How to Conduct a Thorough PC Remote Permissions Audit (Template Included)

Quick Guide: Running a PC Remote Permissions Audit in Windows and macOS

Keeping remote permissions properly configured is critical to security and operational control. This quick guide shows step-by-step how to audit remote access permissions on Windows and macOS systems, what to check, and how to remediate common issues.

1. Scope and objectives

  • Goal: Verify who can remotely access each PC, how they authenticate, and whether permissions follow least-privilege.
  • Scope: Include RDP, Remote Assistance, SSH, VNC, Apple Remote Desktop (ARD), screen sharing, remote management tools (TeamViewer, AnyDesk), and remote execution endpoints (WinRM, PSRemoting).
  • Deliverable: For each machine, a short report listing enabled remote services, authorized accounts/groups, authentication methods, and recommended fixes.

2. Preparation

  • Inventory: Use your asset list or run network discovery to list target hosts. This guide assumes Windows and macOS desktops/laptops are checked first.
  • Credentials: Ensure you have an account with local admin (or equivalent) access and enable secure auditing client-side (Event Log/Unified Log).
  • Tools: Built-in system tools (PowerShell, Event Viewer, System Preferences), command-line clients (ssh, netstat), and optional third-party scanners (Nmap, PowerShell Remoting, Jamf, PDQ Deploy). Prefer read-only queries where possible.

3. Windows: Audit steps

  1. Check remote services status

    • RDP: Query RDP status
      • PowerShell: Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
        • 0 = RDP enabled, 1 = disabled.
    • Remote Assistance:
      • Registry: HKLM\System\CurrentControlSet\Control\Remote Assistance keys (e.g., fAllowToGetHelp).
    • WinRM/PSRemoting:
      • winrm enumerate winrm/config/listener and Get-Item WSMan:\localhost\Service\Auth*
    • VNC/third-party: look for known service names in Services list or installed programs.
  2. List authorized accounts/groups

    • RDP: Check local group membership for “Remote Desktop Users”:
      • PowerShell: Get-LocalGroupMember -Name 'Remote Desktop Users'
    • Remote Assistance: check authorized helpers via Group Policy or registry and Event Viewer logs.
    • WinRM/PSRemoting: check WinRM listener bindings and firewall rules permitting remote management.
    • Services: Identify which accounts services run as (Services.msc or Get-WmiObject Win32_Service | select Name,StartName).
  3. Verify authentication and network restrictions

    • Check NLA (Network Level Authentication): Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication (1 = NLA enabled).
    • Confirm firewall rules: Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter
    • Review RDP encryption and restricted hosts via Group Policy.
  4. Review logs for remote access events

    • Event Viewer: Security logs — look for Event IDs 4624 (logon), 4625 (failed logon), 4634 (logoff), 4648 (explicit credentials).
    • TerminalServices-RemoteConnectionManager and RemoteDesktopServices-RdpCoreTS operational logs for RDP-specific events.
  5. Report findings and remediate

    • Common issues: RDP enabled with Administrator accounts allowed, weak group membership, NLA disabled, unnecessary services running, overly permissive firewall rules.
    • Remediation actions: Disable unused remote services, remove broad group memberships, enable NLA, restrict allowed users, apply firewall rules limiting sources, enforce MFA and strong passwords, and patch remote access software.
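To turn the values collected in steps 1 to 3 into the findings for the per-machine report, here is an added Python example (not from the original guide) that applies the checks above to a constructed set of values for one host; the dict keys, sample group members and firewall scope are assumptions.

```python
# Added example (not from the guide): turn the section 3 checks into findings for
# the per-machine report. The input dict is constructed by hand to mirror what the
# PowerShell queries above return on one host.

# Principals that grant RDP far too broadly (section 3.5: "weak group membership").
BROAD_PRINCIPALS = {"everyone", "authenticated users", "domain users", "users"}

def windows_remote_findings(host):
    """Return (severity, finding, remediation) tuples for one host's raw values."""
    findings = []
    if host["fDenyTSConnections"] != 0:                  # 0 = RDP enabled, 1 = disabled
        return findings                                  # nothing RDP-related applies
    findings.append(("info", "RDP enabled",
                     "Disable if the host does not need remote desktop"))
    if host["UserAuthentication"] != 1:                  # 1 = NLA enforced
        findings.append(("high", "NLA disabled",
                         "Set UserAuthentication=1 via Group Policy"))
    for member in host["rdp_users"]:                     # Get-LocalGroupMember output
        name = member.split("\\")[-1].lower()            # strip DOMAIN\ or HOST\ prefix
        if name in BROAD_PRINCIPALS:
            findings.append(("high", f"Broad group '{member}' in Remote Desktop Users",
                             "Replace with a named RDP group"))
        elif name == "administrator":
            findings.append(("high", "Built-in Administrator allowed RDP",
                             "Remove; use named admin accounts with MFA"))
    if any(addr.lower() == "any" for addr in host["firewall_remote_addresses"]):
        findings.append(("medium", "RDP firewall rule allows any source",
                         "Scope RemoteAddress to management subnets or VPN"))
    return findings

# Constructed sample resembling a poorly configured workstation.
SAMPLE_HOST = {
    "fDenyTSConnections": 0,
    "UserAuthentication": 0,
    "rdp_users": ["CORP\\Domain Users", "CORP\\helpdesk-rdp", "WS01\\Administrator"],
    "firewall_remote_addresses": ["Any"],             # from Get-NetFirewallAddressFilter
}

if __name__ == "__main__":
    for severity, text, fix in windows_remote_findings(SAMPLE_HOST):
        print(f"[{severity}] {text} -> {fix}")
```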

4. macOS: Audit steps

  1. Check remote services status

    • Screen Sharing / Remote Management (ARD):
      • Command: kickstart or system_profiler SPRemoteManagementDataType for ARD status.
    • SSH (Remote Login): systemsetup -getremotelogin to query the status, sudo systemsetup -setremotelogin on|off to change it.
    • Screen Sharing: launchctl list | grep screensharing and check Sharing preferences plist: /Library/Preferences/com.apple.RemoteManagement.plist and /System/Library/LaunchDaemons/ entries.
    • Third-party tools: check running processes and installed apps (Activity Monitor, ps aux, /Applications).
  2. List authorized accounts/groups

    • Screen Sharing and Remote Management: check authorized users in Sharing preferences or:
      • dscl . -read /Users/username and dscl . -read /Groups/com.apple.access_ssh for SSH group membership.
      • ARD permissions: inspect /Library/Preferences/com.apple.RemoteManagement.plist and use kickstart -showusers.
    • Verify if accounts are admin-level or standard.
  3. Verify authentication and network restrictions

    • Confirm SSH uses key-based auth where possible: inspect /etc/ssh/sshd_config for PasswordAuthentication no and PermitRootLogin no.
    • Firewall and Remote Management restrictions: Check PF rules (pfctl -s rules) and Application Firewall (/usr/libexec/ApplicationFirewall/socketfilterfw --listapps).
    • Check if Screen Sharing requires VNC password (insecure) vs. macOS user authentication.
  4. Review logs

    • Unified log: log show --predicate 'subsystem == "com.apple.screensharing" or process == "sshd"' --last 7d
    • /var/log/system.log for older versions and records of remote sessions and failed logins.
  5. Report findings and remediate

    • Common issues: SSH with password auth enabled, VNC password set or weak, admin accounts allowed for remote control, unnecessary remote management enabled.
    • Remediation: Disable unused services, prefer SSH keys, disable VNC password in favor of user auth, restrict allowed users, enable macOS firewall rules, and enforce strong account policies.
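The sshd_config check in step 3 is easy to get wrong with a plain grep: sshd honours the first occurrence of a keyword, keywords are case-insensitive, and a Match block can re-enable password authentication for some users. Here is an added Python example (not from the original guide) that parses a constructed config with those rules and reports findings; the sample config and finding wording are assumptions.

```python
# Added example (not from the guide): evaluate sshd_config the way sshd reads it.
# First occurrence wins, keywords are case-insensitive, Match lines are conditional.

DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password"}  # OpenSSH defaults

def parse_sshd_config(text):
    """Return (global_settings, match_overrides); overrides are kept as
    (criteria, keyword, value) so conditional re-enables stay visible."""
    settings, overrides, current_match = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # strip comments/blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                             # "Keyword=value" form
            parts = parts[0].split("=", 1) + parts[1:]
        key = parts[0].lower()
        value = parts[1].lstrip("= ").strip() if len(parts) > 1 else ""
        if key == "match":
            current_match = value                       # lines below are conditional
        elif current_match is not None:
            overrides.append((current_match, key, value.lower()))
        elif key not in settings:                       # first occurrence wins
            settings[key] = value.lower()
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings, overrides

def ssh_findings(text):
    """Apply the section 4.3 checks and list what an auditor should fix."""
    settings, overrides = parse_sshd_config(text)
    findings = []
    if settings["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is not 'no'; prefer key-based auth")
    if settings["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no'")
    for criteria, key, value in overrides:
        if key in DEFAULTS and value == "yes":
            findings.append(f"Match '{criteria}' re-enables {key}")
    return findings

# Constructed sample: globally hardened, but a Match block re-enables passwords.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
# the next line is ignored by sshd: the first occurrence above wins
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
```

Run `ssh_findings(open("/etc/ssh/sshd_config").read())` on a host to audit its live file.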

5. Quick checklist (apply to both platforms)

  • Service inventory: List enabled remote services.
  • Authorized users: Confirm least-privilege; remove unnecessary accounts.
  • Authentication: Enforce NLA (Windows), SSH key auth (macOS), disable password-only auth.
  • Network controls: Restrict source IPs, use VPNs, tighten firewall rules.
  • Logging: Ensure remote access events are logged and forwarded to SIEM.
  • Patching: Update remote access software and OS.
  • MFA: Enforce multi-factor authentication for remote sessions where possible.
  • Documentation: Record changes, owners, and review cadence (quarterly).

6. Automation and ongoing monitoring

  • Use configuration management (Group Policy, Intune, Jamf) to enforce settings.
  • Schedule automated scans (PowerShell scripts, Nmap, vulnerability scanners) and ingest logs into a central SIEM.
  • Build alerting for anomalous remote logins and new remote services appearing.

7. Example Windows PowerShell snippets

  • Check RDP enabled:

```powershell
(Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections).fDenyTSConnections
```

  • List Remote Desktop Users:

```powershell
Get-LocalGroupMember -Name 'Remote Desktop Users'
```

8. Example macOS commands

  • Check SSH (Remote Login) status:

```bash
systemsetup -getremotelogin
```

  • Show recent screen sharing log entries:

```bash
log show --predicate 'subsystem == "com.apple.screensharing"' --last 7d
```

Final notes

Run this audit regularly (quarterly or after major changes). Prioritize systems where remote permissions expose high-value assets and apply immediate fixes for administrative accounts with remote access.
