Re: Policy/Practices for Remote Control/Remote Access to Institutionally Owned Computers

[Dennis Bohn <bohn () ADELPHI EDU>]

Hi Jack,
Not certain if it were here or another list, but this topic has come up now
and again.  Here at AU, we block access to those sites from the
Administrative networks.   Our reasoning is that we do not want people to
have access to the ERP system functions that are not web-based from
off-campus, unless it is specifically authorized.  For very special users
we allow VPN with two-factor authentication to access the ERP system
directly.

What with one thing and another (byod, so-called borderless networks), not
certain how much longer this will make sense.
best,
Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327


On Tue, Aug 21, 2012 at 12:39 PM, Jack Rutt <ruttj () emu edu> wrote:

> For years we have prohibited the use/installation of remote access/remote
> control programs on our institutionally owned computers.  GoToMyPC was one
> of the first services that prompted us to declare a policy about this kind
> of service but with the onslaught of BYOD the number of these services and
> the interest that employees have in remote access has increased
> significantly.  Specifically, the convenience of being able to get the
> near-equivalent of your desktop on an iPad is very compelling for these
> kinds of users.****
>
> ** **
>
> Originally, our concern was with third-party access potential (i.e. was
> the company behind GoToMyPC really ensuring that security best practices
> were being applied to the connections established through their
> infrastructure).  This concern has been addressed over the years by the
> service providers but we are still very skeptical about the practice of
> needing to have a computer “listening” for a connection to be established
> from a remote device over which we have no control from an end-point
> security perspective.****
>
> ** **
>
> The services we have found some users installing include PocketCloud,
> GoToMyPC, LogMeIn, VNC etc.  Our institutionally owned desktop computer
> users do not have administrative privileges, so they typically do not
> install the server components for these services.  However, laptop users
> are administrative users because they are often the users who have
> legitimate reasons for administrative privileges – so it is with this group
> of users where we find the prohibited programs.  When we find these
> programs installed we require that they be uninstalled and remind the user
> that we do provide VPN connectivity and RDP access to a terminal server.
> But that does not truly give the user access to the computer resources they
> have on the computer (in most cases a laptop) that they have while working
> from their desk.****
>
> ** **
>
> My questions:****
>
> ** **
>
> **1.       **Are we being overly restrictive to prohibit external
> connections to institutionally owned computers?
>
> ****
>
> **2.       **Do other institutions typically prohibit the user of remote
> access programs like GoToMyPC, LogMeIn, PocketCloud or others that are
> essentially VNC products?
>
> ****
>
> **3.       **Do any institutions permit (condone?) the use of any
> specific remote access programs and, if so, what policies or best practice
> statements are enforced to accompany these activities?****
>
> ** **
>
> Thanks for any perspectives you can provide.****
>
> ** **
>
> Jack****
>
> ** **
>
> Jack Rutt
> Director Information Systems
> Eastern Mennonite University, 1200 Park Road, Harrisonburg, VA 22802
> 540-432-4478 (desk), 540-432-4444 (fax), 540-578-1782 (mobile)****