Over the last several months we have worked a ton of incidents where compromise of systems and networks was accomplished via Internet-exposed terminal servers, VNC and other remote access applications. Often, these same administration-friendly tools are used in internal compromises as well. While there is certainly value in terminal server and VNC, they can be configured, and your implementations hardened, to minimize the chances of attack and compromise.
Careful consideration should be given to having any form of remote desktop access Internet-exposed. Attackers are very good at slow and low password grinds, social engineering and other techniques that make these exposures good targets for gateways into an environment. Unless you have a serious plan for managing the risk and you have excellent levels of controls, raw exposures of these tools to the Internet should be avoided. If you need to use them for remote access, consider some form of IP address restriction, authentication at a router for dynamic ACLs, or forcing a VPN connection to gain access to them. Neither terminal server nor VNC should be considered a replacement for a robust VPN, and with tools like OpenVPN offering free or low-cost alternatives, it is just silly not to leverage them over simple port exposures.
Even if you do not expose your terminal servers to the Internet, it is still a great idea to make sure that they are hardened. Here is a great PowerPoint that covers hardening both terminal servers and Citrix deployments. You can also find more guidance in the CIS baseline tools and documents. There are several good documents around the net for hardening TS in line with various baselines.
VNC can also be configured to be more secure than a “base install”. It starts with which VNC implementation you run: UltraVNC and TightVNC have some very powerful security configurations that can help you minimize your risks. Choosing stronger authentication mechanisms and implementing IP address controls, even inside, can really help you keep an attacker from running “hog wild”, even if they do gain some sort of user access or compromise a workstation with a botnet client. Consider the use of “jump boxes” dedicated to being the terminal server or VNC gateway to all other machines. If you implement these “choke points” then you can uber-harden them, monitor them closely for bad behaviors, and be assured that without accessing them, an attacker can’t easily use your remote access servers against you.
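As an added illustration of the “slow and low” grinding and the jump-box choke point described above (example code, not from the original post): a small detector run over constructed RDP/VNC auth-failure lines that separates a burst a lockout policy would catch from a grind spread thin enough to stay under it, and flags any source that is not one of the hypothetical jump-box addresses.

```python
"""Spot low-and-slow password grinding against RDP/VNC from auth-failure logs.

Added example, not from the original post. The log format is constructed
for illustration; it carries the fields you would normalise out of a
Windows 4625 event (failed logon; LogonType 10 is RDP) or a VNC server's
authentication-failure line: timestamp, source address, target user.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical jump-box addresses: the only sources that should ever reach RDP/VNC.
ALLOWED_SOURCES = {"10.0.5.10", "10.0.5.11"}

# Constructed sample failures. 203.0.113.7 spreads five guesses over eleven hours;
# 198.51.100.9 fires five in two minutes; 10.0.5.10 is a jump box (one typo);
# 192.0.2.44 is a single attempt that bypassed the jump boxes entirely.
SAMPLE_LOG = """\
2024-03-01T00:05:00Z FAIL src=203.0.113.7 user=administrator
2024-03-01T01:10:00Z FAIL src=203.0.113.7 user=admin
2024-03-01T03:30:00Z FAIL src=203.0.113.7 user=backup
2024-03-01T06:45:00Z FAIL src=203.0.113.7 user=svc_sql
2024-03-01T09:00:00Z FAIL src=10.0.5.10 user=jsmith
2024-03-01T11:20:00Z FAIL src=203.0.113.7 user=helpdesk
2024-03-01T14:00:00Z FAIL src=198.51.100.9 user=administrator
2024-03-01T14:00:30Z FAIL src=198.51.100.9 user=administrator
2024-03-01T14:01:00Z FAIL src=198.51.100.9 user=administrator
2024-03-01T14:01:30Z FAIL src=198.51.100.9 user=administrator
2024-03-01T14:02:00Z FAIL src=198.51.100.9 user=administrator
2024-03-01T16:12:00Z FAIL src=192.0.2.44 user=vncuser
"""


def parse(lines):
    """Yield (timestamp, source_ip, user) for each non-empty constructed log line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, _, src, user = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src[4:], user[5:]


def classify(lines, min_failures=5, burst_window=timedelta(minutes=10)):
    """Map source IP -> 'burst' (a lockout policy would trip), 'low_and_slow'
    (same count, but no burst_window ever holds min_failures events), or
    'unexpected_source' (any attempt from outside the jump boxes)."""
    by_src = defaultdict(list)
    for ts, src, _user in parse(lines):
        by_src[src].append(ts)
    verdicts = {}
    for src, stamps in by_src.items():
        stamps.sort()
        if len(stamps) >= min_failures:
            # Slide a window of min_failures events; any that fits in burst_window is a burst.
            burst = any(stamps[i + min_failures - 1] - stamps[i] <= burst_window
                        for i in range(len(stamps) - min_failures + 1))
            verdicts[src] = "burst" if burst else "low_and_slow"
        elif src not in ALLOWED_SOURCES:
            verdicts[src] = "unexpected_source"
    return verdicts
```

Only the jump-box typo stays silent; the slow grinder is reported even though no ten-minute window ever sees more than one failure from it.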
Just take a few moments and think it through. Sure, these tools make it easy for admins. They make it convenient for them to do their work and administer remote machines, but they also make it easy for an attacker. Hardening these tools and your architecture is a great way to achieve that balance between usability and security. You can get work done, but you can do so knowing that you have enough controls in place to make sure that it really is you who is doing the work.