider the security and privacy needs of those they support as well.