Remote Access Configuration Requirements
1. Remote access services
1.1 Employ centrally managed remote access services that encrypt data in transit in accordance with the Canadian Centre for Cyber Security’s (Cyber Centre’s) Guidance on Securely Configuring Network Protocols (ITSP.40.062) and Cryptographic Algorithms for Unclassified, Protected A, and Protected B Information (ITSP.40.111), so that the confidentiality and integrity of information are protected as it travels over an untrusted network such as the Internet or any other network external to the GC enterprise network.
1.2 Configure remote access services to use GC-approved pathways to the Internet. A GC-approved pathway to the Internet enforces security measures, including protective domain name system (DNS) services, network security services from Shared Services Canada, and cyber defence services from the Cyber Centre.
1.3 Disable split tunnelling except for domains that are included in the list approved by the GC Enterprise Architecture Review Board.
1.4 Authenticate all users of remote access services with phishing-resistant multi-factor authentication methods in accordance with the Account Management Configuration Requirements and the Government of Canada (GC) Guideline on Multi-Factor Authentication (MFA): Technical Recommendations for Authenticators to Support MFA Within the GC Enterprise Domain.
1.5 Implement GC-approved endpoint management configurations for all remote access devices.
1.6 Perform posture assessment for remote access connections prior to authorizing access to the GC enterprise network by verifying compliance for:
- 1.6.1 Up-to-date operating system and installed applications;
- 1.6.2 Up-to-date anti-malware protection; and
- 1.6.3 Validation of a GC-owned and GC-managed device.
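The posture assessment in requirement 1.6 is a gate that must fail closed: a connection is authorized only when all three checks pass and every field needed to decide is present and well-formed. The following is an added example, not part of the GC document or of any GC system, showing one way to encode that decision. The report fields, the baseline values, the signature-age limit and the device inventory keyed by certificate thumbprint are assumptions constructed for the example.

```python
"""Added example (not part of the GC requirements document): a posture
assessment that evaluates a device's self-reported state against the three
criteria in requirement 1.6 before a remote access session is authorized.
The report format, baseline values and device inventory are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed enterprise baseline: minimum OS build, minimum application versions,
# and how stale anti-malware signatures may be before the device is refused.
MIN_OS_BUILD = (10, 0, 22631)
MIN_APP_VERSIONS = {"browser": (120, 0), "vpn-client": (5, 2)}
MAX_SIGNATURE_AGE = timedelta(days=3)

# Constructed inventory of GC-owned, GC-managed devices, keyed by the
# certificate thumbprint the device presents when it connects.
MANAGED_DEVICES = {
    "A1B2C3": {"hostname": "GC-LAPTOP-0042", "enrolled": True},
    "D4E5F6": {"hostname": "GC-LAPTOP-0077", "enrolled": False},  # retired
}

# Fixed assessment time so the example is deterministic.
ASSESSMENT_TIME = datetime(2024, 3, 2, 8, 0, tzinfo=timezone.utc)

# Constructed device reports: one compliant, one with several failures.
SAMPLE_GOOD = {
    "os_build": "10.0.22631",
    "apps": {"browser": "121.0", "vpn-client": "5.3"},
    "antimalware_enabled": True,
    "signature_timestamp": "2024-03-01T08:00:00+00:00",
    "device_cert_thumbprint": "A1B2C3",
}
SAMPLE_BAD = {
    "os_build": "10.0.22631",
    "apps": {"browser": "119.0", "vpn-client": "5.2"},
    "antimalware_enabled": True,
    "signature_timestamp": "2024-02-20T08:00:00+00:00",  # 11 days old
    "device_cert_thumbprint": "D4E5F6",                  # retired device
}


def parse_version(text):
    """Turn '10.0.22631' into (10, 0, 22631) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class PostureResult:
    authorized: bool
    failures: list = field(default_factory=list)


def assess_posture(report, now=None):
    """Return a PostureResult; any missing or unverifiable field fails closed."""
    now = now or datetime.now(timezone.utc)
    failures = []
    # 1.6.1 operating system and installed applications are up to date
    try:
        if parse_version(report["os_build"]) < MIN_OS_BUILD:
            failures.append("os_build below baseline")
    except (KeyError, ValueError):
        failures.append("os_build missing or malformed")
    apps = report.get("apps", {})
    for name, minimum in MIN_APP_VERSIONS.items():
        try:
            if parse_version(apps[name]) < minimum:
                failures.append(f"{name} below baseline")
        except (KeyError, ValueError):
            failures.append(f"{name} version missing or malformed")
    # 1.6.2 anti-malware protection is enabled and its signatures are fresh
    try:
        if not report["antimalware_enabled"]:
            failures.append("anti-malware disabled")
        signed = datetime.fromisoformat(report["signature_timestamp"])
        if now - signed > MAX_SIGNATURE_AGE:
            failures.append("anti-malware signatures stale")
    except (KeyError, ValueError, TypeError):
        failures.append("anti-malware state missing or malformed")
    # 1.6.3 the device is GC-owned and GC-managed (enrolled in the inventory)
    device = MANAGED_DEVICES.get(report.get("device_cert_thumbprint"))
    if device is None or not device["enrolled"]:
        failures.append("device not in managed inventory")
    return PostureResult(authorized=not failures, failures=failures)


if __name__ == "__main__":
    for label, report in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        result = assess_posture(report, ASSESSMENT_TIME)
        print(label, "authorized" if result.authorized else result.failures)
```

Every check is wrapped so that a report with a missing or malformed field is treated as non-compliant rather than silently passing; the full list of failures is returned so the help desk can tell the user what to fix, while the gateway only needs the boolean.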
2. Remote access infrastructure security
2.1 Configure remote access systems in accordance with the GC’s System Management Configuration Requirements and Security Considerations for Edge Devices (ITSM.80.101).
2.2 Harden remote access systems and devices, including operating systems and applications, to provide only essential capabilities in accordance with the Cyber Centre’s Top 10 IT Security Actions: Number 4 Harden Operating Systems and Applications (ITSM.10.090) and vendor hardening guides.
2.3 Deploy remote access services in network zones that mediate access between operational GC systems and the public zone, in accordance with the Cyber Centre’s Baseline Security Requirements for Network Security Zones (Version 2.0): ITSP.80.022 and Network Security Zoning: Design Considerations for Placement of Services Within Zones (ITSG-38).
2.4 Restrict administrative access to remote access systems from dedicated internal or out-of-band management networks that use hardened hosts.
2.5 Use strong, phishing-resistant multi-factor authentication (MFA) for all administrative access to remote access devices in accordance with the Account Management Configuration Requirements and the Government of Canada (GC) Guideline on Multi-Factor Authentication (MFA): Technical Recommendations for Authenticators to Support MFA Within the GC Enterprise Domain.
3. Systems management
3.1 Maintain an inventory of remote access devices and manage the life cycle of devices that are at or approaching end of life, with a plan to remove or replace them before end of life occurs.
3.2 Subscribe to security notifications from the remote access device’s vendor and to advisories provided by the Cyber Centre.
3.3 Actively patch all software applications, hardware and firmware installed on IT assets that enable remote access and support infrastructure services in accordance with the GC’s Patch Management Guidance.
3.4 Routinely review security rules, security configurations and access controls configured on remote access devices for relevancy.
4. Monitoring
4.1 Configure logging for remote access systems and devices in accordance with the GC’s Event Logging Guidance, including:
- 4.1.1 User activity, including authentication and access attempts;
- 4.1.2 Anomalous network traffic, including large transfers to unknown Internet Protocol (IP) addresses;
- 4.1.3 Successful administrative log-ons, configuration changes and hardware changes; and
- 4.1.4 Unauthorized access or changes to remote access system configurations.
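Logging the events in 4.1 is only useful if something reads them. The following is an added example, not taken from the GC document or any GC gateway, of detection logic that runs over a handful of constructed remote access gateway log lines and surfaces each of the four event classes: a burst of failed logons (4.1.1), a large outbound transfer to a destination not on an allow list (4.1.2), successful administrative logons and configuration changes (4.1.3), and a configuration change made by an account that is not an administrator (4.1.4). The key=value log format, field names, thresholds, allow lists and management subnet are all assumptions made for the example.

```python
"""Added example (not from the GC document): detection logic over constructed
remote access gateway log lines for the four event classes of requirement 4.1.
The log format, field names, thresholds and allow lists are assumptions.
"""
import re
from collections import Counter

# Constructed sample: one event per line, as a hypothetical gateway might emit.
SAMPLE_LOGS = """\
ts=2024-03-02T08:01:10Z event=auth result=fail user=jsmith src=198.51.100.7
ts=2024-03-02T08:01:15Z event=auth result=fail user=jsmith src=198.51.100.7
ts=2024-03-02T08:01:21Z event=auth result=fail user=jsmith src=198.51.100.7
ts=2024-03-02T08:01:30Z event=auth result=fail user=jsmith src=198.51.100.7
ts=2024-03-02T08:02:00Z event=auth result=success user=amartin src=203.0.113.9 mfa=fido2
ts=2024-03-02T08:10:00Z event=flow user=amartin dst=192.0.2.25 bytes_out=3200000
ts=2024-03-02T08:12:00Z event=flow user=amartin dst=198.51.100.200 bytes_out=2400000000
ts=2024-03-02T09:00:00Z event=admin_logon result=success user=admin.lee src=10.10.5.4
ts=2024-03-02T09:05:00Z event=config_change user=admin.lee object=vpn.policy.split_tunnel value=disabled
ts=2024-03-02T22:40:00Z event=config_change user=svc.backup object=vpn.policy.mfa value=off
"""

FAILED_AUTH_THRESHOLD = 3                 # failures per user before alerting
LARGE_TRANSFER_BYTES = 1_000_000_000      # 1 GB outbound to a single destination
KNOWN_DESTINATIONS = {"192.0.2.25"}       # assumed approved internal/partner hosts
ADMIN_ACCOUNTS = {"admin.lee"}            # accounts permitted to change configuration
MANAGEMENT_NETWORK = re.compile(r"^10\.10\.5\.")  # assumed out-of-band management subnet

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse 'key=value' pairs into a dict; return None for unparseable lines."""
    fields = dict(FIELD.findall(line))
    return fields if "event" in fields else None


def detect(log_text):
    """Return a list of (rule, message) findings, one per detected event."""
    findings = []
    failures = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ev = rec["event"]
        user = rec.get("user", "?")
        # 4.1.1 authentication attempts: alert once a user crosses the failure threshold
        if ev == "auth" and rec.get("result") == "fail":
            failures[user] += 1
            if failures[user] == FAILED_AUTH_THRESHOLD:
                findings.append(("4.1.1", f"{user}: {FAILED_AUTH_THRESHOLD} failed logons from {rec.get('src')}"))
        # 4.1.2 anomalous traffic: large outbound transfer to a destination not on the allow list
        elif ev == "flow":
            size = int(rec.get("bytes_out", 0))
            dst = rec.get("dst", "")
            if size >= LARGE_TRANSFER_BYTES and dst not in KNOWN_DESTINATIONS:
                findings.append(("4.1.2", f"{user}: {size} bytes to unknown destination {dst}"))
        # 4.1.3 successful administrative logons are always recorded; note the source network
        elif ev == "admin_logon" and rec.get("result") == "success":
            src = rec.get("src", "")
            note = "" if MANAGEMENT_NETWORK.match(src) else " (outside management network)"
            findings.append(("4.1.3", f"admin logon by {user} from {src}{note}"))
        # 4.1.3 / 4.1.4 configuration changes: by an administrator they are recorded,
        # by any other account they are flagged as unauthorized
        elif ev == "config_change":
            rule = "4.1.3" if user in ADMIN_ACCOUNTS else "4.1.4"
            findings.append((rule, f"{user} set {rec.get('object')}={rec.get('value')}"))
    return findings


if __name__ == "__main__":
    for rule, message in detect(SAMPLE_LOGS):
        print(rule, message)
```

The threshold check fires exactly once per user rather than on every subsequent failure, which keeps a brute-force burst from flooding the analyst queue; the 4.1.2 rule deliberately ignores a large transfer to an approved destination, since the requirement singles out transfers to unknown addresses.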
4.2 Forward event logs to a central logging facility for processing, storage, monitoring and analysis, and protect them from unauthorized modification and deletion using the Cyber Centre’s approved cryptographic safeguards.