Remote Desktop through VPN and Network Security

Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.terminal_services,microsoft.public.windowsxp.security_admin

I want my users to have access to their desktop computers from home. For
security reasons we currently allow our notebook users access through VPN.
The current policy is you have to use company equipment that is part of our
domain. Management now wants everyone to have access to their computer from
home. The issue with this is that it allows users the ability to access
corporate data from out of the office. What I want to do is limit what they
are allowed to do on the network after connecting with VPN. I want them to
only be able to use Remote Desktop to access the network. We don't want them
copying files to their local systems.

Is there a way of doing this in the Windows VPN client? What happens if the
employee's home computer has a virus or is not using a firewall? What other
security issues should I consider in doing this?

Tim M
  1.

    If you are using an IPSec VPN, virtually all resources will be available unless
    additional security measures are put in place, e.g. perimeter firewall
    filtering of all ports except RDP 3389, using RAS Access Policy to control
    access, IPSec filtering, etc.

    Hope this helps. Thanks!
  2.

    You would have to make the incoming VPN clients part of a
    separate subnet. Then you set up ACLs on the LAN router between them and the
    rest of the network to limit what they can do. The LAN router in this
    situation may also be the VPN router, which may also be the NAT device.

    However, you will never make this truly secure. They will always be able to
    do anything using the "work" machine that they could always do when sitting
    at their desk, like email anything (including file attachments) anywhere
    they want. The fact that they may be physically sitting at home is
    irrelevant.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
  3.

    And yes, you do have to worry about worms, viruses, and hackers. I will not
    allow users to connect with our VPN unless it is a corporate computer that I
    have personally configured. I know of no way of preventing them from copying
    files to the local computer, unless you can do some creative port blocking
    like maybe 137, 138 UDP, 139 TCP, and 445 TCP.
  4.

    We are using an SSL VPN solution to enable users to connect from home. We do
    not allow drive mappings of the user's home machine. This works great and
    so far the users like the ability of being able to connect from anywhere! No
    worries about ports not being available, port 443 is accessible from anywhere.
  5.

    On Mon, 17 Jan 2005 14:29:07 -0500, "TJM" <tjmurad@hotmail.com> wrote:


    For me it seems easier to restrict what they can do by giving only
    access over an RDP connection to their desktop computers in the office
    instead of full VPN access. At least the simple terminal server I'm
    using in my small LAN
    (http://www.thinsoftinc.com/products_winconserver_info.html) allows
    restricting the mounting of hard disks at the terminal client. So direct
    copying of files between the home computer and office computer becomes
    impossible.
    Have a look at https://www.gotomypc.com/. It's a web-based service by
    Citrix for personal use, small enterprises and corporations. I like
    the restrictive passwords which are possible (one-time password
    list). Perhaps it's a way of letting your users use their PCs in the
    office only as a terminal client before switching the office
    infrastructure to a terminal server.

    Regards

    Michael (not a computer professional)
  6.

    On Mon, 17 Jan 2005 22:38:23 -0000, "Robert Moir"
    <robspamtrap+msnews@gmail.com> wrote:

    >But
    >not impossible - if you told me that I couldn't copy documents direct from
    >your server to my home machine, yet allowed me VPN/Terminal Services access
    >via my desktop machine I could steal data from those documents just by
    >opening them and copying and pasting, and you'd never know.

    It is possible to block the clipboard for this use (on a terminal
    server).
    Of course one could still photograph the monitor at the client, then do
    some OCR...

    Best Regards

    Michael
  7.

    "GadgetGuy" <GadgetGuy@discussions.microsoft.com> wrote in message
    news:94DF4630-BE45-44B6-B24A-8A5E4C1B6ED8@microsoft.com...
    > We are using an SSL VPN solution to enable users to connect from home. We do
    > not allow drive mappings of the user's home machine. This works great and
    > so far the users like the ability of being able to connect from anywhere! No
    > worries about ports not being available, port 443 is accessible from anywhere.

    Just how do you prevent them from mapping a drive? What difference does it
    make anyway? Mapped drives are a thing from the ancient past and there is
    not any kind of access that requires a drive letter be mapped.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
  8.

    You might also want to look at the "network access quarantine feature" in
    Windows Server 2003.
    http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
  9.

    We prevent the mapping of a drive by configuring the SSL VPN box to not allow
    this; we also do not permit this from the server.
  10.

    "GadgetGuy" <GadgetGuy@discussions.microsoft.com> wrote in message
    news:FB8EA793-9BCA-44ED-B06E-49CBFD592C3F@microsoft.com...
    > We prevent the mapping of a drive by configuring the SSL VPN box to not allow

    But how? What exactly do you block that is going to stop drive mappings
    without stopping a whole bunch of other stuff?

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
  11.

    You can use Remote Access Policies to configure exactly what users can
    access via their VPN connection. If you create a policy you can then edit
    the profile and in the IP section configure the input and output filters to
    allow traffic only from and to port 3389 [RDP] for the VPN clients you want to
    restrict. You can have multiple policies and configure them with groups as a
    condition if you want to give different groups different access. When you
    use multiple policies always list specific policies first and then the
    general ones, as the first policy that a VPN client matches will apply to
    that user.

    http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_rap_elements.htm
    -- info on Remote Access Policies

    Keep in mind that Remote Desktop users can by default use drive redirection
    to manipulate files during their RD session. That could be a risk for virus
    infection if users are copying files back and forth between computers. I
    believe you can disable that at the computer level with Group Policy. There
    is no RDP Group Policy per se, but I think that the pertinent Group Policy
    settings for Terminal Services also apply to an XP Pro computer for RDP,
    where you can disable drive redirection and such. You would have to test
    that out to be sure. Those settings are under Computer
    Configuration/Administrative Templates/Windows Components/Terminal Services,
    and you would want to apply them to the LAN computers that the users will be
    accessing via RDP. The link below refers to using Group Policy to
    manage RDP access as an example.

    http://support.microsoft.com/?kbid=306300

    Users using a VPN who may have compromised computers is a real concern.
    Keeping your network computers patched with current critical updates, using
    an AV that also monitors for malicious activity in the background and keeps
    itself current with virus signatures, general hardening of the operating
    system such as disabling unneeded services, and enforcing complex passwords
    for domain and local accounts will go a long way to mitigating that risk.
    Beyond that you would have to look into using network access quarantine,
    which is a fairly complex topic that also may require extra expense in
    hardware. The link below explains that in more detail if interested. ---
    Steve

    http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
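The advice in answers 1, 2, 3 and 11 (let VPN clients reach only TCP 3389, block the SMB/NetBIOS ports, and turn off drive and clipboard redirection through the Terminal Services policy) applied on the RDP host itself, as an added PowerShell example that is not from the thread. It assumes the VPN address pool is 10.99.0.0/24 and a desktop running Windows 8/Server 2012 or later, where the NetSecurity cmdlets exist; the registry values are the ones the Group Policy settings under Administrative Templates\Windows Components\Terminal Services (Remote Desktop Services on current builds) write. Host rules complement, rather than replace, the Remote Access Policy or perimeter filters: a VPN client that can only reach 3389 but lands on a desktop with redirection enabled can still copy files through the RDP channel.

```powershell
# Added example, not code from the original thread. Run elevated on the
# desktop that VPN users will reach over RDP.
# ASSUMPTION: the RAS/VPN address pool is 10.99.0.0/24; change it to match yours.
$VpnPool = '10.99.0.0/24'

# --- 1. Host firewall: RDP from the VPN pool, nothing else from it -----------
# Windows Firewall evaluates Block rules before Allow rules, so the explicit
# blocks below win even if "File and Printer Sharing" is enabled on the domain
# profile. Inbound traffic with no matching Allow rule is blocked by default.
New-NetFirewallRule -DisplayName 'VPN-Allow-RDP' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $VpnPool -Action Allow

# The ports answer 3 names: NetBIOS name/datagram (137/138 UDP), NetBIOS
# session (139 TCP) and direct SMB (445 TCP). Drive mapping and file copy from
# a VPN client need one of these.
New-NetFirewallRule -DisplayName 'VPN-Block-SMB' -Direction Inbound -Protocol TCP `
    -LocalPort 139,445 -RemoteAddress $VpnPool -Action Block
New-NetFirewallRule -DisplayName 'VPN-Block-NetBIOS' -Direction Inbound -Protocol UDP `
    -LocalPort 137,138 -RemoteAddress $VpnPool -Action Block

# Require Network Level Authentication so the client must authenticate before
# a session (and the logon screen) is exposed to it.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1 -Type DWord

# --- 2. Terminal Services policy: keep data inside the session ---------------
# These DWORDs are what the Group Policy settings "Do not allow ... redirection"
# write; setting them here acts as local policy and is overridden by a domain
# GPO if one applies. New sessions pick them up; existing sessions do not.
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $TsPolicy)) { New-Item -Path $TsPolicy -Force | Out-Null }

$Redirection = [ordered]@{
    fDisableCdm      = 1   # drive redirection (\\tsclient\C inside the session)
    fDisableClip     = 1   # clipboard redirection (the copy/paste leak in answer 6)
    fDisableCpm      = 1   # client printer redirection (print-to-file at home)
    fDisableCcm      = 1   # COM port redirection
    fDisableLPT      = 1   # LPT port redirection
    fDisablePNPRedir = 1   # Plug and Play device redirection
}
foreach ($entry in $Redirection.GetEnumerator()) {
    Set-ItemProperty -Path $TsPolicy -Name $entry.Key -Value $entry.Value -Type DWord
}

# --- 3. Show what is now in effect -------------------------------------------
Get-NetFirewallRule -DisplayName 'VPN-*' |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
Get-ItemProperty -Path $TsPolicy |
    Select-Object fDisableCdm, fDisableClip, fDisableCpm, fDisableCcm, fDisableLPT, fDisablePNPRedir
```

To check the result from a machine in the VPN pool, `Test-NetConnection -ComputerName <desktop> -Port 3389` should succeed while the same call with `-Port 445` should fail, and inside a new RDP session `\\tsclient\C` should not be reachable. Answer 2's caveat still holds: none of this stops someone who is already on the desktop from emailing a file out, and a photographed screen (answer 6) is beyond any of these controls.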
  12. There are some appliances out there that can do much more, such as F5 and Cisco VPN systems. These allow detection of an antivirus system that is up to date. So basically if there is a user with antivirus software older than 30 days they will not be allowed to connect. This also comes with a firewall which is installed on the client. If the user does not have this firewall it will not be able to connect. So in short, users connecting through VPN need:
    1. Antivirus with updated definitions not older than 30 days
    2. To have the firewall active
    3. We use RSA for authentication
    4. Network authentication

    P
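The conditions in the answer above, written as a client-side check (an added PowerShell example, not from the thread or from any F5 or Cisco product). `Test-EndpointPosture` is a name invented here; it uses `Get-MpComputerStatus` and `Get-NetFirewallProfile`, so it assumes Windows 10/Server 2016 or later with Windows Defender as the antivirus engine. Third-party AV products expose their state differently, and the RSA and network authentication items are the VPN gateway's job, which a script on the client cannot verify. A script the user runs on their own machine enforces nothing; what this shows is what an endpoint agent on the VPN appliance verifies before it admits the tunnel.

```powershell
# Added example, not code from the original thread. Function name and the
# 30-day limit are illustrative choices, not an appliance's actual policy.
function Test-EndpointPosture {
    param(
        [int]$MaxSignatureAgeDays = 30   # answer 12's "not older than 30 days"
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Antivirus: engine on, real-time protection on, signatures fresh enough.
    # Get-MpComputerStatus is the Windows Defender cmdlet; it throws where
    # Defender is absent, which is itself a failed check.
    try {
        $av = Get-MpComputerStatus -ErrorAction Stop
        if (-not $av.AntivirusEnabled)          { $reasons.Add('antivirus engine is disabled') }
        if (-not $av.RealTimeProtectionEnabled) { $reasons.Add('real-time protection is off') }
        if ($av.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $reasons.Add("signatures are $($av.AntivirusSignatureAge) days old (limit $MaxSignatureAgeDays)")
        }
    } catch {
        $reasons.Add('cannot query Windows Defender status: ' + $_.Exception.Message)
    }

    # Firewall: every profile (Domain, Private, Public) must be on, because the
    # VPN adapter may be classified into any of them. Enabled is a GpoBoolean
    # (True/False/NotConfigured), so compare as a string rather than with -not.
    $off = Get-NetFirewallProfile |
        Where-Object { [string]$_.Enabled -ne 'True' } |
        Select-Object -ExpandProperty Name
    if ($off) { $reasons.Add('firewall disabled for profile(s): ' + ($off -join ', ')) }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons
        CheckedAt = Get-Date
    }
}

# Usage: non-zero exit makes the result usable from a logon script or wrapper
# that decides whether to start the VPN client at all.
$posture = Test-EndpointPosture -MaxSignatureAgeDays 30
if ($posture.Compliant) {
    'Posture OK: client meets the antivirus and firewall requirements.'
} else {
    'Posture FAILED:'
    $posture.Reasons | ForEach-Object { "  - $_" }
    exit 1
}
```

The check deliberately treats "cannot tell" as a failure: a home machine where the AV status cannot be read is exactly the case the original question worried about, and an admission decision should default to deny rather than assume the client is clean.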