Educause Security Discussion mailing list archives
Re: Policy/Practices for Remote Control/Remote Access to Institutionally Owned Computers
From: Dennis Bohn <bohn () ADELPHI EDU>
Date: Wed, 22 Aug 2012 08:01:09 -0400
Hi Jack,

Not certain if it were here or another list, but this topic has come up now and again. Here at AU, we block access to those sites from the Administrative networks. Our reasoning is that we do not want people to have access to the ERP system functions that are not web-based from off-campus, unless it is specifically authorized. For very special users we allow VPN with two-factor authentication to access the ERP system directly. What with one thing and another (byod, so-called borderless networks), not certain how much longer this will make sense.

best,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327

On Tue, Aug 21, 2012 at 12:39 PM, Jack Rutt <ruttj () emu edu> wrote:
For years we have prohibited the use/installation of remote access/remote control programs on our institutionally owned computers. GoToMyPC was one of the first services that prompted us to declare a policy about this kind of service but with the onslaught of BYOD the number of these services and the interest that employees have in remote access has increased significantly. Specifically, the convenience of being able to get the near-equivalent of your desktop on an iPad is very compelling for these kinds of users.

Originally, our concern was with third-party access potential (i.e. was the company behind GoToMyPC really ensuring that security best practices were being applied to the connections established through their infrastructure). This concern has been addressed over the years by the service providers but we are still very skeptical about the practice of needing to have a computer “listening” for a connection to be established from a remote device over which we have no control from an end-point security perspective.

The services we have found some users installing include PocketCloud, GoToMyPC, LogMeIn, VNC etc. Our institutionally owned desktop computer users do not have administrative privileges, so they typically do not install the server components for these services. However, laptop users are administrative users because they are often the users who have legitimate reasons for administrative privileges – so it is with this group of users where we find the prohibited programs. When we find these programs installed we require that they be uninstalled and remind the user that we do provide VPN connectivity and RDP access to a terminal server. But that does not truly give the user access to the computer resources they have on the computer (in most cases a laptop) that they have while working from their desk.

My questions:

1. Are we being overly restrictive to prohibit external connections to institutionally owned computers?
2. Do other institutions typically prohibit the use of remote access programs like GoToMyPC, LogMeIn, PocketCloud or others that are essentially VNC products?
3. Do any institutions permit (condone?) the use of any specific remote access programs and, if so, what policies or best practice statements are enforced to accompany these activities?

Thanks for any perspectives you can provide.

Jack

Jack Rutt
Director Information Systems
Eastern Mennonite University, 1200 Park Road, Harrisonburg, VA 22802
540-432-4478 (desk), 540-432-4444 (fax), 540-578-1782 (mobile)
Current thread:
- Policy/Practices for Remote Control/Remote Access to Institutionally Owned Computers Jack Rutt (Aug 21)
- Re: Policy/Practices for Remote Control/Remote Access to Institutionally Owned Computers Dennis Bohn (Aug 22)