My answer to most things remote-access related is OpenVPN. Make the users establish the VPN connection, and tunnel whatever they need through that (don't allow any direct access to resources over the Internet). Tie OpenVPN authentication to your domain, add granular rules by user, and you have an answer. You can even let them keep their RDP autologin for now, and fight the desktop battle later. OpenVPN does require local admin rights on Windows (for now, they're working on solving that), but I bet your road warriors have admin rights on their systems.
Jack

On Wed, Aug 11, 2010 at 2:28 PM, Tyler Robinson <[email protected]> wrote:
> Alright so after failing a recent security audit, which I knew we would, I
> have a little bit of fire to allow me to make some corp changes, one of them
> being remote devices and policy. Currently there are mobile devices,
> unencrypted and with cheesy passwords, out on the road using unsecured RDP
> to connect back to our terminal server to use apps. My question is: what is
> going to be an easy-to-roll-out solution to make this situation secure? I
> worry that one of these devices will get stolen or sniffed, and the terminal
> server is on the LAN with the rest of everything; it's a flat domain... so
> how do I allow remote connections securely without allowing them to save
> their stupid RDP connection credentials (set to autologin) on an unpassworded
> desktop? Any ideas or suggestions? I have one year to plan, implement and
> change this broken system, over about 10 corps all related and set up the
> same....
>
> Thanks as always to everyone,
>
> TR
>
--
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
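The design Jack sketches above (every user comes in over OpenVPN, authentication is tied to the domain, and each user gets only the access they need) can be expressed as a small amount of server configuration plus a firewall keyed by user. The script below is an added example, not code from the thread or from the OpenVPN project. It assumes a Linux OpenVPN server with tunnel interface tun0 and pool 10.8.0.0/24, a PAM service named "login" that is backed by winbind or LDAP for the domain tie-in, and two constructed internal hosts: the terminal server at 192.168.1.10 and a web app at 192.168.1.20. The user names, addresses and the ACCESS_MAP are all constructed sample data. Each user is pinned to a fixed tunnel address through a client-config-dir file, which is what lets the iptables rules be written per user; everything not explicitly allowed is logged and dropped, so denied attempts show up in the audit trail.

```shell
#!/bin/sh
# Added example, not from the thread: per-user access control for an
# OpenVPN remote-access design. Assumptions (constructed): Linux server,
# tunnel interface tun0 with pool 10.8.0.0/24, PAM "login" backed by the
# domain, terminal server 192.168.1.10, web app 192.168.1.20.

TUN_IF="tun0"
CCD_DIR="/etc/openvpn/ccd"

# Constructed access map, one user per line:  user|tunnel-ip|host:port[,host:port]
ACCESS_MAP='alice|10.8.0.10|192.168.1.10:3389
bob|10.8.0.11|192.168.1.10:3389,192.168.1.20:443'

# server.conf directives relevant to the design (cert/key lines omitted).
server_conf() {
cat <<'EOF'
server 10.8.0.0 255.255.255.0
topology subnet
# Domain-tied auth: PAM "login" service, assumed to be backed by winbind/LDAP.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
# Every client must have a ccd file; certs without one are refused.
client-config-dir /etc/openvpn/ccd
ccd-exclusive
# Push only the internal route; resources are never exposed directly.
push "route 192.168.1.0 255.255.255.0"
EOF
}

# ccd file body for one user: a fixed tunnel address (requires "topology subnet").
ccd_entry() {
  echo "ifconfig-push $2 255.255.255.0"
}

# iptables commands allowing one user's tunnel address to reach only its
# listed host:port pairs; anything else falls through to LOG + DROP below.
rules_for_user() {
  user=$1; ip=$2; dests=$3
  echo "# $user"
  old_ifs=$IFS; IFS=','
  for d in $dests; do
    host=${d%:*}; port=${d##*:}
    echo "iptables -A VPN_FWD -i $TUN_IF -s $ip/32 -d $host/32 -p tcp --dport $port -j ACCEPT"
  done
  IFS=$old_ifs
}

# Whole forwarding policy: default deny, return traffic allowed, one chain
# for tunnel traffic, and a log line for every denied attempt.
firewall_script() {
  echo "iptables -P FORWARD DROP"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -N VPN_FWD 2>/dev/null || iptables -F VPN_FWD"
  echo "iptables -A FORWARD -i $TUN_IF -j VPN_FWD"
  printf '%s\n' "$ACCESS_MAP" | while IFS='|' read -r user ip dests; do
    rules_for_user "$user" "$ip" "$dests"
  done
  echo "iptables -A VPN_FWD -j LOG --log-prefix \"vpn-denied: \""
  echo "iptables -A VPN_FWD -j DROP"
}

# ccd files emitted as shell commands so the whole plan can be reviewed first.
ccd_script() {
  echo "mkdir -p $CCD_DIR"
  printf '%s\n' "$ACCESS_MAP" | while IFS='|' read -r user ip dests; do
    echo "echo '$(ccd_entry "$user" "$ip")' > $CCD_DIR/$user"
  done
}

# Usage: sh vpn-acl.sh          (print everything for review)
#        sh vpn-acl.sh --apply  (as root: write ccd files and load the firewall)
if [ "${1:-}" = "--apply" ]; then
  { ccd_script; firewall_script; } | sh
else
  echo "### server.conf"; server_conf
  echo "### ccd files";   ccd_script
  echo "### firewall";    firewall_script
fi
```

Adding a user is a one-line change to the access map: they get a tunnel address, a ccd file, and exactly the host:port pairs listed, while `ccd-exclusive` ensures a certificate with no matching entry cannot connect at all. The `vpn-denied:` log prefix gives the terminal-server admins something concrete to watch for stolen or misused devices.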
