How to use "Shin Telework System" more safely
Open the "Security Settings" screen from the Server Settings app
The one-time password settings are in the upper right of that screen; click the [Set one-time password (OTP) function] button there.
When the one-time password setting dialog shown below appears, check "Enable one-time password (OTP) authentication function" and enter the email address to which the verification code should be sent.
Only someone who can read mail at this address will be able to complete a remote connection to this PC, so double-check it before saving. The "emergency OTP alternative code" at the bottom of the dialog can be used in place of the emailed code if, for some reason, the mail does not arrive. Because it bypasses the email step entirely, treat it like a password: make a note of it and keep it somewhere nobody else can read it.
Click the [OK] button to complete the one-time password setting.
Next, start the Shin Telework System client software on the remote PC and connect to the server-side PC. When the connection starts, the screen shown below asks you for the one-time password.
At the same time, an email like the one below is sent to the address you registered. The 6-digit number in that email is the verification code.
Entering the correct code takes you on to the usual password check; the one-time password is an additional step in front of the connection password, not a replacement for it.
One-time passwords take only a minute to set up, and they mean that an attacker who has obtained the connection password still cannot connect without access to the mailbox as well, so we recommend enabling them.
Allow only secure clients to connect
Along with the one-time password, another setting worth introducing is "client quarantine". This function refuses the connection when the client PC is not operated securely, which here means two things: anti-virus software is installed with its real-time protection enabled, and the latest security patches have been applied through Windows Update.
To enable client quarantine, check "Implement client quarantine" in the "Client terminal security check function" field on the security settings screen and click [OK] to apply the setting.
When I tried to connect with the anti-virus software of the client PC disabled, the following message was displayed and the connection was rejected.
A remote connection from a client that is not kept secure also exposes the server-side PC: malware on the client can ride the remote session or capture the credentials typed into it. To avoid that risk, enable this setting wherever you can.
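Before connecting, you can check on the client PC whether it is likely to satisfy the quarantine conditions described above. The script below is an added example and is not part of the original article or of the Shin Telework System; exactly which checks the product performs is not documented on this page, so this approximates the two conditions it names (an anti-virus product with real-time protection on, and recent Windows Update patches) using standard Windows cmdlets.

```powershell
# Added example (not the product's own check): run on the CLIENT PC before
# connecting, to see whether it is likely to pass "client quarantine".

# 1. Anti-virus products registered with Windows Security Center.
#    The root/SecurityCenter2 namespace exists on client editions of Windows,
#    not on Windows Server, so a missing result there is not conclusive.
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if (-not $av) {
    Write-Warning 'No anti-virus product is registered with Windows Security Center.'
} else {
    $av | Select-Object displayName, productState, timestamp | Format-Table -AutoSize
}

# 2. Microsoft Defender status (only meaningful when Defender is the active AV).
#    RealTimeProtectionEnabled is the setting the article says quarantine requires.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        SignatureAgeDays          = $mp.AntivirusSignatureAge
    } | Format-List
    if (-not $mp.RealTimeProtectionEnabled) {
        Write-Warning 'Real-time protection is OFF; the connection will most likely be rejected.'
    }
}

# 3. Most recently installed updates. If the newest InstalledOn date is weeks
#    old, run Windows Update before trying to connect.
Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize
```

If you use a third-party anti-virus product, rely on the first section of the output (Security Center registration) rather than the Defender section, which only reports Defender's own state.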
Allow only authorized PCs to connect
If you want to operate the remote desktop even more safely, restrict connections so that only PCs authorized in advance can connect. The Shin Telework System does this with "MAC address authentication". A MAC address is the identifier of the network adapter in a PC. It is assigned when the adapter is manufactured so that, in principle, no two adapters in the world share one, which is what makes it usable for picking out a specific terminal. Note, however, that the operating system can override the address an adapter reports, so this check is best thought of as an allow list of expected terminals rather than proof of which hardware is connecting.
In the Shin Telework System, the server-side settings let you list the MAC addresses of the client PCs that may connect. On each connection request, the MAC address reported by the client is compared with that list, and the connection is accepted only if it matches.
To use MAC address authentication, you first need to know the MAC address of the client PC that will be used to connect. To find it in Windows, open the Control Panel and select [All Control Panel Items]-[Network Connections] to display the list of network adapters, as shown below.
Double-click the adapter you normally use to connect to the Internet to display its connection status, as shown below.
Click the [Details] button to display detailed information such as the IP address, as shown below. The 12-hex-digit value labelled "Physical address" is the MAC address; it is usually displayed as six pairs of characters separated by hyphens (-) or colons (:).
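The same information can be read from PowerShell on the client PC, which is quicker when you need to collect addresses from several machines. This is an added example, not from the original article; it uses only standard Windows cmdlets and commands.

```powershell
# Added example (not from the original article): read the "Physical address"
# shown in Control Panel directly from PowerShell on the client PC.
# -Physical excludes virtual adapters (VPN, Hyper-V, loopback) whose MACs are
# not the one seen when connecting over the real network.
Get-NetAdapter -Physical |
    Where-Object Status -eq 'Up' |
    Select-Object Name, InterfaceDescription, MacAddress, Status

# Get-NetAdapter prints the address with hyphens (e.g. 00-1A-2B-3C-4D-5E).
# If the server-side registration screen expects colons, convert it like this:
(Get-NetAdapter -Physical | Where-Object Status -eq 'Up').MacAddress -replace '-', ':'

# The classic command-line equivalent, which also shows the connection name:
getmac /v /fo list
```

Two caveats when choosing which address to register: a laptop has separate MAC addresses for its wired and Wi-Fi adapters, so register the one actually used for telework (or both), and if the Windows "Random hardware addresses" option is turned on for Wi-Fi, the reported address changes and will no longer match the registered value, so turn that option off on client PCs that rely on MAC address authentication.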
Once you know the client PC's MAC address, register it on the server side. To enable MAC address authentication, check "Client MAC address authentication" in the "Client terminal security check function" column of the security settings screen, then click the [Register connection permitted MAC address] button next to it.
The MAC address registration screen shown below appears; enter the MAC address of each client PC that is allowed to connect, one per line.
This completes the setup. With MAC address authentication enabled, a connection attempt from an unregistered client PC is refused with the message shown below.
When MAC address authentication is enabled, connections from the Web client are also rejected, as shown below, because a browser cannot read the terminal's MAC address.
For this reason the Shin Telework System Web client has an option to supply a MAC address virtually: at the bottom of the Web client screen there is a "Virtual MAC Address" field.
Any 12-digit string entered here is used as the client's virtual MAC address, and the connection is accepted only if that value is on the server-side allow list. Since the value is simply typed by the user, for Web clients MAC address authentication amounts to a second shared secret rather than a check on the terminal, so do not treat it as a substitute for the one-time password.
MAC address authentication is most effective when only specific PCs are ever used as clients. Since it is good practice to limit remote access to company PCs to a fixed set of terminals anyway, MAC address authentication should also be enabled.
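To make the behaviour of the allow-list check concrete, here is a small model of it written for this article; it is an added example and not the product's own code, and it assumes nothing about the product beyond what is described above (one registered address per line, compared with the value the client reports). The function names and the sample addresses are invented for the illustration.

```powershell
# Added example, not the product's code: a model of the server-side allow-list
# check described above, to show what it does and does not prove.
# Tools print MAC addresses in different styles (00-1A-2B-3C-4D-5E,
# 00:1a:2b:3c:4d:5e, 001A2B3C4D5E), so both sides are normalised to
# 12 upper-case hex digits before they are compared.

function ConvertTo-NormalizedMac {
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[-:\s]', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]{12}$') {
        throw "Not a MAC address: '$Mac'"
    }
    return $hex
}

function Test-MacAllowed {
    param(
        [Parameter(Mandatory)][string]$ClientMac,   # value reported by the client
        [Parameter(Mandatory)][string[]]$AllowList  # one entry per line of the registration screen
    )
    $allowed = $AllowList | ForEach-Object { ConvertTo-NormalizedMac $_ }
    return $allowed -contains (ConvertTo-NormalizedMac $ClientMac)
}

# Constructed sample allow list (hypothetical addresses, not real terminals).
$allowList = @(
    '00-1A-2B-3C-4D-5E',   # office laptop, wired adapter
    '00:1a:2b:3c:4d:5f'    # same laptop, Wi-Fi adapter
)

# A registered terminal, reported without separators: accepted.
Test-MacAllowed -ClientMac '001A2B3C4D5E' -AllowList $allowList

# An unregistered terminal: refused, as in the screenshot above.
Test-MacAllowed -ClientMac 'AA-BB-CC-DD-EE-FF' -AllowList $allowList

# The Web client's "Virtual MAC Address" field is just a string the user types,
# so anyone who learns an allow-listed value passes this check from a browser.
Test-MacAllowed -ClientMac '00:1A:2B:3C:4D:5E' -AllowList $allowList
```

The first and third calls succeed and the second is refused, which is exactly the point: the check only establishes that the client presented a value on the list. For native clients that value comes from the adapter, for Web clients it comes from the keyboard, which is why the one-time password should stay enabled alongside it.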
More security options
In addition to the options introduced here, the Shin Telework System offers options for even stronger security, most notably authentication with My Number Card. Next time, I will cover those more advanced authentication methods.