The Trouble with Remote Access
Remote access protocols are certainly one of the long-standing topics discussed when it comes to information security. Most security practitioners have had to deal with the threats and risks posed by the wide range of protocols used to remotely manage and access systems, including Telnet, SSH, RDP, and even third-party providers such as GoToMyPC. Convenience is heavily weighed against security, as users and administrators require access to the systems, yet security in the forms of authentication and encryption seemingly "get in the way." This debate has come up in my career more times than I care to remember. When I first set out to help make systems more secure, one of the first actions I proposed was to remove Telnet from all of my UNIX (Solaris and Linux at the time) systems. Turns out it was a valuable lesson for me as I learned that while technically not so challenging, convincing 25 or more developers that they had to use an SSH client rather than the built-in Telnet utility was the most challenging aspect of that project.
The same debate occurred later in my career when I was tasked with helping the newly-created Windows systems administrators group secure their brand-new Windows domain environment. I had a similar conversation about Microsoft Terminal Services, which uses the RDP (Remote Desktop Protocol). At the time, in the default configuration, an attacker could perform MiTM attacks to obtain the username and password, in addition to logging the keystrokes sent to the systems being managed. Again, technically there was an easy fix (change some settings on the servers, and use a compatible client on the management systems). However, the real challenge was persuading the administrators to make the switch, as they had always just used the default configuration and, by their own account, "nothing bad ever happened." In this case, I had to use a demo and perform an attack, with permission, of course, against an administrator. Once they saw it, the progression to a properly-configured and more secure RDP implementation was underway immediately.