Educause Security Discussion mailing list archives
Re: RDP and Campus Computers
From: Greg Vickers <g.vickers () QUT EDU AU>
Date: Thu, 8 Nov 2007 09:48:13 +1000
Hi all,

Jeni Li wrote:

Hi John,

You can disable clipboard mapping in TS settings on the office computers, and you can make that a group policy setting.

http://technet2.microsoft.com/windowsserver/en/library/17d44d9a-cf4b-4a6a-94ec-093cb5f8b2b71033.mspx?mfr=true

As to preventing them from getting data from a work PC to a home PC, there will be workarounds if an employee is really determined to do it. They could email a file to themselves, store it on an Internet service like Google Docs or iDisk, or transfer it using a thumb drive or iPod while at work. So I'm not sure how much you will gain by disabling clipboard mapping, relative to the annoyance you may cause as a result. But yes, it certainly can be done.
I agree wholeheartedly with Jeni here, it is just far too easy for an insider to remove data from inside the network and take it outside, inadvertently or maliciously.

To fully mitigate this risk, you would have to have terminals that have no IO ports that can have storage media attached to them, physically secured network ports, a process to check each email that is sent outside the network for attachments or inline data, strict policies and procedures and management backing for those policies, high levels of user education, metal scanners at all building entrances/exits etc etc etc. In other words, totally unworkable for a typical University environment.

Maybe you should revisit the risk that you are trying to mitigate here - that of sensitive data moving outside the network via staff members. IMHO (and feel free to ridicule or ignore me) there should be a document drawn up that details the risk and the strategy for that risk (e.g. avoid, accept, mitigate) and have it acknowledged by your supervisor AND departmental head, and have them sign it, or ensure that it is otherwise recognized at an appropriate level.

Good luck,
Greg
-----Original Message-----
From: Carroll, John [mailto:carrolljw () LONGWOOD EDU]
Sent: Wed 11/7/2007 9:10 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] RDP and Campus Computers

We at Longwood have been trying to find a solution that would allow our faculty and staff to work from home while preventing them from downloading or storing potentially sensitive data on their personal computers. One solution that we are favoring is leveraging our SSL VPN Cisco client with the Remote Desktop to the user's office computer. The issue with that appears to be the clipboard "cut and paste", which allows you to essentially copy data from work to your personal computer. To further aggravate, the option to enable and disable this feature appears to be with the client side (home user).

I have not had much luck finding a solution on the web to disable the "cut and paste" (rdpclip.exe) permanently. It is a Windows protected file. Has anyone attempted to do this and found the same issue or perhaps a solution, or do we need to find an alternative method and give up on RDP?

Any suggestions or advice would be most welcome.

John Carroll
Information Security Office
Longwood University
--
Greg Vickers
IT Security Engineer & Project Manager
IT Security, Network Services, Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane
Queensland, Australia
Phone: +61 7 3138 6902
Mobile: 0410 434 734
Fax: +61 7 3138 2921
Email: g.vickers () qut edu au
IT Security web site: http://www.its.qut.edu.au/itsecurity/
CRICOS No. 00213J
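
The server-side clipboard setting discussed in this message can be verified on each office computer. The PowerShell below is an added example, not part of any message in this thread; it assumes the "Do not allow clipboard redirection" setting is stored as the fDisableClip registry value (Group Policy location and RDP-Tcp listener location), and the function name is hypothetical.

```powershell
# Added example: report whether clipboard redirection is disabled for inbound
# RDP sessions. Run on the office computer (the RDP host), not the home client.
function Get-RdpClipboardRedirectionState {   # hypothetical helper name
    # Assumed locations of the fDisableClip value (1 = redirection disabled).
    $policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Returns the DWORD as an int, or $null when the key or value is absent.
    function Read-Flag([string]$Key) {
        $item = Get-ItemProperty -Path $Key -Name 'fDisableClip' -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.fDisableClip
    }

    $policy   = Read-Flag -Key $policyKey
    $listener = Read-Flag -Key $listenerKey

    # A configured Group Policy value takes precedence over the listener value.
    if ($null -ne $policy) {
        $source   = 'GroupPolicy'
        $disabled = ($policy -eq 1)
    } elseif ($null -ne $listener) {
        $source   = 'Listener'
        $disabled = ($listener -eq 1)
    } else {
        $source   = 'Default'
        $disabled = $false
    }

    [pscustomobject]@{
        ComputerName                 = $env:COMPUTERNAME
        PolicyValue                  = $policy
        ListenerValue                = $listener
        Source                       = $source
        ClipboardRedirectionDisabled = $disabled
    }
}

$state = Get-RdpClipboardRedirectionState
$state | Format-List

# Flag hosts where the setting is absent or only set locally rather than by policy.
if (-not $state.ClipboardRedirectionDisabled -or $state.Source -ne 'GroupPolicy') {
    Write-Warning 'Clipboard redirection is not disabled by Group Policy on this host.'
}
```

A host reporting Source = GroupPolicy with ClipboardRedirectionDisabled = True has the setting enforced on the server side, independent of what the home client selects.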