Remote Desktop thru VPN and Network Security

TJM

I want my users to have access to their desktop computers from home. For
security reasons we currently allow our notebook users access through VPN.
The current policy is you have to use company equipment that is part of our
domain. Management now wants everyone to have access to their computer from
home. The issue with this is that it allows users the ability to access
corporate data from out of the office. What I want to do is limit what they
are allowed to do on the network after connecting with VPN. I want them to
only be able to use Remote Desktop to access the network. We don't want them
copying files to their local systems.

Is there a way of doing this in the Windows VPN client? What happens if the
employee's home computer has a virus or is not using a firewall? What other
security issues should I consider when doing this?

Tim M
 
Guest

If you are using an IPSec VPN, virtually all resources will be available unless
additional security measures are put in place, e.g. perimeter firewall
filtering all ports except RDP 3389, using RAS Access Policy to control
access, IPSec filtering, etc.

Hope this helps. Thanks!
 
Phillip Windell

You would have to make the VPN clients that are incoming part of a
separate subnet. Then you set up ACLs on the LAN router between them and the
rest of the network to limit what they can do. The LAN router in this
situation may also be the VPN router, which may also be the NAT device.

However, you will never make this truly secure. They will always be able to
do anything using the "work" machine that they could always do when sitting
at their desk, like email anything (including file attachments) anywhere
they want. The fact that they may be physically sitting at home is
irrelevant.
 
Eugene Taylor

And yes, you do have to worry about worms, viruses, and hackers. I will not
allow users to connect with our VPN unless it is a corporate computer that I
have personally configured. I know of no way of preventing them from copying
files to the local computer, unless you can do some creative port blocking,
like maybe 137 and 138 UDP, 139 TCP, and 445 TCP.
 
Robert Moir

TJM said:
I want my users to have access to their desktop computers from home.
For security reasons we currently allow our notebook users access
through VPN. The current policy is you have to use company equipment
that is part of our domain. Management now wants everyone to have
access to their computer from home. The issue with this is that it
allows users the ability to access corporate data from out of the
office. What I want to do is limit what they are allowed to do on the
network after connecting with VPN. I want them to only be able to use
Remote Desktop to access the network. We don't want them copying files
to their local systems.
Is there a way of doing this in the Windows VPN client? What happens
if the employee's home computer has a virus or is not using a
firewall? What other security issues should I consider when doing this?

You have to understand that by allowing VPN access at all, you are giving up
some measure of "security" in exchange for allowing people to work at home.
Accepting this, we can go on to think about how to deal with the risks that
arise.

I would consider having a separate network for the VPN clients to connect
and authenticate to, separated from your main LAN by some kind of
firewall/filter that will allow you some control over what passes through.
At this choke point you can then restrict the dialled-in VPN users from
passing any traffic to/from the local LAN except for your allowed exceptions
(terminal services in this case).

This should also mitigate against viruses from an infected home machine
attacking your internal corporate LAN, but will do nothing for the fact that
your users might be infected with keylogging and password-stealing trojans
that report everything they type back to the person that infected them.
Sorry, did you say we were dealing with confidential information here? Now
you see what I meant when I said that doing this at all means you accept
certain risks.

Firewalling the VPN connections away from your main LAN also isolates what
the users can do to a degree, and makes it difficult for them or malware on
their machines to do things that you do not like, at least by mistake. But
not impossible - if you told me that I couldn't copy documents direct from
your server to my home machine, yet allowed me VPN/Terminal Services access
via my desktop machine I could steal data from those documents just by
opening them and copying and pasting, and you'd never know.

The question is how real is that demand for restricting data flow outside
the corporation, and how far do you trust your user community? You might,
for example, trust them not to harm your company intentionally, but do you
trust them not to save their VPN password on the machine for convenience,
inadvertently allowing their inquisitive and troublesome 12-year-old kid
access to your network (and please let's not pretend the average user's
choice of password is much help here)?

 
Michael Logies

TJM said:
I want my users to have access to their desktop computers from home. For
security reasons we currently allow our notebook users access through VPN.
The current policy is you have to use company equipment that is part of our
domain. Management now wants everyone to have access to their computer from
home. The issue with this is that it allows users the ability to access
corporate data from out of the office. What I want to do is limit what they
are allowed to do on the network after connecting with VPN.

For me it seems easier to restrict what they can do by giving only
access over an RDP connection to their desktop computers in the office
instead of full VPN access. At least the simple terminal server I'm
using in my small LAN
(http://www.thinsoftinc.com/products_winconserver_info.html) allows
restricting the mounting of hard disks at the terminal client. So direct
copying of files between the home computer and office computer becomes
impossible.
Have a look at https://www.gotomypc.com/. It's a web-based service by
Citrix for personal use, small enterprises and corporations. I like
the restrictive passwords that are possible (one-time password
list). Perhaps it's a way of letting your users use their PCs in the
office only as a terminal client before switching office
infrastructure to a terminal server.

Regards

Michael (not a computer professional)
 
Michael Logies

Robert Moir said:
But not impossible - if you told me that I couldn't copy documents direct from
your server to my home machine, yet allowed me VPN/Terminal Services access
via my desktop machine I could steal data from those documents just by
opening them and copying and pasting, and you'd never know.

It is possible to block the clipboard for this use (on a terminal
server).
Of course, one could still photograph the monitor at the client, then
some OCR...

Best Regards

Michael
 
Guest

We are using an SSL VPN solution to enable users to connect from home. We do
not allow drive mappings of the user's home machine. This works great and
so far the users like the ability of being able to connect from anywhere! No
worries about ports not being available; port 443 is accessible from anywhere.
 
Phillip Windell

GadgetGuy said:
We are using an SSL VPN solution to enable users to connect from home. We do
not allow drive mappings of the user's home machine. This works great and
so far the users like the ability of being able to connect from anywhere! No
worries about ports not being available; port 443 is accessible from
anywhere.

Just how do you prevent them from mapping a drive? What difference does it
make anyway? Mapping drives is a thing from the ancient past, and there is
not any kind of access that requires a drive letter to be mapped.
 
Robert Moir

Michael said:
It is possible to block the clipboard for this use (on a terminal
server).
Of course one still could fotograph the monitor at the client, then
some OCR...

Exactly - by opening this channel at all, one has to accept that we're
increasing our risk.
 
Guest

We prevent the mapping of a drive by configuring the SSL VPN box to not allow
this; also, we do not permit this from the server.
 
Phillip Windell

GadgetGuy said:
We prevent the mapping of a drive by configuring the SSL VPN box to not allow

But how? What exactly do you block that is going to stop drive mappings
without stopping a whole bunch of other stuff?
 
Steven L Umbach

You can use Remote Access Policies to configure exactly what users can
access via their VPN connection. If you create a policy you can then edit
the profile and in the IP section configure the input and output filters to
allow traffic only from and to port 3389 [RDP] for the VPN clients you want to
restrict. You can have multiple policies and configure them with groups as a
condition if you want to give different groups different access. When you
use multiple policies, always list specific policies first and then the
general ones, as the first policy that a VPN client matches will apply to
that user.

http://www.microsoft.com/windows200...ndows2000/en/server/help/sag_rap_elements.htm
-- info on Remote Access Policies

Keep in mind that Remote Desktop users can by default use drive redirection
to manipulate files during their RD session. That could be a risk for virus
infection if users are copying files back and forth between computers. I
believe you can disable that at the computer level with Group Policy. There
is no RDP Group Policy per se, but I think that the pertinent Group Policy
settings for Terminal Services also apply to an XP Pro computer for RDP,
where you can disable drive redirection and such. You would have to test
that out to be sure. Those settings are under Computer
Configuration/Administrative Templates/Windows Components/Terminal Services,
and you would want to apply them to the LAN computers that the users will be
accessing via RDP. The first link below refers to using Group Policy to
manage RDP access as an example.

http://support.microsoft.com/?kbid=306300

Users using a VPN who may have compromised computers is a real concern.
Keeping your network computers patched with current critical updates, using
an AV that also monitors for malicious activity in the background and keeps
itself current with virus signatures, general hardening of the operating
system such as disabling unneeded services, and enforcing complex passwords
for domain and local accounts, will go a long way to mitigating that risk.
Beyond that you would have to look into using network access quarantine
which is a fairly complex topic that also may require extra expense in
hardware. The link below explains that in more detail if interested. ---
Steve

http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx
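Added example, not code from this thread or from any poster: the controls discussed above (restricting VPN clients to TCP 3389 as Phillip, Robert and Steve describe, and disabling drive and clipboard redirection as Steve, Michael and GadgetGuy discuss) applied on the office desktop itself, as defence in depth behind the choke-point ACLs or RAS policy filters. It assumes a modern Windows host (Windows 8.1/Server 2012 R2 or later, which ships the NetSecurity module), an elevated PowerShell session, and a hypothetical VPN client address pool of 10.10.99.0/24; every name and address in it is an assumption for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Hardens a desktop that VPN users will
# reach over Remote Desktop: host firewall limits the VPN subnet to RDP only,
# and the Remote Desktop redirection channels (drives, clipboard, printers,
# ports) are switched off through the same registry values the Terminal
# Services Group Policy settings write.

$VpnSubnet = '10.10.99.0/24'   # assumption: the separate subnet handed out to VPN clients

# Policy values read by the Remote Desktop service. 1 = that channel is disabled.
$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Redirection = [ordered]@{
    fDisableCdm  = 1   # client drive redirection (the "drive mapping" in the thread)
    fDisableClip = 1   # clipboard redirection (no copy/paste out of the session)
    fDisableCpm  = 1   # client printer redirection
    fDisableLPT  = 1   # LPT port redirection
    fDisableCcm  = 1   # COM port redirection
}

# Block rules take precedence over allow rules in Windows Firewall, so the
# blocks must be port-specific: a blanket "block everything from the VPN
# subnet" rule would also kill RDP. The blocked ports are the SMB/NetBIOS
# ports Eugene listed, which is what a direct file copy over the VPN would use.
$VpnRules = @(
    @{ Name = 'VPN-Allow-RDP';     Action = 'Allow'; Protocol = 'TCP'; Port = '3389'    }
    @{ Name = 'VPN-Block-SMB';     Action = 'Block'; Protocol = 'TCP'; Port = '445'     }
    @{ Name = 'VPN-Block-NetBIOS'; Action = 'Block'; Protocol = 'TCP'; Port = '139'     }
    @{ Name = 'VPN-Block-NBNS';    Action = 'Block'; Protocol = 'UDP'; Port = '137-138' }
)

function Set-RdpRedirectionPolicy {
    if (-not (Test-Path $TsPolicyKey)) { New-Item -Path $TsPolicyKey -Force | Out-Null }
    foreach ($name in $Redirection.Keys) {
        New-ItemProperty -Path $TsPolicyKey -Name $name -PropertyType DWord `
            -Value $Redirection[$name] -Force | Out-Null
    }
}

function Set-VpnFirewallRules {
    param([string]$RemoteSubnet)
    foreach ($r in $VpnRules) {
        # Recreate each rule so the script can be re-run safely.
        Remove-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action $r.Action `
            -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $RemoteSubnet | Out-Null
    }
}

function Test-RdpHardening {
    # Returns one object with a True/False property per control, for auditing
    # a fleet of desktops after the settings have been pushed out.
    $result = [ordered]@{}
    $props = Get-ItemProperty -Path $TsPolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $Redirection.Keys) { $result[$name] = ($props.$name -eq 1) }
    foreach ($r in $VpnRules) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
        $result[$r.Name] = ($null -ne $rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq $r.Action)
    }
    [pscustomobject]$result
}

Set-RdpRedirectionPolicy
Set-VpnFirewallRules -RemoteSubnet $VpnSubnet
Test-RdpHardening | Format-List
```

For more than a handful of machines the redirection settings are better pushed by Group Policy (on current Windows they live under Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection, the successor of the Terminal Services node Steve names), with Test-RdpHardening used only to audit the result. Note what this does and does not close: it stops the VPN client from reaching shares directly and removes the drive and clipboard channels of the RDP session, but, as Robert and Michael point out, a user who can see a document on screen can still retype it or photograph it, and a keylogger on the home PC still captures the VPN and domain passwords.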
 