Looking for solutions to allow remote users access to their internal psychical computers
-
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
I'm not entirely sure how you solve that?
If you allow the RDP to save credentials, you remove the clunk after connection for the first time. Then they authenticate with VPN and 2FA, followed by a saved credential RDP connection. Not my preference, but it is a way to de-clunkify the double login.
-
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
And you have zero or little control over the traffic outside the VPN, unless you have some security in place for this.
We use our Firewall appliance to restrict traffic to port 3389 in the VPN, RDP is a pretty safe protocol. Jared said we don't know of anything that can penetrate it. Maybe he can add some light to the safety of RDP if you need more info.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
Just adding 2FA to RDP is a better option.
Wouldn't you need to open port 3389 to the public if your users had dynamic IPs at home? We prevent a lot of RDP login attempts by only allowing 3389 through our VPN tunnels.
-
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
And you have zero or little control over the traffic outside the VPN, unless you have some security in place for this.
We use our Firewall appliance to restrict traffic to port 3389 in the VPN, RDP is a pretty safe protocol. Jared said we don't know of anything that can penetrate it. Maybe he can add some light to the safety of RDP if you need more info.
RDP uses the same tech as most VPNs. It's extremely safe as a protocol. It's the assumed ties to AD that make it risky.
-
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
Just adding 2FA to RDP is a better option.
Wouldn't you need to open port 3389 to the public if your users had dynamic IPs at home? We prevent a lot of RDP login attempts by only allowing 3389 through our VPN tunnels.
You'd have to open something, but not necessarily 3389.
A VPN also has to have a port open. So that particular risk remains the same with either approach.
-
I know this is late to the discussion, but the State of Kentucky uses two different types of VPN connections.
PaloAlto Applicance
And SSL-VPN -which opens RDP session to the end users desktop. The desktop has to be defined in the parameters.
The SSL-VPN is routed via a Third Party. Open a browser, log in, click your RDP session and there you go...
-
@JaredBusch said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I know this topic is all the buzz right now..
Currently we are having our users remotely access their internal computers by using secured laptops as "dumb terminals" as they establish an SSLVPN connection to our firewall/security appliance and then RDP from said laptop into their workstation. It works ok but the user experience is clunky with multiple logins and we have had various issues/concerns and hope to eventually get something in place that works better.
I was looking at Citrix and VMware Horizon 7 and they have some "remote to PC" options that are included with each of their main packages. It would obviously be a waste to purchase an expensive product for the purpose of using one single side-feature that lets remote users access their internal company computers. So I wanted to see if you guys could provide any suggestions.
I understand there may be a lot of resistance here against a lot of these products since they are big and expensive and may not be wise business choices, but I am trying to work with what I have and what I know and I know that I don't know much..
If anyone can point to a product/service/mixture of technologies that would help users directly connect to their internal computers while providing a simple and solid user experience, that would be a huge help.
ZeroTier (with Flow rules) + RDP is how I solved this for my clients.
After reading everything, this is honestly the simplest and most transparent to the users. You don't need an RDS gateway, you don't need to sign into a VPN. Clients are allowed on the SD-WAN by a centralized control and then the users can just RDP to their desktops.
It's two steps:
- Login into local machine
- RDP into desktop.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Pete-S said in Looking for solutions to allow remote users access to their internal psychical computers:
And you have zero or little control over the traffic outside the VPN, unless you have some security in place for this.
We use our Firewall appliance to restrict traffic to port 3389 in the VPN, RDP is a pretty safe protocol. Jared said we don't know of anything that can penetrate it. Maybe he can add some light to the safety of RDP if you need more info.
RDP uses the same tech as most VPNs. It's extremely safe as a protocol. It's the assumed ties to AD that make it risky.
That's interesting - how does the assumed ties do that? I'm not disagreeing, just not understanding.
