Also, change the default port for RDP, require encryption (that's also a group
policy), use an ssh tunnel if you can.
Here's a web page I found:
http://www.mobydisk.com/techres/securing_remote_desktop.html
----- Original Message ----
From: Dave Spillers <DSpillers@centiv.com>
To: Petter Bruland <pbruland@fcglv.com>; jenna <jennasec-focus@yahoo.co.uk>;
security-basics@securityfocus.com
Sent: Friday, January 18, 2008 3:12:48 PM
Subject: RE: Remote desktop access policy
I also have my users connecting and using the RDP, for very similar
reasons. I also have users that are remote offices with different
network/subnets Ie. We may be 192.168.1.X and they are 192.168.2.X and
they can not RDP to us. There is a spot to enter the subnets that are
allowed to RDP to systems on the 1.x but I can't remember where.
I
know
I changed it at one point to add one of the remote offices but cant
remember now where. I thought it was a group policy but cant find that
any help jogging my memory would be GREAT!
David S
-----Original Message-----
From:
listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]
On Behalf Of Petter Bruland
Sent: Friday, January 18, 2008 12:16 PM
To: jenna; security-basics@securityfocus.com
Subject: RE: Remote desktop access policy
The issue with that is that "important" people can't wait for a large
file to transfer to their home PC, in order for them to work on it.
Working via RDC is a faster and better solution for them.
And when you do work from home in the evening/morning, you can
disconnect when you're done, then when you get to the office and log in
everything is where you left it. Well, except the days when we roll out
Windows updates.
Plus if a firewall/VPN setup is configured to only allow RDC traffic, I
would think that's better than allowing full/partial direct
server.
Also
with a semi locked down VPN connection only allowing RDC, I would think
that the importance of a "clean" end-user machine isn't as important as
if they had more access.
-Petter
-----Original Message-----
From:
listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]
On Behalf Of jenna
Sent: Friday, January 18, 2008 9:10 AM
To: security-basics@securityfocus.com
Subject: Re: Remote desktop access policy
Hi
My main concern would be why they requre access to their desktop.
Anything to do with the business should be on a file server to
ensure
it
gets backed up. Users would then only need access to the server thus
negating the need to leave their desktops left on.
If you allow any access to your network, ensure you have a tool in
place to check that their home machine has an updated AV as well as MS
updates. Users will also be able to copy files to their home
machine
so
ensure this is covered by the policy and ensure everybody is aware
-
you
could ask people to sign a form acknowledging this.
Jenna
----- Original Message ----
From: WALI
To: security-basics@securityfocus.com
Sent: Friday, 18 January, 2008 1:33:18 PM
Subject: Remote desktop access policy
Hi guys...do you have any remote desktop policy clauses that you can
share?
I am having difficulties in trying to tell people the hazards of
haphazardly asking IT guys the perils of asking access to
their
desktops
when the come in via VPN.
Everyone wants to have a VPN client and then to a remote
desktop
session
to their desktop.
How can I tell them the threats of doing so? Are there any threats?
Should I restrict such usage? For one, it makes a lot of economic sense
to switch off PC once a user leaves his/her desk for the day.
___________________________________________________________
Support the World Aids Awareness campaign this month with Yahoo! For
Good http://uk.promotions.yahoo.com/forgood/
