Educause Security Discussion mailing list archives
Re: RDP and Campus Computers
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Wed, 7 Nov 2007 19:01:50 -0700
Hello Everyone, This is my first opportunity to provide some feedback and I hope that it will help. As background, I have worked in many environments doing Security and other assessments in both the private and public sectors and regularly get briefings from agencies relating to security issues band breaches. With that in mind: There are three general categories of issues being raised by Jeni Li: Technical (what we do with the tech stuff to secure information), policy/management and people. Any solution would have to address all three and the technical side, including computer/network policies, procedures, systems, etc., will only go so far in ensuring that policies are complied with. So, much of it will have to the dealt with through personnel awareness and training and I don't mean some Computer Based Training module that most trainees take just to get it over with. We are dealing with how people with different backgrounds see security and the need to comply (unfortunately academia is one of the places where compliance with strict security policies has had a problematic history). There are steps that can be taken to address the people solutions and ensure their efficacy, but that goes well beyond e-mail. On the technical side, once the policies and training are done, I recommend that you consider working from home over a VPN as the equivalent of working from the office. The computer configuration, link, gateway, firewalls, etc. should be considered nothing else but a long cable from campus to the person's home. So, if you trust them to access and look at sensitive material in the office, then you can focus on the integrity of the computer system and VPN link as the technical security solution. In practice, if someone really wants to get information from a computer screen, they will be able to using everything from cut and paste to screen captures and digital images. Now, there are a few things that you could do to mitigate security risks while users work over a VPN link from home, specifically: 1. Limit them to using computers provided by the institution over which you have administrative controls, 2. Assuming 1, encrypt the hard drive and enforce password policies in case of theft, 3. Install and configure virus protection, personal firewall and intrusion detection software on the system in a manner that complies with established policies. Do not let home users change the settings, 4. Enforce updates so that, if the computer user fails to keep the anti-virus and other protection up to date, the system will not be allowed onto the network, 5. Enforce digital fingerprinting on all sensitive documents and let them know that, if the documents get out, they could be traced to the culprit, 6. Monitor all external users in accordance with their profile, flagging such things as activities during off hours, i.e. working at 3:30AM, working while on vacation, multiple sign-ons with the same account, etc. Check with them on specific anomalies. This will do two things: Help you detect unauthorized activities and remind the users that monitoring is being done, 7. Log activities over the VPN links and regularly evaluate them - you may be able to use an intrusion detection in this area to facilitate automated monitoring and alerting. Finally, all of the above assumes that documents and sensitive data are properly classified/categorized and secured accordingly. Remember that the try and secure everything in the same way is the same as securing nothing. There is much more - but at least these are some ideas that are not always considered, Best of luck! Ozzie Paez SSE/CISSP SAIC 303-332-5363 -----Original Message----- From: Greg Vickers [mailto:g.vickers () QUT EDU AU] Sent: Wednesday, November 07, 2007 4:48 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] RDP and Campus Computers Hi all, Jeni Li wrote:
Hi John, You can disable clipboard mapping in TS settings on the office computers,
and you can make that a group policy setting.
http://technet2.microsoft.com/windowsserver/en/library/17d44d9a-cf4b-4a6a-94 ec-093cb5f8b2b71033.mspx?mfr=true
As to preventing them from getting data from a work PC to a home PC, there
will be workarounds if an employee is really determined to do it. They could email a file to themselves, store it on an Internet service like Google Docs or iDisk, or transfer it using a thumb drive or iPod while at work. So I'm not sure how much you will gain by disabling clipboard mapping, relative to the annoyance you may cause as a result. But yes, it certainly can be done. I agree wholeheartedly with Jeni here, it is just far too easy for an insider to remove data from inside the network and take it outside, inadvertently or maliciously. To fully mitigate this risk, you would have to have terminals that have no IO ports that can have storage media attached to them, physically secured network ports, a process to check each email that is sent outside the network for attachments or inline data, strict policies and procedures and management backing for those policies, high levels of user education, metal scanners at all building entrances/exits etc etc etc. In other words, totally unworkable for a typical University environment. Maybe you should revisit the risk that you are trying to mitigate here - that of sensitive data moving outside the network via staff members. IMHO (and feel free to ridicule or ignore me) there should be a document drawn up that details the risk and the strategy for that risk (e.g. avoid, accept, mitigate) and have it acknowledged by your supervisor AND departmental head, and have them sign it, or ensure that it is otherwise recognized at an appropriate level. Good luck, Greg
-----Original Message----- From: Carroll, John [mailto:carrolljw () LONGWOOD EDU] Sent: Wed 11/7/2007 9:10 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] RDP and Campus Computers We at Longwood have been trying to find a solution that would allow our
faculty and staff to work from home while preventing them from downloading or storing potentially sensitive data on their personal computers. One solution that we are favoring is leveraging our SSL VPN Cisco client with the Remote Desktop to the users office computer. The issue with that appears to be the clipboard "cut and paste", which allows you to essentially copy data from work to your personal computer. To further aggravate, the option to enable and disable this feature appears to be with the client side (home user). I have not had much luck finding a solution on the web to disable the "cut and paste" (rdpclip.exe) permanently. It is a Windows protected file.
Has anyone attempted to do this and found the same issue or perhaps a
solution or, do we need to find an alternative method and give-up on RDP?
Any suggestions or advice would be most welcome. John Carroll Information Security Office Longwood University
-- Greg Vickers IT Security Engineer & Project Manager IT Security, Network Services, Information Technology Services Queensland University of Technology L12, 126 Margaret St, Brisbane Queensland, Australia Phone: +61 7 3138 6902 Mobile: 0410 434 734 Fax: +61 7 3138 2921 Email: g.vickers () qut edu au IT Security web site: http://www.its.qut.edu.au/itsecurity/ CRICOS No. 00213J
Current thread:
- RDP and Campus Computers Carroll, John (Nov 07)
- <Possible follow-ups>
- Re: RDP and Campus Computers Jeni Li (Nov 07)
- Re: RDP and Campus Computers Aaron B. Bewley (Nov 07)
- Re: RDP and Campus Computers Scholz, Greg (Nov 07)
- Re: RDP and Campus Computers Greg Vickers (Nov 07)
- Re: RDP and Campus Computers Ozzie Paez (Nov 07)
- FW: RDP and Campus Computers Charlie Prothero (Nov 07)