Remote Desktop thru VPN and Network Security

TJM

Distinguished
Dec 2, 2003
85
0
18,630
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.terminal_services,microsoft.public.windowsxp.security_admin (More info?)

I want my users to have access to there desktop computers from home. For
security reasons we currently allow our notebook users access through VPN.
The current policy is you have to use company equipment that is part of our
domain. Management now wants everyone to have access to there computer from
home. The issue with this is that it allows users the ability to access
corparate data from out of the office. What I want to do is limit what they
are allowed to do on the network after connecting with VPN. I want them to
only be able to use Remote Desktop to access the network. We don't want them
coping files to there local systems.

Is there a way of doing this in the Windows VPN client? What happens if the
employees home computer has a virus of is not using a firewall? What other
security issues should I consider doing this.

Tim M
 
G

Guest

Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windowsxp.security_admin,microsoft.public.windows.terminal_services (More info?)

If you are using IPSec VPN, virtually all resources will be available unless
additional security measures are put in place e.g. perimeter firewall
filtering other ports except RDP 3389, using RAS Access Policy to control
access, IPSec filtering, etc.

Hope this helps. Thanks!


"TJM" wrote:

> I want my users to have access to there desktop computers from home. For
> security reasons we currently allow our notebook users access through VPN.
> The current policy is you have to use company equipment that is part of our
> domain. Management now wants everyone to have access to there computer from
> home. The issue with this is that it allows users the ability to access
> corparate data from out of the office. What I want to do is limit what they
> are allowed to do on the network after connecting with VPN. I want them to
> only be able to use Remote Desktop to access the network. We don't want them
> coping files to there local systems.
>
> Is there a way of doing this in the Windows VPN client? What happens if the
> employees home computer has a virus of is not using a firewall? What other
> security issues should I consider doing this.
>
> Tim M
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.terminal_services,microsoft.public.windowsxp.security_admin (More info?)

You would have to make the VPN Client that are incomming be part of a
separate subnet. Then you setup ACLs on the LAN Router between them and the
rest of the network to limit what they can do. The LAN router in this
situation may also be the VPN Router, which may also be the NAT Device.

However you will never make this truely secure. They will always be able to
do anything using the "work" machine that they could always do when sitting
at there desk, like email anything (including file attachments) anywhere
they want. The fact that they may be physically sitting at home is
irrelevant.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com



"TJM" <tjmurad@hotmail.com> wrote in message
news:%23fTzRrM$EHA.3700@tk2msftngp13.phx.gbl...
> I want my users to have access to there desktop computers from home. For
> security reasons we currently allow our notebook users access through VPN.
> The current policy is you have to use company equipment that is part of
our
> domain. Management now wants everyone to have access to there computer
from
> home. The issue with this is that it allows users the ability to access
> corparate data from out of the office. What I want to do is limit what
they
> are allowed to do on the network after connecting with VPN. I want them to
> only be able to use Remote Desktop to access the network. We don't want
them
> coping files to there local systems.
>
> Is there a way of doing this in the Windows VPN client? What happens if
the
> employees home computer has a virus of is not using a firewall? What other
> security issues should I consider doing this.
>
> Tim M
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.terminal_services,microsoft.public.windowsxp.security_admin (More info?)

And yes you do have to worry about worms, virus, and hackers. I will not
allow users to connect with our vpn unless it is a corporate computer that i
have personally configured. I know of no way of preventing them from copying
files to the local computer, unless you can do some creative port blocking
like maybe 137,138 udp 139 tcp, and 445 tcp.
"TJM" <tjmurad@hotmail.com> wrote in message
news:%23fTzRrM$EHA.3700@tk2msftngp13.phx.gbl...
> I want my users to have access to there desktop computers from home. For
> security reasons we currently allow our notebook users access through VPN.
> The current policy is you have to use company equipment that is part of
our
> domain. Management now wants everyone to have access to there computer
from
> home. The issue with this is that it allows users the ability to access
> corparate data from out of the office. What I want to do is limit what
they
> are allowed to do on the network after connecting with VPN. I want them to
> only be able to use Remote Desktop to access the network. We don't want
them
> coping files to there local systems.
>
> Is there a way of doing this in the Windows VPN client? What happens if
the
> employees home computer has a virus of is not using a firewall? What other
> security issues should I consider doing this.
>
> Tim M
>
>
 

GadgetGuy

Distinguished
Mar 26, 2003
3
0
18,510
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windowsxp.security_admin,microsoft.public.windows.terminal_services (More info?)

