Re: Remote Acceses Policies - VPN vs Desktop Access

["Flynn, Gary" <flynngn () JMU EDU>]

> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Vik Solem
> Sent: Thursday, March 25, 2010 2:45 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Remote Acceses Policies - VPN vs Desktop Access
>
> On Mar 25, 2010, at 13:39 , Flynn, Gary wrote:
> > Do you place any restrictions on remote access to desktops if
> > they're coming
> > through your VPN? For example, Windows Remote Desktop, VNC, PC
> > Anywhere, SSH,
> > X Windows, etc.? Or perhaps not through your VPN (GoToMyPC.com,
> > LogMeIn.com, etc.)?
> > (Am I missing any major ones?)
>
> Following a particularly rough attack which used RDP (TCP/3389) at a
> control channel, we put a rule at the border which stops all TCP/3389
> inbound.  (I'm not sure if the dorms are included, but I think they
> might be.)

We don't allow any inbound TCP unless it was specifically requested so
the direct channel is pretty limited. 

> This forces people to use the VPN for access to thing that use RDP on
> port TCP/3389.  This doesn't prevent people from using non-standard
> ports, but it does protect most of the people who use RDP daily.

Once they're on the VPN, do you have any restrictions to their desktop
from that point? That is, can any VPN user connect to their desktop?