Looking for solutions to allow remote users access to their internal psychical computers
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
Just adding 2FA to RDP is a better option.
Wouldn't you need to open port 3389 to the public if your users had dynamic IPs at home? We prevent a lot of RDP login attempts by only allowing 3389 through our VPN tunnels.
You'd have to open something, but not necessarily 3389.
A VPN also has to have a port open. So that particular risk remains the same with either approach.
If you're saying you have to open a port to allow VPN to function, and that is the same risk as opening a port for RDP, then I agree with you.
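The two positions in the exchange above (expose RDP with 2FA, or allow 3389 only through the VPN tunnel) can both be monitored the same way on the Windows side: count failed RDP logons per source address and confirm that every RDP source actually sits in the VPN client pool. The following is an added example written for this thread, not code from any of the posters. It runs over a handful of constructed records modelled loosely on the fields of Windows Security event 4625/4624 (failed/successful logon, logon type 10 = RemoteInteractive); the VPN pool 10.8.0.0/24, the record layout and the threshold of 5 failures in 5 minutes are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs): "<iso-time> <event-id> <logon-type> <source-ip> <user>".
# Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP (RemoteInteractive).
SAMPLE_EVENTS = [
    "2024-05-01T08:00:01 4625 10 10.8.0.12 alice",
    "2024-05-01T08:00:05 4625 10 10.8.0.12 alice",
    "2024-05-01T08:00:09 4624 10 10.8.0.12 alice",
    "2024-05-01T08:01:00 4625 10 203.0.113.45 administrator",
    "2024-05-01T08:01:20 4625 10 203.0.113.45 administrator",
    "2024-05-01T08:01:40 4625 10 203.0.113.45 admin",
    "2024-05-01T08:02:00 4625 10 203.0.113.45 admin",
    "2024-05-01T08:02:20 4625 10 203.0.113.45 guest",
    "2024-05-01T08:02:40 4625 10 203.0.113.45 test",
    "2024-05-01T08:05:00 4625 3 10.8.0.33 bob",
    "2024-05-01T08:07:30 4624 10 192.0.2.7 carol",
]

# Assumed VPN client address pool: RDP should only ever arrive from here.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Logon type 10 is the interactive RDP session. With NLA enabled, credential
# failures can instead surface as type 3 (network); tune this per site.
RDP_LOGON_TYPE = "10"


def parse_event(line):
    """Split one constructed record into a dict with a parsed timestamp."""
    ts, event_id, logon_type, ip, user = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": event_id,
        "logon_type": logon_type,
        "ip": ip,
        "user": user,
    }


def failed_rdp_by_source(lines, window=timedelta(minutes=5), threshold=5):
    """Return {source_ip: total_failures} for sources with `threshold` or more
    failed RDP logons inside any `window`-long span (a brute-force indicator)."""
    failures = defaultdict(list)
    for ev in map(parse_event, lines):
        if ev["event_id"] == "4625" and ev["logon_type"] == RDP_LOGON_TYPE:
            failures[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Any run of `threshold` consecutive failures that fits in `window` trips the alert.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def outside_vpn(lines, pool=VPN_POOL):
    """Return sorted source IPs of RDP logon events (failed or successful) that
    did not come from the VPN pool, i.e. evidence that 3389 is reachable directly."""
    seen = set()
    for ev in map(parse_event, lines):
        if ev["logon_type"] == RDP_LOGON_TYPE and ipaddress.ip_address(ev["ip"]) not in pool:
            seen.add(ev["ip"])
    return sorted(seen)


if __name__ == "__main__":
    for ip, count in failed_rdp_by_source(SAMPLE_EVENTS).items():
        print(f"possible RDP brute force from {ip}: {count} failures")
    for ip in outside_vpn(SAMPLE_EVENTS):
        print(f"RDP traffic from outside the VPN pool: {ip}")
```

Two separate findings come out of the same data: the burst of failures from 203.0.113.45 is the brute-force pattern the thread wants to avoid, while the single successful logon from 192.0.2.7 shows that RDP is reachable without the VPN at all, which is the configuration question rather than an attacker question.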
-
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to log in to their company-issued laptops and then click once or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved, so that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
Yeah, I know it's a balance. We have had a few trade-offs between password length and expiration time.
NIST guidelines were updated in 2017. They mostly follow XKCD.
-
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
RDP uses the same tech as most VPNs. It's extremely safe as a protocol. It's the assumed ties to AD that make it risky.
We connect with VPN to the Gateway Appliance, then RDP to the LAN desktop. You can't do #2 until you've done #1.
So, we have an added layer of protection by preventing access to AD until after you VPN to the appliance. Good discussion here....
-
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to log in to their company-issued laptops and then click once or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved, so that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
Yeah, I know it's a balance. We have had a few trade-offs between password length and expiration time.
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
-
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to log in to their company-issued laptops and then click once or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved, so that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
Yeah, I know it's a balance. We have had a few trade-offs between password length and expiration time.
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
Yes, but I like https://xkpasswd.net/s/ more.
-
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to log in to their company-issued laptops and then click once or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved, so that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
Yeah, I know it's a balance. We have had a few trade-offs between password length and expiration time.
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
Yes, but I like https://xkpasswd.net/s/ more.
At first glance, that's the best one yet.
-
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to log in to their company-issued laptops and then click once or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved, so that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
Yeah, I know it's a balance. We have had a few trade-offs between password length and expiration time.
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
Yes, but I like https://xkpasswd.net/s/ more.
That is horrible by default
-
@JaredBusch said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@JasGot said in Looking for solutions to allow remote users access to their internal psychical computers:
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
@scottalanmiller said in Looking for solutions to allow remote users access to their internal psychical computers:
@dave247 said in Looking for solutions to allow remote users access to their internal psychical computers:
I wanted to figure out a solution for allowing the users to log in to their company-issued laptops and then click once or twice and get to their remote desktops as easily and as efficiently as possible.
You CAN make all or most of the credentials between that laptop and the resulting device be cached or saved, so that it is a really quick and painless process.
True but if a user's password expires or they change it, they may get themselves locked out. We try not to encourage saving passwords too much.
For security reasons, we avoid expiring passwords. That's what makes users write them down and make them easy to guess. Non-expiring, or rarely expiring passwords, are shown to be far more secure and make things like this much easier.
Yeah, I know it's a balance. We have had a few trade-offs between password length and expiration time.
NIST guidelines were updated in 2017. They mostly follow XKCD.
I've been using this infographic for years! I love it.
Have you seen this: http://correcthorsebatterystaple.net/
Yes, but I like https://xkpasswd.net/s/ more.
That is horrible by default
++74Why/do|YOU/say|ThAt|*11^
-
@JaredBusch Yeah, you do have to click the XKCD button, and the site looks like I threw it up.
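The posts above compare the plain XKCD preset (a few random dictionary words) with xkpasswd's default of words plus random case, digits and symbol padding. What decides the strength of either scheme is the size of the word list and the number of independent random choices, not how the result looks. The following is an added example written for this thread, not code from any poster or from xkpasswd: it generates a passphrase with the `secrets` module and estimates its entropy under the assumption that the attacker knows the scheme and the word list. The 32-word list is constructed for the example (a real deployment would use a large published list such as the EFF long list of 7776 words, which is used below only as a number), and the padding model is a simplification.

```python
import math
import secrets
import string

# Constructed 32-word sample list (5 bits per word). Real use: a large published list.
SAMPLE_WORDS = [
    "apple", "bridge", "candle", "dragon", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "temple", "umbrella", "velvet", "walnut", "yellow",
    "zipper", "anchor", "basket", "cactus", "desert", "falcon", "glacier", "hammer",
]

EFF_LONG_LIST_SIZE = 7776  # size of the EFF long word list, used only for the estimates


def generate_passphrase(words, count=4, separator="-", random_case=False, digits=0):
    """Return `count` words drawn uniformly (with replacement) from `words`,
    optionally with per-word random case and a trailing block of random digits."""
    parts = [secrets.choice(words) for _ in range(count)]
    if random_case:
        # One independent coin flip per word: a full extra bit each.
        parts = [w.upper() if secrets.randbits(1) else w.lower() for w in parts]
    phrase = separator.join(parts)
    if digits:
        phrase += separator + "".join(secrets.choice(string.digits) for _ in range(digits))
    return phrase


def estimate_entropy(list_size, count, random_case=False, digits=0,
                     separator_choices=1, padding_choices=1):
    """Bits of entropy assuming the attacker knows the scheme and the word list.
    Each word contributes log2(list_size); random case adds 1 bit per word;
    each digit adds log2(10); a separator or padding symbol picked from a set of
    k characters adds log2(k). Anything fixed (a known separator) adds nothing."""
    bits = count * math.log2(list_size)
    if random_case:
        bits += count
    bits += digits * math.log2(10)
    bits += math.log2(separator_choices) + math.log2(padding_choices)
    return bits


def seconds_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at the given guess rate (worst case for the attacker)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("sample:", generate_passphrase(SAMPLE_WORDS, 4))
    print("sample:", generate_passphrase(SAMPLE_WORDS, 3, random_case=True, digits=2))
    # Online guessing against a lockout-protected RDP/AD logon is slow; an offline
    # hash crack is many orders of magnitude faster. Both rates are illustrative.
    for label, kwargs in [
        ("4 words, EFF list", dict(count=4)),
        ("3 words + case + 2 digits + padding from 8 symbols",
         dict(count=3, random_case=True, digits=2, separator_choices=8, padding_choices=8)),
    ]:
        bits = estimate_entropy(EFF_LONG_LIST_SIZE, **kwargs)
        years = seconds_to_exhaust(bits, 1e10) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, {years:.1f} years at 1e10 guesses/s")
```

The point the numbers make is the one NIST's 2017 guidance rests on: a fourth dictionary word is worth about 13 bits against a 7776-word list, while the random case, digits and symbol padding that make the xkpasswd default look ugly add roughly the same amount for far more typing, which matters when the password has to be entered by hand off a phone.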
-
@Grey said in Looking for solutions to allow remote users access to their internal psychical computers:
Yes, but I like https://xkpasswd.net/s/ more.
Thank you! I have a new favorite toy to play with!
-
@stacksofplates It's probably that @JaredBusch didn't see the section for presets. It's cool. Two out of three IT Pros liked it, and @JaredBusch is a Negative Nancy for many other things, so no surprise that he hated it.
-
I use Bitwarden's generator and just save my passwords. I don't really care about readability.
-
@IRJ said in Looking for solutions to allow remote users access to their internal psychical computers:
I use Bitwarden's generator and just save my passwords. I don't really care about readability.
I do care about readability because I frequently find myself at company devices that don't have my password manager installed, so I end up typing it off my phone. That said - LP can make readable passwords.
-
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
@IRJ said in Looking for solutions to allow remote users access to their internal psychical computers:
I use Bitwarden's generator and just save my passwords. I don't really care about readability.
I do care about readability because I frequently find myself at company devices that don't have my password manager installed, so I end up typing it off my phone. That said - LP can make readable passwords.
This is only an issue if you are accessing the device physically.
-
@IRJ said in Looking for solutions to allow remote users access to their internal psychical computers:
@Dashrender said in Looking for solutions to allow remote users access to their internal psychical computers:
@IRJ said in Looking for solutions to allow remote users access to their internal psychical computers:
I use Bitwarden's generator and just save my passwords. I don't really care about readability.
I do care about readability because I frequently find myself at company devices that don't have my password manager installed, so I end up typing it off my phone. That said - LP can make readable passwords.
This is only an issue if you are accessing the device physically.
True - which I do when I'm wandering around our clinical space fixing stupid.
Luckily, very little of that right now.
-
@IRJ said in Looking for solutions to allow remote users access to their internal psychical computers:
I use Bitwarden's generator and just save my passwords. I don't really care about readability.
Same here. I have it on my phones and my browsers, and they even have a CLI tool (I haven't used it though).
-
I used ZeroTier and RDP (without the flow rules) worked fine. If you have AD then yes you have more work to do! I never properly got it working with RDP+AD.
-
ZeroTier (with Flow rules) + RDP is how I solved this for my clients.
Can you make a guide? I'd be interested in that read.