Re: RDP and Campus Computers

[Ozzie Paez <ozpaez () SPRYNET COM>]

Hello Everyone,
This is my first opportunity to provide some feedback and I hope that it
will help.  As background, I have worked in many environments doing Security
and other assessments in both the private and public sectors and regularly
get briefings from agencies relating to security issues band breaches.  With
that in mind:

There are three general categories of issues being raised by Jeni Li:
Technical (what we do with the tech stuff to secure information),
policy/management and people.  Any solution would have to address all three
and the technical side, including computer/network policies, procedures,
systems, etc., will only go so far in ensuring that policies are complied
with.  So, much of it will have to the dealt with through personnel
awareness and training and I don't mean some Computer Based Training module
that most trainees take just to get it over with.  We are dealing with how
people with different backgrounds see security and the need to comply
(unfortunately academia is one of the places where compliance with strict
security policies has had a problematic history).  There are steps that can
be taken to address the people solutions and ensure their efficacy, but that
goes well beyond e-mail.

On the technical side, once the policies and training are done, I recommend
that you consider working from home over a VPN as the equivalent of working
from the office.  The computer configuration, link, gateway, firewalls, etc.
should be considered nothing else but a long cable from campus to the
person's home.  So, if you trust them to access and look at sensitive
material in the office, then you can focus on the integrity of the computer
system and VPN link as the technical security solution.  In practice, if
someone really wants to get information from a computer screen, they will be
able to using everything from cut and paste to screen captures and digital
images.  Now, there are a few things that you could do to mitigate security
risks while users work over a VPN link from home, specifically:

1.  Limit them to using computers provided by the institution over which you
have administrative controls,
2.  Assuming 1, encrypt the hard drive and enforce password policies in case
of theft,
3.  Install and configure virus protection, personal firewall and intrusion
detection software on the system in a manner that complies with established
policies.  Do not let home users change the settings,
4.  Enforce updates so that, if the computer user fails to keep the
anti-virus and other protection up to date, the system will not be allowed
onto the network,
5.  Enforce digital fingerprinting on all sensitive documents and let them
know that, if the documents get out, they could be traced to the culprit,
6.  Monitor all external users in accordance with their profile, flagging
such things as activities during off hours, i.e. working at 3:30AM, working
while on vacation, multiple sign-ons with the same account, etc.  Check with
them on specific anomalies. This will do two things: Help you detect
unauthorized activities and remind the users that monitoring is being done,
7.  Log activities over the VPN links and regularly evaluate them - you may
be able to use an intrusion detection in this area to facilitate automated
monitoring and alerting.

Finally, all of the above assumes that documents and sensitive data are
properly classified/categorized and secured accordingly.  Remember that the
try and secure everything in the same way is the same as securing nothing.

There is much more - but at least these are some ideas that are not always
considered,

Best of luck!

Ozzie Paez
SSE/CISSP
SAIC
303-332-5363


-----Original Message-----
From: Greg Vickers [mailto:g.vickers () QUT EDU AU]
Sent: Wednesday, November 07, 2007 4:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] RDP and Campus Computers


Hi all,

Jeni Li wrote:
> Hi John,
> You can disable clipboard mapping in TS settings on the office computers,
and you can make that a group policy setting.
>
http://technet2.microsoft.com/windowsserver/en/library/17d44d9a-cf4b-4a6a-94
ec-093cb5f8b2b71033.mspx?mfr=true
> As to preventing them from getting data from a work PC to a home PC, there
will be workarounds if an employee is really determined to do it. They could
email a file to themselves, store it on an Internet service like Google Docs
or iDisk, or transfer it using a thumb drive or iPod while at work. So I'm
not sure how much you will gain by disabling clipboard mapping, relative to
the annoyance you may cause as a result. But yes, it certainly can be done.

I agree wholeheartedly with Jeni here, it is just far too easy for an
insider to remove data from inside the network and take it outside,
inadvertently or maliciously.  To fully mitigate this risk, you would
have to have terminals that have no IO ports that can have storage media
attached to them, physically secured network ports, a process to check
each email that is sent outside the network for attachments or inline
data, strict policies and procedures and management backing for those
policies, high levels of user education, metal scanners at all building
entrances/exits etc etc etc.  In other words, totally unworkable for a
typical University environment.

Maybe you should revisit the risk that you are trying to mitigate here -
that of sensitive data moving outside the network via staff members.
IMHO (and feel free to ridicule or ignore me) there should be a document
drawn up that details the risk and the strategy for that risk (e.g.
avoid, accept, mitigate) and have it acknowledged by your supervisor AND
departmental head, and have them sign it, or ensure that it is otherwise
recognized at an appropriate level.

Good luck,
Greg

> -----Original Message-----
> From: Carroll, John [mailto:carrolljw () LONGWOOD EDU]
> Sent: Wed 11/7/2007 9:10 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] RDP and Campus Computers
>
> We at Longwood have been trying to find a solution that would allow our
faculty and staff to work from home while preventing them from downloading
or storing potentially sensitive data on their personal computers. One
solution that we are favoring is leveraging our SSL VPN Cisco client with
the Remote Desktop to the users office computer. The issue with that appears
to be the clipboard "cut and paste", which allows you to essentially copy
data from work to your personal computer. To further aggravate, the option
to enable and disable this feature appears to be with the client side (home
user). I have not had much luck finding a solution on the web to disable the
"cut and paste" (rdpclip.exe) permanently. It is a Windows protected file.
> Has anyone attempted to do this and found the same issue or perhaps a
solution or, do we need to find an alternative method and give-up on RDP?
> Any suggestions or advice would be most welcome.
>
>
> John Carroll
> Information Security Office
> Longwood University

--
Greg Vickers
IT Security Engineer & Project Manager
IT Security, Network Services,
Information Technology Services
Queensland University of Technology
L12, 126 Margaret St, Brisbane
Queensland, Australia

Phone: +61 7 3138 6902
Mobile: 0410 434 734
Fax: +61 7 3138 2921
Email: g.vickers () qut edu au
IT Security web site: http://www.its.qut.edu.au/itsecurity/

CRICOS No. 00213J