Educause Security Discussion mailing list archives

Re: Long term telework - how to handle computers off active directory for +30 days with no VPN


From: Francisco Chavez <fac3 () STMARYS-CA EDU>
Date: Fri, 20 Mar 2020 12:46:48 -0700

Jim,

What you could do is set up an RDP remote access gateway. You can use GPO to allow your users RDP access to their 
workstation.  Then create a firewall rule and corresponding DNS record for your new gateway. With ManageEngine you can 
get the computer DNS names and send those to the users. Or you can write a PowerShell script to do a WMI query for 
username and find out that way. This is essentially the strategy we took to provide remote workstation access for about 
300 workstations. 

Hope this helps. 

Regards,
Francisco Chavez

On Mar 20, 2020, at 12:10 PM, Jim A. Bole <jbole () stevenson edu> wrote:

In addition to machine account, we also need to sync domain user account. Otherwise it would create difficulties 
when they change their password online (via ManageEngine). They'd have to continue using their old password to log in 
to their computer and their new password everywhere else. Ugh.

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Friday, March 20, 2020 3:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Long term telework - how to handle computers off active directory for +30 days with no VPN

Today we officially went to full virtual/online for the rest of the semester. So we are working on longer term issues 
around telework.

We currently aren't using any VPN. Most folks are using cloud services (O365, Blackboard, etc.). For selected staff 
who need access to on-prem resources, we've used an RDP gateway for many years with a good security setup.

A number of faculty/staff have taken their Win10 domain PCs home. We have the default 30-day policy for machine 
account passwords, so we have a bit of a clock ticking.

We're testing/piloting a VPN solution. And earlier we started testing/piloting Intune.

Can Intune update the domain policies/creds on a Win10 client? We are ADFS to Azure, not Azure AD, so I'm not sure if 
that would be a show stopper or make it complicated.

Any other issues to think about when you have people and computers off your network for a long time?

I hope everyone gets some respite over the weekend.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community
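
The WMI username lookup mentioned in the reply at the top of this thread, as an added example that is not part of the original messages or any poster's own script. It assumes the ActiveDirectory RSAT module, WinRM reachable on the workstations, and a placeholder OU path and output file name.

```powershell
#Requires -Modules ActiveDirectory
# Added example: map each domain workstation's DNS name to its console user
# so the names can be sent to users for RDP gateway access.

$SearchBase = 'OU=Workstations,DC=example,DC=edu'   # placeholder OU, adjust to your domain
$OutFile    = '.\workstation-users.csv'             # hypothetical output path

# Enabled computer accounts that have a DNS host name registered
$computers = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties DNSHostName |
    Where-Object { $_.DNSHostName }

$results = foreach ($c in $computers) {
    $row = [ordered]@{
        ComputerName = $c.DNSHostName
        UserName     = $null
        Status       = 'Unreachable'
    }
    try {
        # Win32_ComputerSystem.UserName holds the user logged on at the console
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem `
                              -ComputerName $c.DNSHostName `
                              -OperationTimeoutSec 10 -ErrorAction Stop
        $row.UserName = $cs.UserName
        $row.Status   = if ($cs.UserName) { 'ConsoleUser' } else { 'NoConsoleUser' }
    }
    catch {
        # Offline, firewalled, or access denied: record why instead of dropping the host
        $row.Status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

# One row per workstation; hosts without a result still need manual follow-up
$results | Sort-Object ComputerName | Export-Csv -Path $OutFile -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

`Win32_ComputerSystem.UserName` only reports the interactive console user, so it is empty when nobody is logged on locally or when the only session is an RDP session.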
