Educause Security Discussion mailing list archives
Re: Long term telework - how to handle computers off active directory for +30 days with no VPN
From: Francisco Chavez <fac3 () STMARYS-CA EDU>
Date: Fri, 20 Mar 2020 12:46:48 -0700
Jim,

What you could do is set up an RDP remote access gateway. You can use GPO to allow your users RDP access to their workstation. Then create a firewall rule and corresponding DNS record for your new gateway. With ManageEngine you can get the computer DNS names and send those to the users. Or you can write a PowerShell script to do a WMI query for username and find out that way. This is essentially the strategy we took to provide remote workstation access for about 300 workstations.

Hope this helps.

Regards,
Francisco Chavez

Sent from my iPhone

On Mar 20, 2020, at 12:10 PM, Jim A. Bole <jbole () stevenson edu> wrote:

In addition to machine account, we also need to sync domain user account. Otherwise it would create difficulties when they change their password online (via ManageEngine). They'd have to continue using their old password to log in to their computer and their new password everywhere else. Ugh.

-----Original Message-----
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Friday, March 20, 2020 3:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Long term telework - how to handle computers off active directory for +30 days with no VPN

Today we officially went to full virtual/online for the rest of the semester. So we are working on longer term issues around telework.

We currently aren't using any VPN. Most folks are using cloud services (O365, Blackboard, etc.). For selected staff who need access to onprem resources, we've used an RDP gateway for many years with a good security setup.

A number of faculty/staff have taken their Win10 domain PCs home. We have the default 30-day policy for machine account passwords, so we have a bit of a clock ticking.

We're testing/piloting a VPN solution. And earlier we started testing/piloting Intune. Can Intune update the domain policies/creds on a Win10 client? We are ADFS to Azure, not Azure AD, so I'm not sure if that would be a show stopper or make it complicated.

Any other issues to think about when you have people and computers off your network for a long time?

I hope everyone gets some respite over the weekend.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu | O: 443-334-2696

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

Current thread:
- Long term telework - how to handle computers off active directory for +30 days with no VPN Jim A. Bole (Mar 20)
- Re: Long term telework - how to handle computers off active directory for +30 days with no VPN Jim A. Bole (Mar 20)
- Re: Long term telework - how to handle computers off active directory for +30 days with no VPN Francisco Chavez (Mar 20)
- Re: Long term telework - how to handle computers off active directory for +30 days with no VPN Jim A. Bole (Mar 20)