How do remote workers connect to your organization’s network?
(Last updated on April 1, 2020)
As COVID-19 drives organizations to remote work, IT admins must suddenly increase the number of remote users they’re supporting. Not only do they need to ensure that these users have what they need to work efficiently, but they also need to prepare for any potential security risks.
As a part of your work-from-home policy, you will need a viable and secure way of granting access to network resources. Options for remote access include RDP and VPN. Both of which are being targeted by cybercriminals. In this blog you will find our best practice tips for setting up RDP and VPN.
RDP access is the more complicated of the two. First, you need to decide whether you want to present specific applications, or the entire desktop to the user. You will need a server, a remote desktop gateway server (the public facing system), public name/IP address, and a way to publish this external server securely (i.e. a reverse proxy of some kind). You will also have to account for licensing from Microsoft. If you want the extra bells and whistles that third-party solutions provide e.g. Citrix, VMware etc., that will also require licensing.
Monitoring and controlling the usage of RDP access can be done using two standard Microsoft Server Roles – Remote Desktop Gateway Manager, and Network Policy Server. You can secure it using an SSL certificate, and by only allowing specific users and machines to connect, or be connected to. You will also have the standard event logs to keep an eye on.
If you are building a true virtual desktop infrastructure, the server(s) are usually domain joined and on your regular Server VLAN. VDI is supposed to behave like a regular on-prem workstation, with all the same baseline software e.g. Office, Adobe, and other line of business applications. For added security, you could place it in a DMZ and restrict access using firewall rules to protect other internal systems that your users wouldn’t normally access.
RDP typically grants access via password only. This is concerning as RDP brute-forcing is a common attack method. Consider specifying a stronger password policy at the very least, or looking at third-party 2FA or MFA solutions.
Getting started with VPN access can be pretty simple, but you need to make sure you do it properly. First, you will need to choose a secure protocol e.g. L2TP, IPSEC, or SSL. Make sure you do not use a deprecated VPN technology such as PPTP. Next, you will need a public IP address. It is usually a good idea to set a public DNS name if users are having to type in the address, e.g. vpn.company.com. You should also define a separate IP subnet for the VPN connections so that it is easier to filter traffic, track, audit, and troubleshoot.
Always On VPN solutions like Direct Access are worth looking at, but be aware that Direct Access only works with domain joined devices. It will not support home computers, or non-Windows devices, which means you might need a regular VPN as well. The great thing about the Always On VPN is that there is nothing to do from the user perspective. The domain joined Windows device will work in exactly the same way as it would when connected to the office LAN (albeit a bit slower). Group policy, password change notifications, and updates to cached credentials after a password change will happen seamlessly.
Remember, if you’re not using a password reset service with your user launched VPN (as opposed to Direct Access), users that are off network will not receive password expiry notifications. When their password eventually expires, they usually won’t be able to connect to the VPN (because it’s the expired password that authenticates the VPN). In that scenario, they will need to contact the service desk for a new password. However, the new password can’t be used straight away as the old password will still be cached on the laptop. The following is a workaround for the cached credential problem when using a VPN:
- When the service desk resets the password, they will have to leave the “User must change password at next logon” box unticked.
- The user can connect to the VPN with the password provided by the service desk, but will have to ensure that any device, e.g. mobile phone, attempting to connect to their account with their expired password, is turned off.
- The user should create a new password that is not known to the helpdesk. They will use CTRL + Alt + Delete and enter their old password (the one just set by the service desk) and a new password that they create.
- The user will need to lock the screen, and unlock the screen with their new password to synchronize the cached credentials with the credentials set on Active Directory.
Of course, our password reset solution can always update the locally cached credentials, even when a domain controller can’t be reached directly by the user. You can use our free password auditor tool to identify which user passwords are going to expire. You can also find any accounts using the same password, and even compromised passwords. This can help you identify users with upcoming password expirations, as well as ensure that they are changing the default password given to them by the helpdesk.