Educause Security Discussion mailing list archives
Remote Access Policies - VPN vs Desktop Access
From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Thu, 25 Mar 2010 13:39:41 -0400
Our remote access policy encourages people to use our VPN rather than requesting direct exposure of a desktop to the Internet and includes some recommendations about configuration such as providing separate accounts for each user, strong passwords, and use of encryption. But not much more. In any case, it needs to be updated.

Most people that connect to our VPN, regardless of role, cannot access certain resources. To access those resources remotely through the VPN, an individual has to go through a fairly restrictive approval process. The desire is to keep the off-campus attack surface low and make sure the approved person is using a university owned and maintained computer at home to perform the work.

But many people are able to access the restricted resources from their campus desktop. This means they can access the resources from off-campus if they remote into their desktop bypassing the intent of the VPN policy.

There is a desire to make the remote access environment enforce access policies that match the VPN access policies. I suppose one way to do that would be to identify the computers of everyone with an account on the restricted resources and deny remote access to their computers. But we're talking about a lot of people. And this discussion has widened into accessing other sensitive systems through the same mechanism.

Do you place any restrictions on remote access to desktops if they're coming through your VPN? For example, Windows Remote Desktop, VNC, PC Anywhere, SSH, X Windows, etc.? Or perhaps not through your VPN (GoToMyPC.com, LogMeIn.com, etc.)? (Am I missing any major ones?) By role, identity, access rights, or computer?

Thoughts?

Gary Flynn
Security Engineer
James Madison University
Current thread:
- Remote Access Policies - VPN vs Desktop Access Flynn, Gary (Mar 25)
- <Possible follow-ups>
- Re: Remote Access Policies - VPN vs Desktop Access Vik Solem (Mar 25)
- Re: Remote Access Policies - VPN vs Desktop Access Witmer, Robert (Mar 25)
- Re: Remote Access Policies - VPN vs Desktop Access Flynn, Gary (Mar 25)