Educause Security Discussion mailing list archives
Re: Remote Acceses Policies - VPN vs Desktop Access
From: "Witmer, Robert" <r.witmer () SNHU EDU>
Date: Thu, 25 Mar 2010 15:27:45 -0400
Remote access to desktops was permitted as required (by individual) in the past via VPN tunnels. The business driver was usually host access. We now have a terminal server (Citrix like) solution where staff (by individual) can get to the hosts required, but not to their desktops. We are dissolving the remote desktop access as quickly as possible.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, Gary
Sent: Thursday, March 25, 2010 1:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Remote Acceses Policies - VPN vs Desktop Access

Our remote access policy encourages people to use our VPN rather than requesting direct exposure of a desktop to the Internet and includes some recommendations about configuration such as providing separate accounts for each user, strong passwords, and use of encryption. But not much more. In any case, it needs to be updated.

Most people that connect to our VPN, regardless of role, cannot access certain resources. To access those resources remotely through the VPN, an individual has to go through a fairly restrictive approval process. The desire is to keep the off-campus attack surface low and make sure the approved person is using a university owned and maintained computer at home to perform the work.

But many people are able to access the restricted resources from their campus desktop. This means they can access the resources from off-campus if they remote into their desktop bypassing the intent of the VPN policy.

There is a desire to make the remote access environment enforce access policies that match the VPN access policies. I suppose one way to do that would be to identify the computers of everyone with an account on the restricted resources and deny remote access to their computers. But we're talking about a lot of people. And this discussion has widened into accessing other sensitive systems through the same mechanism.

Do you place any restrictions on remote access to desktops if they're coming through your VPN? For example, Windows Remote Desktop, VNC, PC Anywhere, SSH, X Windows, etc.? Or perhaps not through your VPN (GoToMyPC.com, LogMeIn.com, etc.)? (Am I missing any major ones?)

By role, identity, access rights, or computer?

Thoughts?

Gary Flynn
Security Engineer
James Madison University

Please consider the environment before printing this e-mail.