Educause Security Discussion mailing list archives

Re: RDP access to Servers from computing staff workstations.


From: Eme Ejike <eejike () ODU EDU>
Date: Tue, 8 Jun 2010 18:23:06 -0400

Thanks Gary,
I appreciate the insight. As you know, system admins are rarely concerned
with how they get to their servers as long as they get to it. However,
they forget that in general IT folks.... dare I say it.... have a
complex. A common "everything has got to be on my workstation for me to be
an admin G.O.D." scenario easily leads to their workstations being the
least secure. With this in mind, an added layer of separation seems to be
something to seriously consider.


Bristol, Gary L. wrote:
Bastion host set up with SSH allowed, then tunnel the RDP through the bastion host to the staff's workstations.

Then also for IT staff, MS server access is via a management OOBM VPN.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Kell
Sent: Tuesday, June 08, 2010 12:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RDP access to Servers from computing staff workstations.

On 6/8/2010 11:53 AM, Eme Ejike wrote:

On the Linux/Unix/Solaris environments, we have a bastion host set up
for management access to servers from our computing staff workstations.
However, no infrastructure was defined for access to the Windows
servers, which I am currently planning to set a structure for.
I would sincerely appreciate some feedback on how management access
has been set up for access to the server environment from your
computing staff workstations.
What model do most security admins within our forum gravitate towards?


We have a "standard non-standard" route for this, using SSH, RDP, or VNC (depending on the target platform) on a nonstandard port. Users are encouraged to restrict access to the relocated service port to specific IPs/subnets (we have authorized ITD staff and departmental sysadmins in predictable subnets, as well as our VPN pools).

Public-facing SSH/RDP/etc are practically nonexistent except in very special situations. Changing the ports avoids script kiddies but obviously does little against a targeted attack.

This was not done overnight, however :-) Identify your users and work with them individually to transition them to whatever method you choose.

Jeff
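
An added example, not code from any of the posters, of the bastion-host pattern Gary describes: an sshd_config fragment for the bastion that lets IT staff tunnel only to RDP on named Windows servers, a small emulation of that PermitOpen decision, and the matching client command. The bastion name, admin group, user name and server names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical names throughout:
# bastion "bastion.example.edu", admin group "itstaff", Windows servers below.
BASTION="bastion.example.edu"
ADMIN_USER="admin"
ALLOWED_RDP_HOSTS="winsrv01.example.edu winsrv02.example.edu"

# sshd_config fragment for the bastion: forwarding is off by default, and
# members of itstaff may open local forwards only to RDP on the listed servers.
# (PermitOpen matches host:port literally, so clients must request these names.)
bastion_sshd_fragment() {
    permit=""
    for h in $ALLOWED_RDP_HOSTS; do permit="$permit $h:3389"; done
    cat <<EOF
# --- management tunnel policy, appended to /etc/ssh/sshd_config ---
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
Match Group itstaff
    AllowTcpForwarding local
    PermitOpen${permit}
EOF
}

# Emulate the bastion's PermitOpen decision for a requested destination:
# succeeds (status 0) only when host:port is in the PermitOpen list, so a
# forward to SSH/SMB on a server, or to RDP on an unlisted host, is refused.
tunnel_allowed() {
    dest="$1:$2"
    for p in $(bastion_sshd_fragment | sed -n 's/^ *PermitOpen //p'); do
        [ "$p" = "$dest" ] && return 0
    done
    return 1
}

# Client side: bind local port 13389 to RDP on $1 through the bastion.
# -N opens the tunnel without a shell; the RDP client then targets localhost:13389.
client_tunnel_cmd() {
    printf 'ssh -N -L 13389:%s:3389 %s@%s' "$1" "$ADMIN_USER" "$BASTION"
}

# Stand-alone run: show the policy and the command for one server.
bastion_sshd_fragment
echo
client_tunnel_cmd winsrv01.example.edu
echo
```

Pair this with the workstation-side firewall rule Jeff mentions (bastion port 22 reachable only from staff subnets and VPN pools) so the bastion, not each admin's desktop, is the only path to the RDP listeners.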