As for the safety of RDP - on the surface I agree with Scott, RDP does use the same tech as VPNs and I assume SSH as well. Unfortunately, even recently RDP has been found to have authentication bypass flaws. I'm assuming SSH doesn't mainly because it's so old, and open source.
-
@stacksofplates said in Looking for solutions to allow remote users access to their internal psychical computers:
@JaredBusch said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I know this topic is all the buzz right now..
Currently we are having our users remotely access their internal computers by using secured laptops as "dumb terminals" as they establish an SSLVPN connection to our firewall/security appliance and then RDP from said laptop into their workstation. It works ok but the user experience is clunky with multiple logins and we have had various issues/concerns and hope to eventually get something in place that works better.
I was looking at Citrix and VMware Horizon 7 and they have some "remote to PC" options that are included with each of their main packages. It would obviously be a waste to purchase an expensive product for the purpose of using one single side-feature that lets remote users access their internal company computers. So I wanted to see if you guys could provide any suggestions.
I understand there may be a lot of resistance here against a lot of these products since they are big and expensive and may not be wise business choices, but I am trying to work with what I have and what I know and I know that I don't know much..
If anyone can point to a product/service/mixture of technologies that would help users directly connect to their internal computers while providing a simple and solid user experience, that would be a huge help.
ZeroTier (with Flow rules) + RDP is how I solved this for my clients.
After reading everything, this is honestly the simplest and most transparent to the users. You don't need an RDS gateway, you don't need to sign into a VPN. Clients are allowed on the SD-WAN by a centralized control and then the users can just RDP to their desktops.
It's two steps:
- Login into local machine
- RDP into desktop.
If you want to manage everything from top to bottom, Tinc exists, but I don't see the value over ZeroTier. Especially getting into things like having multiple networks and flow rules.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
Just adding 2FA to RDP is a better option.
Wouldn't you need to open port 3389 to the public if your users had dynamic IPs at home? We prevent a lot of RDP login attempts by only allowing 3389 through our VPN tunnels.
You'd have to open something, but not necessarily 3389.
A VPN also has to have a port open. So that particular risk remains the same with either approach.
If you're saying you have to open a port to allow VPN to function, and that is the same risk as opening a port for RDP, then I agree with you.
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
yeah I know its a balance. We have had a few trade offs between password length and expiration time
NIST guidelines were updated in 2017. They mostly follow XKCD.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
RDP uses the same tech as most VPNs. It's extremely safe as a protocol. It's the assumed ties to AD that make it risky.
We connect with VPN to the Gateway Appliance, then RDP to the LAN desktop. You can't do #2 until you've done #1.
So, we have an added layer of protection by preventing access to AD until after you VPN to the appliance.Good discussion here....
-
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
yeah I know its a balance. We have had a few trade offs between password length and expiration time
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
-
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
yeah I know its a balance. We have had a few trade offs between password length and expiration time
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
Yes, but I like https://xkpasswd.net/s/ more.
-
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
yeah I know its a balance. We have had a few trade offs between password length and expiration time
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
Yes, but I like https://xkpasswd.net/s/ more.
At first glance, that's the best one yet.
-
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
yeah I know its a balance. We have had a few trade offs between password length and expiration time
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
Yes, but I like https://xkpasswd.net/s/ more.
That is horrible by default
-
@JaredBusch said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to login to their company issued laptops and then click one or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved. So that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
yeah I know its a balance. We have had a few trade offs between password length and expiration time
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
Yes, but I like https://xkpasswd.net/s/ more.
That is horrible by default
++74Why/do|YOU/say|ThAt|*11^
-
@JaredBusch Yeah, you do have to click the XKCD button, and the site looks like I threw it up.
-
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
Yes, but I like https://xkpasswd.net/s/ more.
Thank you! I have a new favorite toy to play with!
-
@stacksofplates It's probably that @JaredBusch didn't see the section for presets. It's cool. Two out of three IT Pros liked it, and @JaredBusch is a Negative Nancy for many other things, so no surprise that he hated it.