What You Really Want From Remote Access
People who work from home often create complex and detrimental security issues for their system administrators. What’s needed are procedures for hardening the end user’s system to avoid security breaches, and providing remote workers with the ability to print from their company notebooks to their local printers over Terminal Services. For starters, it’s assumed that the user has antivirus, malware and spyware protection; if not, then that needs to be rectified.
One thing I see regularly when people have more than one computer at home is that they buy a wireless router or hub device, plug it in and use it with default settings. This creates wide-open wireless access, which lets anyone connect to the router’s admin page without a security key or a password (or with a default password — such as “password”). Here’s how to remedy this problem.
1. Make sure the provider’s modem is secure. I usually recommend that users buy their own cable modem so that they can set it up themselves and apply strong admin passwords. I like the D-link High-Speed DOCSIS 2.0 Cable Modem. I was amazed at the improvement in speed compared with the service provider’s units.
If you are running DSL, the DSL modem can usually be accessed directly for setting a stronger password. The DSL provider is often happy to help. Fiber subscribers might not have a modem; Internet access comes through the interface box, which is where the fiber converts locally to copper. In that case, don’t even think of connecting without a hardware firewall. If you’re using a wireless router supplied by your service provider, make sure you have access to the router’s admin functions so you can add Wired Equivalent Privacy (WEP) keys, admin passwords and custom configurations. But I still recommend forgoing the freebie and buying your own.
2. Get a firewall/router/hub device. Running broadband without a firewall is like running through a briar patch without your pants — generally a bad idea. Most of these devices come with a wireless access point built in. If so, make sure you change the admin passwords and wireless network ID (service set identifier, or SSID) and add a WEP key. And — most important — write it down and put it where you won’t lose it!
One of the best units I’ve seen is the Netgear FWG114P ProSafe 802.11g Wireless Firewall with USB print server. The USB print server will resolve many printing issues that plague remote users. Print servers also solve problems that crop up in mixed environments that use XP and Vista.
You also will need to configure your router’s Dynamic Host Configuration Protocol settings. Most routers will allow DHCP assignments over the entire subnet; for example, assign IP address range: [192.168.1.3] to [192.168.1.254]. Unless you want 250 people connecting to your home network, you need to change that upper limit to [192.168.1.20]. You should do this because you are going to hard-set the IP address of the main PC on your network.
But first, read through the user’s manual and make sure you’ve set all the passwords for the router. Some have both an admin password and a user password. Make sure you set these to something that’s not easy to guess. I also recommend turning off remote configuration. That closes a big security hole.
3. Hard-set the IP address of the main PC. Most home networks have one PC that is connected directly to the printer. This is the machine in which you will hard-set the IP address. I also recommend connecting this machine directly to the wireless router/hub to eliminate certain logistical issues.
Set the IP address by going to Start – Settings – Control Panel – Network Connections. You’ll see two or three choices. Right click on Local Area Connection, choose properties, go to Internet Protocol (TCP/IP) and set the IP address to be just outside of the upper range that you set in step 2. If the upper range is [192.168.1.20], set your machine to be [192.168.1.30].
Then write down the settings. You are going to need this info to set up remote printing later on. Also remember to stay within your router’s subnet. If it’s [192.168.1.1], you need to stay within [192.168.1.x], or if it’s [192.168.0.1], you need to stay within [192.168.0.x], where “x” equals any IP address outside of the dynamically assigned range you just set (up to .254). Your default or primary DNS setting will be the router’s IP address, typically [xxx.xxx.xxx.1], or in this case, [192.168.1.1].
4. Share your printer. On the main PC, pick a printer to share with users on your network. For example, I have a laser printer and a color ink jet. I prefer sharing the laser printer because it costs less to use. Go into Start – Settings – Printers, find the printer and click Sharing. Go through the wizard and assign the printer a short, simple name that’s easy to remember, such as HPLaser. This will be the share name of the printer for users on your network. It will appear as <computer IP address><Printername>. Using the examples here, it will be \\192.168.1.30\HPLaser.
Remember that to print from other desktops or notebooks on your network, the main PC needs to be on. If you purchased a router/hub with a print server built in, you might want to use that to avoid having the dedicated PC running at all times.
5. Make sure the software firewall is turned off on your main PC. You’ve already set up the hardware firewall on your system, so you need to turn off the software firewall in Windows and the antivirus firewall or you won’t be able to connect to the shared resources, such as the printer or any shared directories. But don’t worry — you’re safe, especially if you followed the directions to this point. (Besides, relying on the Windows software firewall is like trying to stop a herd of buffalo with yellow caution tape.)
Now that you’ve made all the preliminary network and computer settings, you have a reasonably secure setup from which you can remotely access your company network without opening the doors to anyone who stumbles onto your home network. Now, let’s set up the company notebook for printing.
We will assume that the company notebook has some kind of VPN or prearranged Terminal Services setup. (If your workplace uses Citrix, you might need some additional configuration that is not covered here.)
1. Establish a wireless connection from the work notebook to your home network. Make certain that you are connected to your own network and not picking up a neighbor’s unsecured signal. You’ll need the WEP key you set up earlier. After the connection is established, make sure you have Internet access.
2. Install your home network’s shared printer onto your work notebook. This is where that built-in print server on the router/hub might come in very handy. But in place of that, if you’ve stuck with me so far, this will be a snap.
Go into Start – Settings – Printers and add a printer. Click Next and pick a network printer, then click Next again. Select Connect to this printer (or browse …). Type the IP address and printer name that you set up earlier; for example, \\192.168.1.30\HPLaser. Have the print-driver CD at hand in case you need it. If you are asked for a password to log into the printer, it’s the user name and password for the system that is sharing out the printer. If there is no password for the user name, just leave that blank, but check the box that says “Remember This Password” whether there is one or not. (If you add or change the password later, you will need to repeat this step to reconnect the printer with new credentials.)
3. Test it. At this point, we will assume everything has gone smoothly. Go to Start – Settings – Printers and look for the newly installed printer. Right click it, and choose Print a test page. Be patient — wireless printing takes a little longer. If you see that test page shoot out after a couple minutes, you’re good to go.
4. Connect to your company’s Terminal Services. Once connected on your remote desktop, go to Start – Settings – Printers and you should see your remote printer listed as a session remote printer. You can try doing a test print from there, too. Keep in mind that when you do a remote print, the larger the file size, the longer it will take to print locally (this is especially true for PDF files that are scanned rather than converted directly from Word documents). If you don’t see your printer on the remote session, the systems administrator of the remote system needs to add a driver to the Terminal Services machine specifically for your printer. To make their life easier, give them the make and model of your printer and a copy of the print-driver CD.
With all systems, there are exceptions. Some printers are not directly compatible with Terminal Services; there is third-party software available to compensate for this. Microsoft also recommends using a Citrix layer for midsize to large enterprises, which will address many Terminal Services shortcomings.
Good luck, and happy printing.
Jeff Gross is network administrator at Tucker Industries in Bensalem, Pa.