Educause Security Discussion mailing list archives

Re: Remote Access Policies - VPN vs Desktop Access


From: "Witmer, Robert" <r.witmer () SNHU EDU>
Date: Thu, 25 Mar 2010 15:27:45 -0400

Remote access to desktops was permitted as required (by individual) in the past via VPN tunnels.  The business driver 
was usually host access.  We now have a terminal server (Citrix like) solution where staff (by individual) can get to 
the hosts required, but not to their desktops.  We are dissolving the remote desktop access as quickly as possible.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary
Sent: Thursday, March 25, 2010 1:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Remote Access Policies - VPN vs Desktop Access

Our remote access policy encourages people to use our VPN rather than requesting
direct exposure of a desktop to the Internet and includes some recommendations
about configuration such as providing separate accounts for each user,
strong passwords, and use of encryption. But not much more. In any case, it
needs to be updated.

Most people that connect to our VPN, regardless of role, cannot access certain
resources. To access those resources remotely through the VPN, an individual
has to go through a fairly restrictive approval process. The desire is to
keep the off-campus attack surface low and make sure the approved person is
using a university owned and maintained computer at home to perform the work.

But many people are able to access the restricted resources from their campus
desktop. This means they can access the resources from off-campus if they
remote into their desktop bypassing the intent of the VPN policy.

There is a desire to make the remote access environment enforce access policies
that match the VPN access policies.

I suppose one way to do that would be to identify the computers of everyone
with an account on the restricted resources and deny remote access to their
computers. But we're talking about a lot of people. And this discussion has
widened into accessing other sensitive systems through the same mechanism.

Do you place any restrictions on remote access to desktops if they're coming
through your VPN? For example, Windows Remote Desktop, VNC, PC Anywhere, SSH,
X Windows, etc.? Or perhaps not through your VPN (GoToMyPC.com, LogMeIn.com, etc.)?
(Am I missing any major ones?)

By role, identity, access rights, or computer?

Thoughts?



Gary Flynn
Security Engineer
James Madison University
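The gap Gary describes is that a person approved for the restricted resources only on campus can reach them off-campus by remoting into their own desktop. One way to audit for that is to cross-check remote-desktop logon records against the list of restricted-resource account holders and desktop ownership. The following is an added example written for this archive page, not code from either poster or from any university; the user list, desktop ownership table, VPN pool, campus range and log lines are all constructed sample data, and the log format is an assumed key=value style rather than any real gateway's output.

```python
# Added example: audit remote-desktop logons against the VPN access policy.
# All identities, addresses and log lines below are constructed sample data.
import ipaddress
from dataclasses import dataclass

# Constructed: users who hold accounts on the restricted resources.
RESTRICTED_RESOURCE_USERS = {"alice", "bob"}

# Constructed: campus desktop address -> owning user.
DESKTOP_OWNER = {
    "10.20.1.15": "alice",
    "10.20.1.22": "bob",
    "10.20.1.40": "carol",
}

# Constructed: address pool handed to VPN clients, and the on-campus range.
VPN_POOL = ipaddress.ip_network("10.99.0.0/16")
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample log lines in an assumed "ts gateway key=value ..." format.
SAMPLE_LOG = """\
2010-03-25T13:41:02 rdp-gw user=alice src=10.99.4.17 dst=10.20.1.15 proto=rdp
2010-03-25T13:42:10 rdp-gw user=carol src=10.99.4.18 dst=10.20.1.40 proto=rdp
2010-03-25T13:43:55 rdp-gw user=bob src=10.20.3.9 dst=10.20.1.22 proto=rdp
2010-03-25T13:45:00 rdp-gw user=dave src=198.51.100.7 dst=10.20.1.15 proto=vnc
"""


@dataclass(frozen=True)
class RemoteLogon:
    ts: str
    user: str
    src: ipaddress.IPv4Address
    dst: str
    proto: str


def parse_line(line: str) -> RemoteLogon:
    """Parse one constructed log line into a RemoteLogon record."""
    fields = line.split()
    kv = dict(f.split("=", 1) for f in fields[2:])
    return RemoteLogon(fields[0], kv["user"], ipaddress.ip_address(kv["src"]),
                       kv["dst"], kv["proto"])


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def desktops_to_restrict(owners: dict, restricted_users: set) -> set:
    """Desktops whose owner can reach the restricted resources; these are the
    hosts on which inbound remote-desktop access should be denied."""
    return {host for host, owner in owners.items() if owner in restricted_users}


def find_policy_bypasses(events, owners, restricted_users, vpn_pool, campus_net):
    """Flag remote logons that land on a restricted user's desktop from
    anywhere off campus (the VPN pool or the Internet), i.e. the path that
    sidesteps the VPN approval process."""
    watched = desktops_to_restrict(owners, restricted_users)
    findings = []
    for ev in events:
        if ev.dst not in watched:
            continue
        if ev.src in vpn_pool or ev.src not in campus_net:
            findings.append(ev)
    return findings


def audit(log_text: str) -> list:
    """Run the check over a log and return (timestamp, user, destination) tuples."""
    hits = find_policy_bypasses(parse_log(log_text), DESKTOP_OWNER,
                                RESTRICTED_RESOURCE_USERS, VPN_POOL, CAMPUS_NET)
    return [(h.ts, h.user, h.dst) for h in hits]


if __name__ == "__main__":
    for ts, user, dst in audit(SAMPLE_LOG):
        print(f"{ts} remote logon to restricted user's desktop {dst} by {user}")
```

The same host set returned by desktops_to_restrict is what a firewall or Group Policy deny rule would be built from; running the audit on a schedule catches both the VPN-sourced case and direct-exposure tools that never touch the VPN at all.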
