Security For BYOD RDP?

We would like users to be able to remotely access their desktop PC from their personal laptops over a VPN connection, but we need them to have no access other than viewing the screen and remote controlling it. No file transfer or drive redirection, no printer redirection and no other way to transmit malware over the network if their personal laptop is infected.

Since these would be personal laptops we do not manage and are not joined to our domain, they would not recognize any group policies we apply. The restrictions would need to be enforced from their desktop PC, not their personal laptop. They connect directly to their desktop PC over VPN and then RDP. There is no terminal server used.

Also, is there any way to prevent copy and paste, drive redirection and printer redirection over RDP from a domain computer to non-domain computers, but allow it between two domain-joined computers?

On Mon, 3 Feb 2014 17:59:06 +0000, MyGposts wrote:
> Would there be any risk to the Remote Desktop Gateway server or the internal network if someone used a malware-infected home PC to connect to the RDG server?

Potentially yes, but no more so than when connecting via a VPN.

> Is there any way to prevent users from logging in to RDS using only saved credentials that can be used by anyone if their home PC or laptop, iPad or Android tablet used for RDS connections is stolen?
> Most people have no encryption on their personal devices, so any laptop thief will be able to crack the Windows password with easily available Windows password reset tools and then log in and access the RDS site (likely bookmarked in IE) and then log into the work network using the saved "remembered" credentials.

Out of the box, RD Gateway in 2012 and 2012 R2 supports smart card logon, so that would mitigate somewhat. It also supports pluggable authentication methods, so that you could potentially use other methods for 2FA or MFA.

The security risks in using an RD Gateway really aren't any greater than using a VPN. What an RD Gateway allows you that I'm not sure can be achieved with a VPN solution is one set of access policies for those external to your network and a different set for those on your internal network.
RDS specific questions would be better posted here:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS
Paul Adare - FIM CM MVP
When in doubt, use brute force. -- Ken Thompson
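To show how the host-side enforcement asked for in the opening post can be done, and how the host can refuse to rely on a password the client sent from a saved credential (the stolen-laptop concern quoted above), here is an added PowerShell example. It is not from this thread, from Microsoft, or from any product mentioned here. It writes the Remote Desktop Services policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services on the desktop PC that acts as the RDP server; because the server applies them, they hold no matter what the unmanaged client is or does. The function names and the selection of values are the example's own, and the compliance check returns one object per setting so it can be exported for reporting.

```powershell
# Added example, not code from the original thread. Run elevated on the desktop PC that
# is the RDP server (or push it to the domain-joined desktops with a startup script).
# These are the registry values behind the "Device and Resource Redirection" and
# "Always prompt for password upon connection" Remote Desktop Services policies.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Value name -> 1 means "disable this redirection type" (or "always prompt").
$Lockdown = @{
    fDisableCdm        = 1   # drive redirection: no file transfer via the client's drives
    fDisableClip       = 1   # clipboard redirection: no copy/paste of text or files
    fDisableCpm        = 1   # printer redirection
    fDisableLPT        = 1   # LPT port redirection
    fDisableCcm        = 1   # COM port redirection
    fDisablePNPRedir   = 1   # Plug and Play device redirection
    fPromptForPassword = 1   # host asks for the password interactively even if the client saved one
}

function Set-RdpRedirectionLockdown {
    # Creates the policy key if needed and writes every value as a REG_DWORD.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Lockdown.Keys) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", "Set to $($Lockdown[$name])")) {
            Set-ItemProperty -Path $PolicyKey -Name $name -Value $Lockdown[$name] -Type DWord
        }
    }
}

function Test-RdpRedirectionLockdown {
    # Returns one object per setting; Compliant is $false when the value is absent
    # or not equal to the expected value, which is what a stolen or infected client
    # would be able to exploit if the host did not enforce it.
    $current = if (Test-Path $PolicyKey) { Get-ItemProperty -Path $PolicyKey } else { $null }
    foreach ($name in ($Lockdown.Keys | Sort-Object)) {
        $value = if ($null -ne $current) { $current.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Lockdown[$name]
            Actual    = $value
            Compliant = ($value -eq $Lockdown[$name])
        }
    }
}

# Apply the lockdown, then report what the host will actually enforce.
Set-RdpRedirectionLockdown
Test-RdpRedirectionLockdown | Format-Table -AutoSize
```

These host settings apply to every client that connects, so they do not by themselves distinguish a domain-joined client from a personal laptop; that per-connection distinction is the kind of separate policy for external connections that the reply above attributes to an RD Gateway. Running the Test function on a schedule and alerting on any non-compliant row is a simple way to detect the values being reverted on a desktop.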
I was looking for something that has a smaller security risk for malware transmission than RDP over VPN. If it is only "not any greater," rather than actually "better and safer," then that seems to make it a waste of time and money for us to implement RD Gateway. We could just let users connect with a VPN client directly to their desktop as they are used to doing.

It seems like it "should be" safer, since it seems more difficult to transmit malware from an infected PC over an RDG connection than through a VPN, which may have other ports open; plus, users may be able to connect to network shares and mount drives through the Remote Desktop MSTSC.exe application, and that should not be available when using RD Gateway.

Is there something else I'm missing that makes the risk of malware transmittal and data loss no lower when using an RD Gateway to reach a workstation from outside than when using a VPN with a direct connection to reach a workstation?

Similar Messages

  • Ask the Expert: Integrating Cisco Identity Service Engine (ISE) 1.2 for BYOD

    With Eric Yu and Todd Pula 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions  about integrating Cisco ISE 1.2 for BYOD with experts Eric Yu and Todd Pula.
    Cisco Bring Your Own Device (BYOD) is an end-to-end architecture that orchestrates the integration of Cisco's mobile and security architectures to various third-party components. The session takes a deep dive into the available tools and methodologies for troubleshooting the Cisco BYOD solution to identify root causes for problems that stem from mobile device manager integration, Microsoft Active Directory and certificate authority services, and Cisco Enterprise Mobility integration to the Cisco Identity Services Engine (ISE). 
    Todd and Eric recently delivered a technical workshop that helps network designers and network engineers understand integration of the various Cisco BYOD components by taking a deep dive to analyze best practice configurations and time-saving troubleshooting methodologies. The content consisted of common troubleshooting scenarios in which TAC engineers help customers address operational challenges as seen in real Cisco BYOD deployments.
    Eric Yu is a technical leader at Cisco responsible for supporting our leading-edge borderless network solutions. He has 10 years of experience in the telecommunications industry designing data and voice networks. Previous to his current role, he worked as a network consulting engineer for Cisco Advance Services, responsible for designing and implementing Cisco Unified Communications for Fortune 500 enterprises. Before joining Cisco, he worked at Verizon Business as an integration engineer responsible for developing a managed services solution for Cisco Unified Communications. Eric holds CCIE certification in routing and switching no. 14590 and has two patents pending related to Cisco's medianet.   
    Todd Pula is a member of the TAC Security and NMS Technical Leadership team supporting the ISE and intrusion prevention system (IPS) product lines. Todd has 15 years of experience in the networking and information security industries, with 6 years of experience working in Cisco's TAC organization. Previous to his current role, Todd was a TAC team lead providing focused technical support on Cisco's wide array of VPN products. Before joining Cisco, he worked at Stanley Black & Decker as a network engineer responsible for the design, configuration, and support of an expansive global network infrastructure. Todd holds his CCIE in routing and switching no. 19383 and an MS degree in IT from Capella University.
    Remember to use the rating system to let Eric and Todd know if you have received an adequate response.
    Because of the volume expected during this event, Eric and Todd might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity AAA, Identity and NAC, shortly after the event. This event lasts through November 15, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hi Antonio,
    Many great questions to start this series.  For the situation that you are observing with your FlexConnect configuration, is the problem 100% reproducible or is it intermittent?  Does the problem happen for one WLAN but not another?  As it stands today, the CoA-Ack needs to be initiated by the management interface.  This limitation is documented in bug CSCuj42870.  I have provided a link for your reference below.  If the problem happens 100% of the time, the two configuration areas that I would check first include:
    On the WLC, navigate to Security > RADIUS > Authentication.  Click on the server index number for the associated ISE node.  On the edit screen, verify that the Support for RFC 3576 option is enabled.
    On the WLC, navigate to the WLANs tab and click on the WLAN ID for the WLAN in question.  On the edit screen, navigate to Security > AAA and make sure the Radius Server Overwrite interface is unchecked.  When this option is checked, the WLC will attempt to send client authentication requests and the CoA-Ack/Nak via the dynamic interface assigned to the WLAN vs. the management interface.  Because of the below referenced bug, all RADIUS packets except the CoA-Ack/Nak will actually be transmitted via the dynamic interface.  As a general rule of thumb, if using the Radius NAC option on a WLAN, you should not configure the Radius Server Overwrite interface feature.
    Bug Info:  https://tools.cisco.com/bugsearch/bug/CSCuj42870
    For your second question, you raise a very valid point which I am going to turn into a documentation enhancement request.  We don't currently have a document that lists the possible supplicant provisioning wizard errors that may be encountered.  Please feel free to post specific errors that you have questions about in this chat and we will try to get you answers.  For most Android devices, the wizard log file can be found at /sdcards/downloads/spw.log.
    As for product roadmap questions, we won't be able to discuss this here due to NDA.  Both are popular asks from the field so it will be interesting to see what the product marketing team comes up with for the next iteration of ISE.
    Related Info:
    Wireless BYOD for FlexConnect Deployment Guide

  • BUG: RV042 (1.3.12.19-tm) not ready for Win7 RDP ?

    Hello,
    we used a CISCO RV042 with Firmware version: 1.3.12.19-tm (CPU: Intel IXP425-266, DRAM: 32M, Flash: 8M) with a "Gateway to Gateway" VPN Tunnel connected to a CISCO1921/K9-SEC with ZBF. The Tunnel works fine.
    A connection to a WinXP (Professional) RDP works permanently. Then we had to connect to a Win7 (Professional) RDP: the connection was established, but is canceled with different error messages by the "RDP-Server" on the "RV042 LAN". Problems with the host cert or RDP server not ready were announced. (???) We started troubleshooting on both sides and can't find a clear statement in the log data on the CISCO or Windows hardware.
    Then we replaced the RV042 with a RV042G V01 with Firmware version: 4.2.1.02 -
    No problems with RDP to Win7 RDP anymore!
    We only changed the hardware - the VPN configuration on CISCO1921 and RV042G was not changed.
    Is RV042 (1.3.12.19-tm) not ready for Win7 RDP?
    Regards
    Stefan

    dondersconsulting wrote:
    > it works fine with Server 2008R2 RDP, which should be same as Win7.
    You are using an IPSec Tunnel to an RV042 (not the Client feature!) and you can connect to a Server 2008R2 RDP through the tunnel?
    dondersconsulting wrote:
    > Are you connecting the RDP session through the VPN? If so, I'm not sure why the RV042 would have anything to do with the RDP session.
    Yes, we are connecting via IPSec from a CISCO1921 to the RV042. I think that the RV042 has problems with its own Stateful Firewall related to the local routing through the IPSec tunnel. In this case the RDP protocol has changed on the Microsoft side from to .
    dondersconsulting wrote:
    > If you are connecting directly through the internet using Forwarding or UPnP, then it should work fine.
    That's not our setup and is far away from any security policies on our side ...
    dondersconsulting wrote:
    > The only thing that throws a flag for me is the certificate message.  The RV042 uses an SSL cert for various things, but there is no clear way to refresh this cert when it gets corrupted.  For some reason it is hidden in the VPN client setup - look for the button at the bottom that says "Generate" - use this to create a new certificate, then save the settings and reboot the router. I'm not sure that this is the issue, but it shouldn't hurt anything to reset the certificate.  If you have a valid signed certificate to import, that might be even better.
    The Certs you describe go with the "Client To Gateway" feature and we are using the "Gateway To Gateway" feature.
    I think the RV042 is working fine with the IPSec-Tunnel Feature "Gateway To Gateway". It works fine with WinXP Hosts connecting RDP through the tunnel - but using Win7 RDP the RDP Session breaks with all available Error Messages in a random output on any Win-Client (WinXP and Win7) - we tested with 5 ! different machines ...
    It looks like a Firewall Bug on the RV042.

  • Error while "Enabling Security for Oracle Management Service"

    Hi,
    I have installed OEM 10GR1 on Solaris 9. I am using 9.2.0 database for repository.
    My first installation of OEM and agent went smoothly, and everything was working fine.
    Then, I tried to follow the steps for configuring security for the Grid Control Framework. I got the following error:
    /oracle/app/oracle/product/10gEM>cd bin
    /oracle/app/oracle/product/10gEM/bin>./emctl secure oms
    Oracle Enterprise Manager 10g Release 10.1.0.3.0.
    Copyright (c) 1996, 2004 Oracle Corporation. All rights reserved.
    Enter Enterprise Manager Root Password :
    Enter Agent Registration password :
    Enter a Hostname for this OMS :
    Checking Repository... Done.
    Checking Repository for an existing Enterprise Manager Root Key... Done.
    Generating Enterprise Manager Root Key (this takes a minute)... Done.
    Fetching Root Certificate from the Repository... Done.
    Generating Registration Password Verifier in the Repository... Done.
    Generating Oracle Wallet Password for Enterprise Manager OMS... Done.
    Generating Oracle Wallet for Enterprise Manager OMS...Missing /oracle/app/oracle/product/10gEM/sysman/wallets/oms.uxtora1/ewallet.p12
    :/oracle/app/oracle/product/10gEM/bin>
    Please help.

    Thanks for response. I had temp space full issue with repository database. After bouncing database, the temp tablespace became empty, and the secure operation went smooth.

  • " plug-in name does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari Security "Manage Website Settings"?

    Hi,
    Wondering why "<plug-in name> does not support the highest level of security for Safari plug-ins" appear for some plugins in Safari > Security > "Manage Website Settings"?
    Have been trying to get to the root cause of the problem but did not find much on this. I am trying to figure out what can get the warning to go away completely rather than using the Allow/Always Allow options for the plug-in.
    Thanks,
    Shyam

    Hi Linc,
    Thank you for your response. Here is the screenshot of the warning that I am talking about.
    Here is what I do:
    1. Launch Safari and open its Preferences. I have Safari 7.1 installed on my machine.
    2. Click Security Tab and click Manage WebSite Settings
    3. A window opens showing me all the Plug-ins that I have (listed on the left hand side).
    4. One of them is the Adobe Reader plug-in. When I click Adobe Reader, the following details about the plug-in show up on the right
    I was referring to the highlighted section that warns me about this plug-in not using the highest level of security for Safari Plug-ins.
    Note: I do not see this for all my plug-ins (QuickTime, Adobe Flash Player don't give me this warning) which tells me that there is a way to make the warning go away.
    Thanks again,
    Shyam

  • Security for creating web templates using web application designer

    I work for ChevronTexaco as a BW Security Analyst. I have a request to set up roles for web template creation using the Web Application Designer. Where can I get help in setting up the security for these types of roles? My experience is in setting up roles for running and creating queries in BEX. I need to know what additional authorizations will enable web template creation. Setting up a trace in ST01 has been less than helpful since it dumps out tons of RS_COMP tracing that doesn't help me much.
    The user wants to be able to create web templates for existing queries in BEX and restrict by rs_comp infocubes/areas/reportid, etc. and to be able to save to restricted role names. Are there new auth groups specific to this type of activity that I need to code for in addition to the basic end user or report builder authorizations?
    Any help would be greatly appreciated.
    Jeff Ehritt
    925 827-6012
    ChevronTexaco

    Thanks Marc, I'll check it out. My problem was that I was trying to create the role by granting a userid sap_all, sap_new and s.a_system as well as power user auths for a specific application. I set up a trace in ST01 for authorization checking on the ID while one of our BW Central Support people went into Web Designer to create a template and everything else they wanted to do.
    The resulting trace spewed out so much stuff from S_RS_comp and comp1 as to be virtually useless since it named scores of different cubes and infoareas that the analyst wasn't even interested in. The results puzzled me and made it extremely difficult to pin down the required authorizations. Usually ST01 can be used as a blueprint to create the role, i.e. everything that the user touches is traced but no more than that. Have you seen this before? With just the new role I had set up, the user could not save to a role unless I coded the fully qualified role name such as YRH_SENDAT_USER. YRH* would not work.
    Thanks,
    Jeff Ehritt
    ERP COE SAP BW Security

  • Security For BW Web Application Designer

    I work for ChevronTexaco as a BW Security Analyst. I have a request to set up roles for web template creation using the Web Application Designer. Where can I get help in setting up the security for these types of roles? My experience is in setting up roles for running and creating queries in BEX. I need to know what additional authorizations will enable web template creation. Setting up a trace in ST01 has been less than helpful since it dumps out tons of RS_COMP tracing that doesn't help me much.
    The user wants to be able to create web templates for existing queries in BEX and restrict by rs_comp infocubes/areas/reportid, etc. and to be able to save to restricted role names. Are there new auth groups specific to this type of activity that I need to code for in addition to the basic end user or report builder authorizations?
    Any help would be greatly appreciated.
    Jeff Ehritt
    925 827-6012
    ChevronTexaco

    Hi Jeff,
    there are no special authorization objects for Web Templates. RS_COMP will still only work for queries, structures.... Saving to roles requires certain authorizations for the role (s_agr_*), here you can define the roles you can save templates to.
    Regards, Klaus

  • I have a 4 yr. old iMac. I recently got a trojan on it that sent out emails to my address book. I got Norton Internet Security for Mac, and now my Mac is running slow, with way too many spinning beach balls of death. Was it a mistake to install Norton?

    I have a 4 yr. old iMac. I recently got a trojan on it that sent out emails to my address book. I got Norton Internet Security for Mac, and now my Mac is running slow, with way too many spinning beach balls of death. Was it a mistake to install Norton?

    yankeecat wrote:
    I have a 4 yr. old iMac. I recently got a trojan on it that sent out emails to my address book.
    There is no such Trojan or other malware known today that will do that using OS X nor has there ever been one. The most probable explanation is that somebody hacked into your e-mail account on the server, so you should change that password to something stronger right away. If it had come from your Mac then there would almost certainly be copies of those messages in your Sent Mail mailbox.

  • Internet security for my macbook pro

    Need some advice: do I need internet security for my MacBook Pro? It has been suggested that Apple devices don't get viruses. If so, what's the best one to buy?

    You don't need any.

  • Unable to validate security for resource 'EXTRANETLOOK'

    We have UCM 10gR3 installed. We have the Extranetlook component installed along with WebDAV. Currently, when the users take any action that they don't have privilege to, they come across the error message Unable to validate security for resource 'EXTRANETLOOK'. Before, it used to give the exact error message so that it was easy for us to troubleshoot. Recently, due to some changes in the settings in the system, we started seeing this error message instead of the actual error message, something like Unable to retrieve page. User 'abc ' does not have sufficient privileges. Is there a way to suppress this Extranetlook error message so that the actual message comes through?
    thanks,

    Thanks for the response Bernhard. I'd like to address some of the points you mentioned:
    > possibly you have not the permissions to add resources
    - I am an owner of both the PWA and the project subsite
    > there are no resources inside your project plan (you have to use the "Build Team" in the Ribbon)
    - I checked the "Build Team" list and confirmed there are a dozen users in there
    > not each view allows you to edit each field
    - I've tried switching views and noticed that there are other fields that I cannot add values into including: Actual Start, Actual Finish, Baseline Finish, % Work Complete. I am able to change the Task Name, Start, Finish.
    Very strange problem. I'm still doing development on it but obviously can't roll this into production when users cannot add information to tasks.

  • I have 2 point security for AppleID. My iPhone 4S is listed as my trusted phone to text. No tel. no. is given. I am updating to iPhone 6Plus with same tel. no. Do I need to change anything for the sign in verification?

    I have 2 point security for AppleID. My iPhone 4S is listed as my trusted phone to text. No tel. no. is given. I am updating to iPhone 6Plus with same tel. no. Do I need to change anything for the sign in verification?

    Of course You can also add your iPhone telephone # as a trusted device.
    This way when you insert your SIM card into any phone, Apple will automatically recognize your cell phone # as a
    trusted device (may be handy if iphone breaks but you insert SIM card into another phone).
    HOWEVER:
    Having also your iPhone as a trusted device, is convenient if you travel and use a different SIM card
    at destination. This way you can still use the iphone for verification, even though you are using a different
    phone #.
    Regards

  • How to configure Symantec Mail Security for SMTP & Messaging Server 6.3

    Hi!
    I want to install Symantec Mail Security for SMTP 5.0.1 (host1) with Messaging Server 6.3 (in production - host2), but when I try to access the POP protocol to send a message from the Internet, the system displays a message with a relay problem.
    - Could you help me with this issue?
    - Do you know some documentation that speaks of this? I can't find any documentation that explains how to configure and integrate SMS and Messaging Server. Thanks in advance.
    Regards, CR

    ctemp1 wrote:
    > I want to install Symantec Mail Security for SMTP 5.0.1 (host1) with Messaging Server 6.3 (in production - host2), but when I try to access the POP protocol to send a message from the Internet, the system displays a message with a relay problem.
    I take it that you have configured the Symantec software like this?
    internet -> symantec mail security system -> sun messaging server -> recipient
    A better approach is the following:
    internet -> sun messaging server -> recipient
                         |
                         V
              symantec mail security system
    (refer here: http://blogs.sun.com/factotum/entry/messaging_server_correctly_deploying_the)
    > Do you know some documentation that speaks of this? I can't find any documentation that explains how to configure and integrate SMS and Messaging Server. Thanks in advance.
    There is no documentation specifically for Symantec software but we do document how to send emails via the Symantec mail security server using the aliasdetourhost channel keyword:
    http://docs.sun.com/app/docs/doc/819-4428/6n6j42615?a=view#bgaqy
    Regards,
    Shane.

  • How do I delete Kaspersky Security for Mac

    I have tried to delete Kaspersky Security for Mac many times but the icon still comes up to tell me to renew. How do I delete the icon and the program?

    You can contact Kaspersky support for uninstall issues here.
    Anti virus software is invasive and difficult to remove. If you can't resolve the problem directly from Kaspersky, backup all important data then reformat the disk and reinstall OS X.
    For v10.7 Lion, v10.8 Mountain Lion, or v10.9 Mavericks:  Startup your Mac while holding down the Command + R keys. From there you should be able to access the built in utilities to reformat the disk and reinstall OS X.
    For OS X prior to v10.7, startup from your install disc while holding down the C key.

  • What is the best internet security for mac

    what is the best internet security for mac

    You may find this User Tip on Viruses, Trojan Detection and Removal, as well as general Internet Security and Privacy, useful: The User Tip seeks to offer guidance on the main security threats and how to avoid them.
    https://discussions.apple.com/docs/DOC-2435

  • Any good articles or case studies on using MS technologies for BYOD in education settings ?

    Looking to see if any good articles or case studies on using MS technologies for BYOD in education settings ?  (schools, colleges etc)

    Check if this helps:
    http://www.microsoft.com/en-us/download/details.aspx?id=39681
    Yuri Diogenes [MSFT] - http://blogs.technet.com/yuridiogenes
