Re: Remote Desktop thru VPN and Network Security

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/21/05

    Date: Fri, 21 Jan 2005 02:38:53 -0600
    
    

    You can use Remote Access Policies to configure exactly what users can
    access via their VPN connection. If you create a policy you can then edit
    the profile and in the IP section configure the input and output filters to
    allow traffic only from and to port 3389 [RDP] for the VPN client you want
    to restrict. You can have multiple policies and configure them with groups
    as a condition if you want to give different groups different access. When
    you use multiple policies always list specific policies first and then the
    general ones as the first policy that a VPN client matches will apply to
    that user.

    http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_rap_elements.htm
    -- info on Remote Access Policies

    Keep in mind that Remote Desktop Users can by default use drive redirection
    to manipulate files during their RD session. That could be a risk for virus
    infection if users are copying files back and forth between computers. I
    believe you can disable that at the computer level with Group Policy. There
    is no RDP Group Policy per se but I think that the pertinent Group Policy
    settings for Terminal Services also apply to an XP Pro computer for RDP
    where you can disable drive redirection and such. You would have to test
    that out to be sure. Those settings are under computer
    configuration/administrative templates/Windows components/Terminal Services
    and you would want to apply them to the LAN computers that the users will be
    accessing via RDP. The first link below refers to using Group Policy to
    manage RDP access as an example.

    http://support.microsoft.com/?kbid=306300

    Users using a VPN that may have compromised computers is a real concern.
    Keeping your network computers patched with current critical updates, using
    an AV that also monitors for malicious activity in the background and keeps
    itself current with virus signatures, general hardening of the operating
    system such as disabling unneeded services, and enforcing complex passwords
    for domain and local accounts, will go a long way to mitigating that risk.
    Beyond that you would have to look into using network access quarantine
    which is a fairly complex topic that also may require extra expense in
    hardware. The link below explains that in more detail if interested. ---
    Steve

    http://www.microsoft.com/windowsserver2003/techinfo/overview/quarantine.mspx

    "TJM" <tjmurad@hotmail.com> wrote in message
    news:%23fTzRrM$EHA.3700@tk2msftngp13.phx.gbl...
    >I want my users to have access to their desktop computers from home. For
    >security reasons we currently allow our notebook users access through VPN.
    >The current policy is you have to use company equipment that is part of our
    >domain. Management now wants everyone to have access to their computer from
    >home. The issue with this is that it allows users the ability to access
    >corporate data from out of the office. What I want to do is limit what they
    >are allowed to do on the network after connecting with VPN. I want them to
    >only be able to use Remote Desktop to access the network. We don't want
    >them copying files to their local systems.
    >
    > Is there a way of doing this in the Windows VPN client? What happens if
    > the employee's home computer has a virus or is not using a firewall? What
    > other security issues should I consider doing this?
    >
    > Tim M
    >
    >
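
The policy-ordering advice in the reply above, as an added example that is not part of the original thread: a simplified Python model of first-match policy evaluation (not RRAS's own implementation) that shows how a general policy listed first defeats an RDP-only filter, plus a check that flags policies which can never apply. The policy names and group names are constructed for illustration.

```python
from dataclasses import dataclass

RDP_PORT = 3389

@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset      # condition; empty set = matches any user
    tcp_ports: frozenset   # profile IP filter; empty set = no filtering

def effective_policy(policies, user_groups):
    """Return the first policy whose condition matches; later ones are never consulted."""
    for p in policies:
        if not p.groups or p.groups & user_groups:
            return p
    return None  # no matching policy: the connection is refused

def traffic_allowed(policies, user_groups, dst_port):
    p = effective_policy(policies, user_groups)
    if p is None:
        return False
    return not p.tcp_ports or dst_port in p.tcp_ports

def shadowed(policies):
    """List (policy, earlier_policy) pairs where the earlier one matches every
    user the later one would, so the later policy can never apply."""
    found = []
    for i, p in enumerate(policies):
        for earlier in policies[:i]:
            if not earlier.groups or (p.groups and p.groups <= earlier.groups):
                found.append((p.name, earlier.name))
                break
    return found

# Constructed sample policies and group names.
RDP_ONLY = Policy("RDP only", frozenset({"Home-RDP-Users"}), frozenset({RDP_PORT}))
GENERAL = Policy("General VPN", frozenset(), frozenset())
GOOD_ORDER = [RDP_ONLY, GENERAL]
BAD_ORDER = [GENERAL, RDP_ONLY]

if __name__ == "__main__":
    home_user = frozenset({"Home-RDP-Users", "Domain Users"})
    for label, order in (("specific first", GOOD_ORDER), ("general first", BAD_ORDER)):
        print(label, "| SMB 445 allowed:", traffic_allowed(order, home_user, 445),
              "| shadowed:", shadowed(order))
```
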

