Limit remote access to what is strictly necessary

Remote access is a 'necessary' weakening of security. It needs to be restricted to approved users and to necessary resources.

'Least privilege' is a fundamental security principle that means giving users what they need, but no more than that. It is equally valid for remote access, which must be the exception and not the norm.