Remote Desktop risks through VPN

Guest
Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

At the moment we do not allow users to connect to their desktops via RDP when
they connect to the company network via VPN.

What risks are involved with allowing them? I know that the desktop admins
could snoop but what other risks are there?

Any help would be appreciated.
 
Guest

The risks are actually pretty minimal. The RDP protocol is encrypted, on top of your VPN connection. The worst that could happen is that users can map their local drives to the RD host. If they had a viral or other type of malware infection, it could possibly be spread that way, but since they're already VPN'd in, and probably have access to LAN resources, it's really a non-issue.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

"The Frustrated Monk" <TheFrustratedMonk@discussions.microsoft.com> wrote in message news:3E946A74-3E06-4C86-9680-F5056760D782@microsoft.com...
> At the moment we do not allow users to connect to their desktops via RDP when
> they connect to the company network via VPN.
>
> What risks are involved with allowing them? I know that the desktop admins
> could snoop but what other risks are there?
>
> Any help would be appreciated.
 
Guest

In article <3E946A74-3E06-4C86-9680-F5056760D782@microsoft.com>,
TheFrustratedMonk@discussions.microsoft.com says...
> At the moment we do not allow users to connect to their desktops via RDP when
> they connect to the company network via VPN.
>
> What risks are involved with allowing them? I know that the desktop admins
> could snoop but what other risks are there?
>
> Any help would be appreciated.

We set up medical companies with VPN to a firewall appliance and then a
rule that permits RDP to the specific user's desktop only. The users
authenticate with the firewall (which does not authenticate with the
Domain) and then they can open a RD connection to their workstation and
only to their workstation.

When in a RD session remotely, their desktop is locked, so other users
can't see what is happening on their computer, and it's been safe so
far.


--
spam999free@rrohio.com
remove 999 in order to email me
 
Guest

In article <eXGo$ymhFHA.1948@TK2MSFTNGP12.phx.gbl>, dknox@mvps.org
says...
> The risks are actually pretty minimal. The RDP protocol is encrypted, on top of your VPN connection. The worst that could happen is that users can map their local drives to the RD host. If they had a viral or other type of malware infection, it could possibly be spread that way, but since they're already VPN'd in, and probably have access to LAN resources, its really a non-issue.

We've done a couple of RD setups like this and I would have rather had them
do it with VNC.

With the current solution we do a VPN to the firewall appliance, the
firewall appliance has a single rule per VPN user that limits them to a
specific IP:port inside the company network. With VNC we were able to
eliminate the sharing of local computer files/services with the remote
computer files/services, but with RD we've not been able to restrict
this at the local computer's desktop level.

With users running as local Users they can't change the VNC passwords
and since it only needs a specific port, we don't have to worry about a
virus/compromised service on their home computer reaching the company
network as they don't ride the custom port we've set up.

--
spam999free@rrohio.com
remove 999 in order to email me
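The two concrete risks raised in this thread are the remote client mapping its local drives (and clipboard, printers, ports) into the session, and the RDP listener being reachable from more of the VPN than the one user's workstation. Both can be closed on the RD host itself rather than at the client: Windows honours the Terminal Services policy registry values (`fDisableCdm` and friends, the same values the "Do not allow drive redirection" Group Policy writes) regardless of what the connecting client asks for, and the host firewall can restrict TCP/3389 to the VPN client's address. The script below is an added example written for this page, not code from any poster. It assumes a current Windows host with the NetSecurity module (not the XP-era systems discussed) and elevated rights; the VPN client address 10.8.0.5, the rule name 'RDP from VPN client only', and the function names are illustrative choices.

```powershell
# Added example (not from the thread). Hardens a workstation that will be
# reached over RDP from a VPN client: disables client device redirection via
# the Terminal Services policy values, and scopes inbound RDP to one address.
# Assumes a current Windows host with the NetSecurity module and an elevated
# session. 10.8.0.5 is an assumed example VPN client address.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy values that stop the remote client from mapping its local resources
# into the session. A value of 1 disables that redirection channel.
$RedirectionPolicies = [ordered]@{
    fDisableCdm      = 1   # client drives
    fDisableClip     = 1   # clipboard
    fDisableCpm      = 1   # client printers
    fDisableCcm      = 1   # COM ports
    fDisableLPT      = 1   # LPT ports
    fDisablePNPRedir = 1   # Plug and Play devices
}

function Set-RdpRedirectionPolicy {
    # Write each policy value; New-ItemProperty -Force overwrites an existing one.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in $RedirectionPolicies.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $RedirectionPolicies[$name] -Force | Out-Null
    }
}

function Test-RdpRedirectionPolicy {
    # Returns the names of any redirection channels not disabled by policy.
    $open = @()
    foreach ($name in $RedirectionPolicies.Keys) {
        $v = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        if ($v -ne 1) { $open += $name }
    }
    return $open
}

function Set-RdpInboundScope {
    param([Parameter(Mandatory)][string[]]$AllowedRemoteAddress)
    # Disable the broad built-in Remote Desktop allow rules and replace them
    # with one rule that accepts TCP/3389 only from the listed address(es),
    # mirroring the per-user "specific IP:port" rule on the VPN firewall.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    if (Get-NetFirewallRule -DisplayName 'RDP from VPN client only' -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName 'RDP from VPN client only'
    }
    New-NetFirewallRule -DisplayName 'RDP from VPN client only' -Direction Inbound `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $AllowedRemoteAddress `
        -Action Allow -Profile Any | Out-Null
}

Set-RdpRedirectionPolicy
Set-RdpInboundScope -AllowedRemoteAddress '10.8.0.5'

# Verify: list anything still redirectable, then show the rule's address scope.
$stillOpen = Test-RdpRedirectionPolicy
if ($stillOpen.Count -eq 0) { 'All RDP client redirection channels are disabled by policy.' }
else { "Still permitted by policy: $($stillOpen -join ', ')" }
Get-NetFirewallRule -DisplayName 'RDP from VPN client only' | Get-NetFirewallAddressFilter
```

Because these are host-side policy values, a user on the remote PC cannot re-enable drive mapping from the mstsc "Local Resources" tab; the host simply refuses the virtual channel. The firewall rule does not replace the appliance rule described above, it just means a compromised VPN client that can reach the LAN still cannot reach this host's RDP port unless it also holds the expected VPN address.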