[unisog] Remote Access to Staff Desktops
BACHAND, Dave (Info. Tech. Services)
BachandD at easternct.edu
Mon Feb 23 15:03:39 GMT 2009
At Eastern we do a couple of things to support this need.
The first thing is we have a Juniper VPN, which supports Windows RDP.
The second thing we do is pre-define the necessary desktop firewall
exceptions for the Juniper to get to RDP on the desktop via an Active
Directory Group Policy Object. This way the user needs only to enable
RDP and defined themselves as having remote access rights.
No other remote access is allowed.
This way we have control and auditing, and the ease of use is pretty
Information Technology Services
Director of Technical Services
Eastern Connecticut State University
E-mail bachandd at easternct.edu
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Alexander Clouter
Sent: Thursday, February 19, 2009 9:20 AM
To: unisog at lists.sans.org
Subject: Re: [unisog] Remote Access to Staff Desktops
* Tim Lane <tlane at scu.edu.au> [Wed, 18 Feb 2009 15:29:31 +1100]:
> We are receiving an increasing number of requests from staff to
> access their desktops, for a variety of reasons.
> I would be interested in hearing if any other Universities allow this,
> if so how you are providing secure access, or if you have any
> thoughts/comments on the matter.
We are forcing everyone to go dynamically assigned IP so the first
hurdle is to give them a DDNS entry that tracks their workstation.
After that we mention that out network is IPsec 'transparent' so they
can even use preshared key'd IPsec to get to their workstation however
they please and from where-ever.
If people are NAT'ed then they need to be able to work out how to do SSH
port forwarding off a box that *we* control (accessible via public key
and/or OTP), however I also have a functional IPsec+LT2P server setup
that seems to work nicely too for those 'unprepared' to learn the magic
of SSH :) If you go for IPsec+L2TP, look into using DHCP static
classless routes so you do not have to set your organisations network as
a default route for your roaming userbase.
The *last* thing you want to do is poke holes in firewalls for each
workstation, with IPsec you get host based firewalls for free and it's
reasonably straight forward for them to do.
One thing worth doing, block the IP ranges used by those "Log Me
In"-esque services so users do not provision such services themselves.
.sigmonster says: Another megabytes the dust.
unisog mailing list
unisog at lists.dshield.org
More information about the unisog