We are using an SSL VPN solution to enable users to connect from home. We do
not allow drive mappings of the users home machine. This works great and
sofar the users like the ability of being able to connect from anywhere! No
worries about ports not being available, port 443 is accessible from anywhere.



"TJM" wrote:

> I want my users to have access to there desktop computers from home. For
> security reasons we currently allow our notebook users access through VPN.
> The current policy is you have to use company equipment that is part of our
> domain. Management now wants everyone to have access to there computer from
> home. The issue with this is that it allows users the ability to access
> corparate data from out of the office. What I want to do is limit what they
> are allowed to do on the network after connecting with VPN. I want them to
> only be able to use Remote Desktop to access the network. We don't want them
> coping files to there local systems.
>
> Is there a way of doing this in the Windows VPN client? What happens if the
> employees home computer has a virus of is not using a firewall? What other
> security issues should I consider doing this.
>
> Tim M
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.terminal_services,microsoft.public.windowsxp.security_admin (More info?)

On Mon, 17 Jan 2005 14:29:07 -0500, "TJM" <tjmurad@hotmail.com> wrote:

>I want my users to have access to there desktop computers from home. For
>security reasons we currently allow our notebook users access through VPN.
>The current policy is you have to use company equipment that is part of our
>domain. Management now wants everyone to have access to there computer from
>home. The issue with this is that it allows users the ability to access
>corparate data from out of the office. What I want to do is limit what they
>are allowed to do on the network after connecting with VPN.

For me it seems easier to restrict what they can do by giving only
access over a RDP-connection to their desktop computers in the office
instead of a full VPN-access. At least the simple terminal server I`m
using in my small LAN
(http://www.thinsoftinc.com/products_winconserver_info.html) allows
restricting of mounting of harddisks at the terminal client. So direct
copying of files between the home computer and office computer becomes
impossible.
Have a look at https://www.gotomypc.com/. It`s a web based service by
Citrix for personal use, small enterprises and corporations. I like
their restrictive passwords which are possible (one time passwords
list). Perhaps it`s a way letting your users use their PCs in the
office only as a terminal client before switching office
infrastructure to a terminal server.

Regards

Michael (not a computer professional)
 
G

Guest

Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.terminal_services,microsoft.public.windowsxp.security_admin (More info?)

On Mon, 17 Jan 2005 22:38:23 -0000, "Robert Moir"
<robspamtrap+msnews@gmail.com> wrote:

>But
>not impossible - if you told me that I couldn't copy documents direct from
>your server to my home machine, yet allowed me VPN/Terminal Services access
>via my desktop machine I could steal data from those documents just by
>opening them and copying and pasting, and you'd never know.

It is possible to block the clipboard for this use (on a terminal
server).
Of course one still could fotograph the monitor at the client, then
some OCR...

Best Regards

Michael
 
G

Guest

Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windowsxp.security_admin,microsoft.public.windows.terminal_services (More info?)

"GadgetGuy" <GadgetGuy@discussions.microsoft.com> wrote in message
news:94DF4630-BE45-44B6-B24A-8A5E4C1B6ED8@microsoft.com...
> We are using an SSL VPN solution to enable users to connect from home. We
do
> not allow drive mappings of the users home machine. This works great and
> sofar the users like the ability of being able to connect from anywhere!
No
> worries about ports not being available, port 443 is accessible from
anywhere.

Just how do you prevent them from mapping a drive? What difference does it
make anyway? Mapping Drives are a thing from the ancient past and there is
not any kind of access that requires a drive letter be mapped.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 

GadgetGuy

Distinguished
Mar 26, 2003
3
0
18,510
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windowsxp.security_admin,microsoft.public.windows.terminal_services (More info?)

We prevent the mapping of a drive by configuring the SSL VPN box to not allow
this, also we do not permit this from the server.




