Re: Remote desktop access policy

[David Glosser <david_glosser () yahoo com>]

Also, change the default port for RDP, require encryption (that's also a group policy), use an ssh tunnel if you can. 
Here's a web page I found:

http://www.mobydisk.com/techres/securing_remote_desktop.html


----- Original Message ----
> From: Dave Spillers <DSpillers () centiv com>
> To: Petter Bruland <pbruland () fcglv com>; jenna <jennasec-focus () yahoo co uk>; security-basics () securityfocus 
> com
> Sent: Friday, January 18, 2008 3:12:48 PM
> Subject: RE: Remote desktop access policy
>
> I also have my users connecting and using the RDP, for very similar
> reasons.   I also have users that are remote offices with different
> network/subnets Ie. We may be 192.168.1.X and they are 192.168.2.X and
> they can not RDP to us.  There is a spot to enter the subnets that are
> allowed to RDP to systems on the 1.x but I can't remember where. 
> I
 know
> I changed it at one point to add one of the remote offices but cant
> remember now where.  I thought it was a group policy but cant find that
> any help jogging my memory would be GREAT!
>
> David S
>
>
> -----Original Message-----
> From:
> listbounce () securityfocus com
 [mailto:listbounce () securityfocus com]
> On Behalf Of Petter Bruland
> Sent: Friday, January 18, 2008 12:16 PM
> To: jenna; security-basics () securityfocus com
> Subject: RE: Remote desktop access policy
>
> The issue with that is that "important" people can't wait for a large
> file to transfer to their home PC, in order for them to work on it.
> Working via RDC is a faster and better solution for them.
> And when you do work from home in the evening/morning, you can
> disconnect when you're done, then when you get to the office and log in
> everything is where you left it. Well, except the days when we roll out
> Windows updates.
>
> Plus if a firewall/VPN setup is configured to only allow RDC traffic, I
> would think that's better than allowing full/partial direct
> server.
 Also
> with a semi locked down VPN connection only allowing RDC, I would think
> that the importance of a "clean" end-user machine isn't as important as
> if they had more access.
>
> -Petter 
>
> -----Original Message-----
> From:
> listbounce () securityfocus com
 [mailto:listbounce () securityfocus com]
> On Behalf Of jenna
> Sent: Friday, January 18, 2008 9:10 AM
> To: security-basics () securityfocus com
> Subject: Re: Remote desktop access policy
>
> Hi
> My main concern would be why they requre access to their desktop.
> Anything to do with the business should be on a file server to
> ensure
 it
> gets backed up.  Users would then only need access to the server thus
> negating the need to leave their desktops left on.
>
> If you allow  any access to your network, ensure you have a tool in
> place to check that their home machine has an updated AV as well as MS
> updates.  Users will also be able to copy files to their home
> machine
 so
> ensure this is covered by the policy and ensure everybody is aware
> -
 you
> could ask people to sign a form acknowledging this.
>
> Jenna
>
>
>
> ----- Original Message ----
> From: WALI 
> To: security-basics () securityfocus com
> Sent: Friday, 18 January, 2008 1:33:18 PM
> Subject: Remote desktop access policy
>
> Hi guys...do you have any remote desktop policy clauses that you can
> share?
> I am having difficulties in trying to tell people the hazards of
> haphazardly asking IT guys the perils of asking access to
> their
 desktops
> when the come in via VPN.
>
> Everyone wants to have a VPN client and then to a remote
> desktop
 session
> to their desktop.
>
> How can I tell them the threats of doing so? Are there any threats?
> Should I restrict such usage? For one, it makes a lot of economic sense
> to switch off PC once a user leaves his/her desk for the day.
>
>
>       ___________________________________________________________
> Support the World Aids Awareness campaign this month with Yahoo! For
> Good http://uk.promotions.yahoo.com/forgood/