Educause Security Discussion mailing list archives

Remote Access Policies - VPN vs Desktop Access


From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Thu, 25 Mar 2010 13:39:41 -0400

Our remote access policy encourages people to use our VPN rather than requesting 
direct exposure of a desktop to the Internet and includes some recommendations 
about configuration such as providing separate accounts for each user, 
strong passwords, and use of encryption. But not much more. In any case, it 
needs to be updated.

Most people that connect to our VPN, regardless of role, cannot access certain
resources. To access those resources remotely through the VPN, an individual
has to go through a fairly restrictive approval process. The desire is to
keep the off-campus attack surface low and make sure the approved person is
using a university owned and maintained computer at home to perform the work.

But many people are able to access the restricted resources from their campus 
desktop. This means they can access the resources from off-campus if they 
remote into their desktop, bypassing the intent of the VPN policy.

There is a desire to make the remote access environment enforce access policies 
that match the VPN access policies.

I suppose one way to do that would be to identify the computers of everyone
with an account on the restricted resources and deny remote access to their
computers. But we're talking about a lot of people. And this discussion has
widened into accessing other sensitive systems through the same mechanism.

Do you place any restrictions on remote access to desktops if they're coming
through your VPN? For example, Windows Remote Desktop, VNC, PC Anywhere, SSH, 
X Windows, etc.? Or perhaps not through your VPN (GoToMyPC.com, LogMeIn.com, etc.)? 
(Am I missing any major ones?) 

By role, identity, access rights, or computer?

Thoughts?



Gary Flynn
Security Engineer
James Madison University
