[unisog] Remote Access to Staff Desktops

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Mon Feb 23 15:03:39 GMT 2009

At Eastern we do a couple of things to support this need.

The first thing is we have a Juniper VPN, which supports Windows RDP.  

The second thing we do is pre-define the necessary desktop firewall
exceptions for the Juniper to get to RDP on the desktop via an Active
Directory Group Policy Object.  This way the user needs only to enable
RDP and define themselves as having remote access rights.

No other remote access is allowed.

This way we have control and auditing, and the ease of use is pretty

Dave Bachand
Information Technology Services
Director of Technical Services
Eastern Connecticut State University
E-mail bachandd at easternct.edu

-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Alexander Clouter
Sent: Thursday, February 19, 2009 9:20 AM
To: unisog at lists.sans.org
Subject: Re: [unisog] Remote Access to Staff Desktops

* Tim Lane <tlane at scu.edu.au> [Wed, 18 Feb 2009 15:29:31 +1100]:
> We are receiving an increasing number of requests from staff to
> access their desktops, for a variety of reasons.
> I would be interested in hearing if any other Universities allow this,
> if so how you are providing secure access, or if you have any
> thoughts/comments on the matter.
We are forcing everyone to go dynamically assigned IP so the first 
hurdle is to give them a DDNS entry that tracks their workstation.  
After that we mention that our network is IPsec 'transparent' so they 
can even use preshared-keyed IPsec to get to their workstation however 
they please and from wherever.

If people are NAT'ed then they need to be able to work out how to do SSH 
port forwarding off a box that *we* control (accessible via public key 
and/or OTP), however I also have a functional IPsec+L2TP server setup 
that seems to work nicely too for those 'unprepared' to learn the magic 
of SSH :) If you go for IPsec+L2TP, look into using DHCP static 
classless routes so you do not have to set your organisation's network as 
a default route for your roaming userbase.

The *last* thing you want to do is poke holes in firewalls for each 
workstation; with IPsec you get host-based firewalls for free and it's 
reasonably straightforward for them to do.

One thing worth doing: block the IP ranges used by those "Log Me 
In"-esque services so users do not provision such services themselves.


Alexander Clouter
.sigmonster says: Another megabytes the dust.
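The "DHCP static classless routes" Alexander refers to are DHCP option 121 (RFC 3442): if the VPN's DHCP pool hands out only the organisation's prefixes via that option, the roaming client keeps its own default route and only internal traffic goes down the tunnel. The following is an added example, not code from the thread or from either poster. It encodes a route list into the option-121 payload, decodes it back for verification, and renders it for dnsmasq and ISC dhcpd. The VPN gateway 10.8.0.1 and the internal prefixes are made-up values; the dhcpd option name is the conventional locally defined one and is an assumption about your dhcpd.conf.

```python
"""Encode/decode DHCP option 121 (RFC 3442 classless static routes).

Added example; the addresses are constructed, not from the thread.
Assumed setup: an IPsec+L2TP server whose address pool is served by
DHCP, with 10.8.0.1 as the VPN-side gateway (hypothetical value).
"""
import ipaddress


def encode_classless_routes(routes):
    """routes: iterable of (destination CIDR string, router string).
    Returns the option-121 payload bytes (no option code / length byte).
    RFC 3442 format per route: 1 byte prefix width, then only the
    significant octets of the destination, then the 4-byte router."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set
        gw = ipaddress.IPv4Address(router)
        width = net.prefixlen
        significant = (width + 7) // 8                   # 0 octets for /0, 1 for /1-/8, ...
        out.append(width)
        out += net.network_address.packed[:significant]
        out += gw.packed
    return bytes(out)


def decode_classless_routes(payload):
    """Inverse of encode_classless_routes; raises ValueError on a
    malformed or truncated payload rather than silently misrouting."""
    routes = []
    i = 0
    while i < len(payload):
        width = payload[i]
        if width > 32:
            raise ValueError(f"bad prefix width {width} at offset {i}")
        significant = (width + 7) // 8
        i += 1
        if i + significant + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + significant] + b"\x00" * (4 - significant)
        i += significant
        gw = payload[i:i + 4]
        i += 4
        net = ipaddress.IPv4Network((dest, width))
        routes.append((str(net), str(ipaddress.IPv4Address(gw))))
    return routes


def has_default_route(routes):
    """True if a 0.0.0.0/0 entry is present. A client that receives option
    121 ignores option 3 (router), so leaving the default out of the list is
    exactly what keeps the organisation's network from becoming the default."""
    return any(ipaddress.IPv4Network(d).prefixlen == 0 for d, _ in routes)


def dnsmasq_option_line(routes):
    """dnsmasq accepts the routes in CIDR,router pairs and encodes them itself."""
    return "dhcp-option=121," + ",".join(f"{d},{r}" for d, r in routes)


def dhcpd_option_line(routes):
    """ISC dhcpd needs the option declared as 'array of integer 8' and the
    raw payload given as decimal bytes (declaration line assumed)."""
    decl = "option rfc3442-classless-static-routes code 121 = array of integer 8;"
    body = ", ".join(str(b) for b in encode_classless_routes(routes))
    return f"{decl}\noption rfc3442-classless-static-routes {body};"


if __name__ == "__main__":
    # Constructed sample: two internal prefixes, no default route.
    routes = [("10.0.0.0/8", "10.8.0.1"), ("172.16.0.0/12", "10.8.0.1")]
    payload = encode_classless_routes(routes)
    assert decode_classless_routes(payload) == routes
    assert not has_default_route(routes)
    print(payload.hex(":"))
    print(dnsmasq_option_line(routes))
    print(dhcpd_option_line(routes))
```

The `has_default_route` check is the one worth wiring into whatever generates your DHCP config: a single `0.0.0.0/0` entry in the list quietly turns the VPN back into a full-tunnel for every roaming user.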

unisog mailing list
unisog at lists.dshield.org