Educause Security Discussion mailing list archives
Re: RDP access to Servers from computing staff workstations.
From: Eme Ejike <eejike () ODU EDU>
Date: Tue, 8 Jun 2010 18:23:06 -0400
Thanks Gary, I appreciate the insight. As you know, system admins are rarely concerned with how they get to their servers as long as they get to them. However, they forget that, in general, IT folks... dare I say it... have a complex. A common "everything has got to be on my workstation for me to be an admin G.O.D." scenario easily leads to their workstations being the least secure. With this in mind, an added layer of separation seems to be something to seriously consider.

Bristol, Gary L. wrote:
Bastion Host setup with SSH allowed, then tunnel the RDP through the Bastion Host to the staff's workstations. Then also, for IT staff, MS server access is via a Management OOBM VPN.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jeff Kell
Sent: Tuesday, June 08, 2010 12:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RDP access to Servers from computing staff workstations.

On 6/8/2010 11:53 AM, Eme Ejike wrote:

On the Linux/Unix/Solaris environments, we have a bastion host set up for management access to servers from our computing staff workstations. However, no infrastructure was defined for access to the Windows servers, which I am currently planning to set a structure for. I would sincerely appreciate some feedback on how management access has been set up for access to the server environment from your computing staff workstations. What model do most Security Admins within our forum gravitate towards?

We have a "standard non-standard" route for this, using SSH, RDP, or VNC (depending on the target platform) on a nonstandard port. Users are encouraged to restrict access to the relocated service port to specific IPs/subnets (we have authorized ITD staff and departmental sysadmins in predictable subnets, as well as our VPN pools). Public-facing SSH/RDP/etc. are practically nonexistent except in very special situations. Changing the ports avoids script kiddies but obviously does little against a targeted attack.

This was not done overnight, however :-) Identify your users and work with them individually to transition them to whatever method you choose.

Jeff
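Gary's suggestion above (SSH into a bastion, then forward RDP through it, roughly ssh -N -L 3389:win-srv:3389 admin@bastion followed by mstsc /v:localhost) only delivers the "added layer of separation" Eme is after if the bastion account can do nothing except open that one kind of forward; with OpenSSH's default PermitOpen any, a compromised staff workstation can pivot through the bastion to any host it can reach. The script below is an added example, not part of the thread and not anything the posters described: it audits an OpenSSH sshd_config for a tunnel-only group and runs itself against two constructed sample configs. The group name rdpusers, the host names, and the sample files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread): audit an OpenSSH bastion's sshd_config
# for a "tunnel-only" staff group so that the RDP forward
#   ssh -N -L 3389:win-srv-01:3389 admin@bastion   ->   mstsc /v:localhost
# is the only thing those accounts can do on the bastion. Group name, host
# names and paths are assumptions for illustration.
#
# Usage: audit_bastion_config /etc/ssh/sshd_config [group]   (exit 0 = all checks pass)

# Body of the "Match Group <group>" block, up to the next Match line.
# Assumes the single-criterion form "Match Group <group>"; comments and blank lines dropped.
match_block() {
    awk -v grp="$2" '
        tolower($1) == "match" { inblock = (tolower($2) == "group" && $3 == grp); next }
        inblock && NF && $1 !~ /^#/ { print }
    ' "$1"
}

# Lower-cased value of directive $2 inside the block text $1; empty if absent.
directive() {
    printf '%s\n' "$1" | awk -v key="$2" '
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); exit }'
}

audit_bastion_config() {
    cfg_file=$1; cfg_group=${2:-rdpusers}; fails=0
    block=$(match_block "$cfg_file" "$cfg_group")
    if [ -z "$block" ]; then
        echo "FAIL: no 'Match Group $cfg_group' block; nothing restricts these accounts"
        return 1
    fi

    # 1. Client-side (-L) forwards only: 'yes' would also permit -R reverse tunnels into the bastion.
    v=$(directive "$block" allowtcpforwarding)
    [ "$v" = local ] || { echo "FAIL: AllowTcpForwarding '${v:-unset}' (want 'local')"; fails=$((fails+1)); }

    # 2. Forwards pinned to the Windows servers' RDP port; the default 'any' makes the bastion a pivot.
    v=$(directive "$block" permitopen)
    if [ -z "$v" ] || [ "$v" = any ] || [ "$v" = none ]; then
        echo "FAIL: PermitOpen '${v:-unset}' (want explicit host:3389 targets)"; fails=$((fails+1))
    else
        for dest in $v; do
            case $dest in
                *:3389) ;;
                *) echo "FAIL: PermitOpen target '$dest' is not an RDP port"; fails=$((fails+1)) ;;
            esac
        done
    fi

    # 3. No interactive login on the bastion: no TTY, and any requested shell is replaced.
    #    Staff connect with 'ssh -N' (no remote command), which keeps the tunnel open.
    [ "$(directive "$block" permittty)" = no ] || { echo "FAIL: PermitTTY not 'no'"; fails=$((fails+1)); }
    [ -n "$(directive "$block" forcecommand)" ] || { echo "FAIL: ForceCommand not set"; fails=$((fails+1)); }

    echo "$cfg_file: $fails finding(s)"
    [ "$fails" -eq 0 ]
}

# Constructed sample configs (no real hosts) so the audit runs offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened" <<'EOF'
# global section
PasswordAuthentication no
Match Group rdpusers
    AllowTcpForwarding local
    PermitOpen win-srv-01.example.edu:3389 win-srv-02.example.edu:3389
    PermitTTY no
    ForceCommand /usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/weak" <<'EOF'
PasswordAuthentication no
Match Group rdpusers
    AllowTcpForwarding yes
    PermitOpen any
EOF

for f in hardened weak; do
    if audit_bastion_config "$SAMPLE_DIR/$f"; then echo "$f: OK"; else echo "$f: needs work"; fi
done
```

Run it against the real bastion with audit_bastion_config /etc/ssh/sshd_config and put staff admin accounts in the matched group; pair it with the firewall rule on the Windows servers that accepts 3389 only from the bastion, otherwise the workstation-to-server path the thread is trying to close stays open.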
Current thread:
- RDP access to Servers from computing staff workstations. Eme Ejike (Jun 08)
- <Possible follow-ups>
- Re: RDP access to Servers from computing staff workstations. Stanclift, Michael (Jun 08)
- Re: RDP access to Servers from computing staff workstations. Jeff Kell (Jun 08)
- Re: RDP access to Servers from computing staff workstations. Bristol, Gary L. (Jun 08)
- Re: RDP access to Servers from computing staff workstations. Eme Ejike (Jun 08)