Educause Security Discussion mailing list archives

Re: Remote Access to Staff Desktops


From: "Bristol, Gary L." <gbristol () OU EDU>
Date: Wed, 18 Feb 2009 09:41:13 -0600

Actually, what we do here at the University of Oklahoma is provide an SSH bastion host that they connect to.
The bastion hosts use Kerberos authentication to the domain, so there are no local user accounts on the bastion hosts, plus all logging from the host is sent to a remote syslog server.
Then we use SSH tunneling to have the users connect to their workstations via Remote Desktop Protocol.
There are several SSH clients that allow this type of tunneling.
We run a local HIDS system on the bastion hosts so that multiple logon failures cause the source IP to be entered in the local iptables with a drop action.

The normal RDP connections are not allowed from the Internet, and the users' workstations are located in isolated subnets.
Remotely accessing their workstations has several benefits: they don't have to have a desktop at home or mobile that has all their tools loaded.
Any access to sensitive information is kept within the confines of the protected networks.


Gary L. Bristol
CISSP, RHCE
University of Oklahoma
200 Felgar St., Suite 226
Norman, OK 73019

405-325-2236


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Lane
Sent: Tuesday, February 17, 2009 10:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Remote Access to Staff Desktops

Hi All,

We are receiving an increasing number of requests from staff to remotely access their desktops, for a variety of reasons.

I would be interested in hearing if any other Universities allow this, and if so how you are providing secure access, or if you have any thoughts/comments on the matter.

Thanks,

Tim

Tim Lane
Information Security Program Manager
IT&TS
Southern Cross University
Ph (02) 6620 3290
Mobile 0418 248 571
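
The lockout behaviour described in the reply above (repeated logon failures on the bastion host put the source IP into iptables with a drop action), sketched as an added example that is not part of the original message and not the HIDS the University of Oklahoma runs. The threshold, time window, year, host name and log lines are constructed assumptions; the rules are returned as strings, not applied.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines (documentation-range IPs, hypothetical host "bastion").
SAMPLE_LOG = """\
Feb 18 09:40:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb 18 09:40:05 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 40113 ssh2
Feb 18 09:40:07 bastion sshd[2104]: Accepted gssapi-with-mic for jdoe from 198.51.100.20 port 51000 ssh2
Feb 18 09:40:09 bastion sshd[2105]: Failed password for invalid user a from 192.0.2.99 port 1 ssh2 from 203.0.113.7 port 40114 ssh2
Feb 18 09:41:00 bastion sshd[2110]: Failed password for jdoe from 198.51.100.20 port 51002 ssh2
Feb 18 10:30:00 bastion sshd[2190]: Failed password for jdoe from 198.51.100.20 port 51040 ssh2
Feb 18 11:45:00 bastion sshd[2250]: Failed password for jdoe from 198.51.100.20 port 51090 ssh2
"""

# The user name is client-supplied text, so the address is taken from the END of
# the line: the greedy ".*" leaves only the final "from <ip> port <n> ssh2" to match,
# and a user name containing "from <ip>" cannot choose which address gets blocked.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed \S+ for "
    r"(?:invalid user )?.* from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def offenders(log_text, threshold=3, window=timedelta(minutes=5), year=2009):
    """Return source IPs with `threshold` failed logons inside a sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    blocked = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logons and unrelated lines are ignored
        # Syslog timestamps carry no year; the year is an assumption passed in.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        q = recent[m.group(2)]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= threshold and m.group(2) not in blocked:
            blocked.append(m.group(2))
    return blocked

def drop_rules(ips):
    """Render the iptables commands a lockout would insert (not executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(offenders(SAMPLE_LOG))))
```

In the sample, 198.51.100.20 also fails three times, but hours apart, so only 203.0.113.7 crosses the threshold inside the window.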

