Access Restrictions for VPN Access to LANs
-
I thought I would start this topic for discussion. This stems from setting someone up this morning to access their work PC from their home PC.
I found that I was not at all comfortable letting their home PC on the LAN. So I told them no, until we solve some issues.
I found their PC to have outdated and expired AV. No Anti-Malware, was running Windows 7, and was very far behind on updates for all applications. So, assuming their computer was well configured and all up to date, I still think consideration should be given to access control rules for VPN access to the LAN. We don't need to damage the LAN from a crappy computer and user at home.
Normally, remote access by VPN is tightly controlled and managed by us. But there is a rush from all manner of user to get access today. Not that I am thinking about giving high risk users access to the LAN; it just started us talking about all of this in the context of what we are being asked to deal with, which is greater volume and faster response than normal.
Assuming no issues with the user or the user's home PC, I still think, given the exposure of the LAN to so many more outside, uncontrolled sources, extra discussion and diligence is needed.
I am not interested in a "FFS - You should have done it THIS way!" discussion, I'm interested in open discussion about things to consider and how best to implement. I believe it is safe to assume all the people here at RepublicOfIT are interested in gathering as much knowledge as possible, and then choosing a plan of action based on any new information learned here.
My first thoughts, AFTER determining the user and the user's PC are not a terrible threat, is to limit VPN to RDP (3389), DNS (53), and Ping (8). Since my clients are looking for remote control, I can give it to them pretty quickly with the VPN client software from their firewall and I can use AD to add some additional controls along with LDAP authentication, such as using AD to limit their logons to only the PC they typically use when at work.
What are your ideas?
-
A VPN that is restricted to RDP is a simple and effective solution.
Nothing that we know of can "worm" through RDP.
-
Second @JaredBusch's idea; this is what I am working on right now for a few employees who do not have company provided laptops.
-
What about something like MeshCentral/ConnectWise/LogMeIn instead. This removes their device from your network entirely.
-
@Dashrender said in Access Restrictions for VPN Access to LANs:
What about something like MeshCentral/ConnectWise/LogMeIn instead. This removes their device from your network entirely.
Would it be best to disable drag and drop to those users?
-
@JaredBusch said in Access Restrictions for VPN Access to LANs:
Nothing that we know of can "worm" through RDP.
This is really good to know!
-
@Dashrender said in Access Restrictions for VPN Access to LANs:
What about something like MeshCentral/ConnectWise/LogMeIn instead. This removes their device from your network entirely.
Over complicated when he already has VPN capabilities.
Also none of those solutions are good for remote work. They are great for remote support, but for a "normal workday", hell no.
-
This would probably be too much work to set up in a hurry, but ZT on End User's personal device, and End User's Company Machine.
But as @JaredBusch said, if you already have a VPN infrastructure, it'd be easiest to use that.
-
@dafyre said in Access Restrictions for VPN Access to LANs:
This would probably be too much work to set up in a hurry, but ZT on End User's personal device, and End User's Company Machine.
But as @JaredBusch said, if you already have a VPN infrastructure, it'd be easiest to use that.
ZT is a good solution but I would need to look at ways to restrict it to port 3389 afterward.
-
@JaredBusch said in Access Restrictions for VPN Access to LANs:
@dafyre said in Access Restrictions for VPN Access to LANs:
This would probably be too much work to set up in a hurry, but ZT on End User's personal device, and End User's Company Machine.
But as @JaredBusch said, if you already have a VPN infrastructure, it'd be easiest to use that.
ZT is a good solution but I would need to look at ways to restrict it to port 3389 afterward.
Are you familiar with ZeroTier Flow Rules? I wonder if that's a way to restrict to port 3389?
-
If you can limit a client to just one IP and just tcp 3389 in your firewall that should be enough.
Disable shared drives or the user is able to infect the work pc with files from his home pc.
Typically when we connect with VPN to enterprise networks to do work on certain servers or what not, we get a static ip and then they have firewall rules to determine what IPs / ports we can reach. So yes, the computer we use is on their LAN but only through a very small and restricted opening that just allows RDP to just the one server we need to access. Everything else is blocked.
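
The "one static IP per VPN client, one destination, tcp 3389 only" approach described in this thread can be checked mechanically before rules go live. The sketch below is an added example, not code from any poster; the rule tuple format, addresses and DNS server are constructed for illustration and do not correspond to any particular firewall's syntax.

```python
import ipaddress

# Constructed sample policy: (vpn_client_ip, destination, protocol, port)
RULES = [
    ("10.99.0.11", "192.168.1.50/32", "tcp", 3389),  # RDP to the user's own work PC
    ("10.99.0.11", "192.168.1.10/32", "udp", 53),    # DNS to the internal resolver
    ("10.99.0.12", "192.168.1.0/24", "tcp", 3389),   # too broad: whole LAN
    ("10.99.0.13", "192.168.1.52/32", "tcp", 445),   # SMB, not RDP
]
DNS_SERVER = "192.168.1.10"  # assumed internal resolver

def is_allowed(rules, src, dst, proto, port):
    """Default deny: a flow passes only if some rule matches it."""
    for r_src, r_dst, r_proto, r_port in rules:
        if (src == r_src and proto == r_proto and port == r_port
                and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)):
            return True
    return False

def audit(rules, dns_server):
    """Return (client, reason) for every rule wider than RDP-to-one-host plus DNS."""
    findings, rdp_targets = [], {}
    for src, dst, proto, port in rules:
        net = ipaddress.ip_network(dst)
        single_host = net.num_addresses == 1
        if not single_host:
            findings.append((src, f"destination {dst} is wider than a single host"))
        if (proto, port) == ("tcp", 3389):
            rdp_targets.setdefault(src, set()).add(dst)
        elif port == 53 and single_host and str(net.network_address) == dns_server:
            continue  # DNS to the designated resolver only
        else:
            findings.append((src, f"{proto}/{port} to {dst} is outside RDP and DNS"))
    for src, targets in rdp_targets.items():
        if len(targets) > 1:
            findings.append((src, "RDP allowed to more than one destination"))
    return findings

if __name__ == "__main__":
    for client, reason in audit(RULES, DNS_SERVER):
        print(f"{client}: {reason}")
```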