Educause Security Discussion mailing list archives

Re: RDP and Campus Computers


From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Thu, 8 Nov 2007 09:48:13 +1000

Hi all,

Jeni Li wrote:
Hi John,
You can disable clipboard mapping in TS settings on the office computers, and you can make that a group policy setting.
http://technet2.microsoft.com/windowsserver/en/library/17d44d9a-cf4b-4a6a-94ec-093cb5f8b2b71033.mspx?mfr=true

As to preventing them from getting data from a work PC to a home PC, there will be workarounds if an employee is really 
determined to do it. They could email a file to themselves, store it on an Internet service like Google Docs or iDisk, or 
transfer it using a thumb drive or iPod while at work. So I'm not sure how much you will gain by disabling clipboard 
mapping, relative to the annoyance you may cause as a result. But yes, it certainly can be done.

I agree wholeheartedly with Jeni here; it is just far too easy for an
insider to remove data from inside the network and take it outside,
inadvertently or maliciously.  To fully mitigate this risk, you would
have to have terminals that have no IO ports that can have storage media
attached to them, physically secured network ports, a process to check
each email that is sent outside the network for attachments or inline
data, strict policies and procedures and management backing for those
policies, high levels of user education, metal scanners at all building
entrances/exits etc etc etc.  In other words, totally unworkable for a
typical University environment.

Maybe you should revisit the risk that you are trying to mitigate here -
that of sensitive data moving outside the network via staff members.
IMHO (and feel free to ridicule or ignore me) there should be a document
drawn up that details the risk and the strategy for that risk (e.g.
avoid, accept, mitigate) and have it acknowledged by your supervisor AND
departmental head, and have them sign it, or ensure that it is otherwise
recognized at an appropriate level.

Good luck,
Greg

-----Original Message-----
From: Carroll, John [mailto:carrolljw () LONGWOOD EDU]
Sent: Wed 11/7/2007 9:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] RDP and Campus Computers

We at Longwood have been trying to find a solution that would allow our faculty and staff to work from home while preventing them from 
downloading or storing potentially sensitive data on their personal computers. One solution that we are favoring is leveraging our SSL VPN 
Cisco client with the Remote Desktop to the user's office computer. The issue with that appears to be the clipboard "cut and 
paste", which allows you to essentially copy data from work to your personal computer. To further aggravate, the option to enable and 
disable this feature appears to be with the client side (home user). I have not had much luck finding a solution on the web to disable the 
"cut and paste" (rdpclip.exe) permanently. It is a Windows protected file.

Has anyone attempted to do this and found the same issue or perhaps a solution, or do we need to find an alternative 
method and give up on RDP?


Any suggestions or advice would be most welcome.


John Carroll
Information Security Office
Longwood University


--
Greg Vickers
IT Security Engineer & Project Manager
IT Security, Network Services,
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane
Queensland, Australia

Phone: +61 7 3138 6902
Mobile: 0410 434 734
Fax: +61 7 3138 2921
Email: g.vickers () qut edu au
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J
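
Added example, not part of any message in this thread: a PowerShell audit of the host-side setting Jeni Li describes, run on the office computer that accepts the RDP connection, so the result does not depend on what the home client selects. The registry paths and value names (`fDisableClip`, `fDisableCdm`) are not given in the thread, and covering drive redirection as well as the clipboard is an assumption about what else a site would want blocked.

```powershell
# Added example: audit (and optionally enforce) host-side RDP redirection policy.
# Run elevated on the office computer that accepts the RDP connection.
param([switch]$Enforce)

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Value name -> feature that a value of 1 blocks. Clipboard is the case raised
# in the thread; drive redirection is an assumed extra for the same goal.
$settings = [ordered]@{
    fDisableClip = 'Clipboard redirection'
    fDisableCdm  = 'Drive redirection'
}

function Get-RegValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent (setting not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$report = foreach ($name in $settings.Keys) {
    $policy   = Get-RegValue -Key $policyKey   -Name $name
    $listener = Get-RegValue -Key $listenerKey -Name $name
    # A configured policy value takes precedence over the per-listener setting.
    $effective = if ($null -ne $policy) { $policy } else { $listener }
    [pscustomobject]@{
        Feature  = $settings[$name]
        Value    = $name
        Policy   = if ($null -ne $policy)   { $policy }   else { 'not configured' }
        Listener = if ($null -ne $listener) { $listener } else { 'not set' }
        Blocked  = ($effective -eq 1)
    }
}
$report | Format-Table -AutoSize

if ($Enforce) {
    # Local write for a standalone test machine; a domain GPO overwrites it on refresh.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($row in $report | Where-Object { -not $_.Blocked }) {
        Set-ItemProperty -Path $policyKey -Name $row.Value -Value 1 -Type DWord
        Write-Output "Set $($row.Value)=1 ($($row.Feature) blocked for new sessions)"
    }
}
```

On domain-joined machines the same values are normally delivered through the group policy setting rather than written locally, and a `Blocked` result of `False` on a host that should be covered points to a GPO scoping or refresh problem.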