"Phillip Windell" wrote:

> "GadgetGuy" <GadgetGuy@discussions.microsoft.com> wrote in message
> news:94DF4630-BE45-44B6-B24A-8A5E4C1B6ED8@microsoft.com...
> > We are using an SSL VPN solution to enable users to connect from home. We
> do
> > not allow drive mappings of the users home machine. This works great and
> > sofar the users like the ability of being able to connect from anywhere!
> No
> > worries about ports not being available, port 443 is accessible from
> anywhere.
>
> Just how do you prevent them from mapping a drive? What difference does it
> make anyway? Mapping Drives are a thing from the ancient past and there is
> not any kind of access that requires a drive letter be mapped.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
>
 
G

Guest

Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windowsxp.security_admin,microsoft.public.windows.terminal_services (More info?)

"GadgetGuy" <GadgetGuy@discussions.microsoft.com> wrote in message
news:FB8EA793-9BCA-44ED-B06E-49CBFD592C3F@microsoft.com...
> We prevent the mapping of a drive by configuring the SSL VPN box to not
allow
But how? What exactly do you block that is going to stop drive mappings
without stopping a whole bunch of other stuff?

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
 
G

Guest

Guest
Archived from groups: microsoft.public.security,microsoft.public.win2000.security,microsoft.public.windows.terminal_services,microsoft.public.windowsxp.security_admin (More info?)

You can use Remote Access Policies to configure exactly what users can
access via their VPN connection. If you create a policy you can then edit
the profile and it the IP section configure the input and output filters to
allow traffic only from and to port 3389 [ RDP] for the VPN client you want
to
restrict. You can have multiple policies and configure them with groups as a
condition if you want to give different groups different access. When you
use multiple policies always list specific policies first and then the
general ones as the first policy that a VPN client matches will apply to
that user.

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_rap_elements.htm
-- info on Remote Access Policies

Keep in mind that Remote Desktop Users can by default use drive redirection
to manipulate files during their RD session. That could be a risk for virus
infection if users are copying files back and forth between computers. I
believe you can disable that at the computer level with Group Policy. There
is no RDP Group Policy per se but I think that the pertinent Group Policy
settings for Terminal Services also apply to an XP Pro computer for RDP
where you can disable drive redirection and such. You would have to test
that out to be sure. Those settings are under computer
configuration/administrative templates/Windows components/Terminal Services
and you would want to apply them to the lan computers that the users will be
accessing via RDP. The first link below refers to using Group Policy to
manage RDP access as an example.

http://support.microsoft.com/?kbid=306300

Users using a VPN that may have compromised computers is a real concern.
Keeping your network computers patched with current critical updates, using
an AV that also monitors for malicious activity in the background and keeps
itself current with virus signatures, general hardening of the operating
system such as disabling uneeded services, and enforcing complex passwords
for domain and local accounts, will go a long way to mitigating that risk.
Beyond that you would have to look into using network access quarantine
which is a fairly complex topic that also may require extra expense in
hardware. The link below explains that in more detail if interested. ---
Steve

http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

"TJM" <tjmurad@hotmail.com> wrote in message
news:%23fTzRrM$EHA.3700@tk2msftngp13.phx.gbl...
>I want my users to have access to there desktop computers from home. For
>security reasons we currently allow our notebook users access through VPN.
>The current policy is you have to use company equipment that is part of our
>domain. Management now wants everyone to have access to there computer from
>home. The issue with this is that it allows users the ability to access
>corparate data from out of the office. What I want to do is limit what they
>are allowed to do on the network after connecting with VPN. I want them to
>only be able to use Remote Desktop to access the network. We don't want
>them coping files to there local systems.
>
> Is there a way of doing this in the Windows VPN client? What happens if
> the employees home computer has a virus of is not using a firewall? What
> other security issues should I consider doing this.
>
> Tim M
>
>
 

pgrec

Distinguished
Mar 19, 2009
1
0
18,510
There are some appliances out there that can do much more such has F5 and Cisco VPN systems. These allow detection of antivirus system that is up to date. So basically if there is a user with a antivirus software older then 30days they will not be allowed to connect. This also comes with a firewall which is installed ont he client. If the user does not have this firewall it will not be able to connect. So in a short plot, users connecting through vpn need
1. Antivirus with an updated diffinition not older then 30days
2. Need to have the firewall active
3. We use RSA to get authentification
4. need network authentification

P