    Access Restrictions for VPN Access to LANs

    IT Discussion
JaredBusch

A VPN that is restricted to RDP is a simple and effective solution.

Nothing that we know of can "worm" through RDP.
jt1001001

Second @JaredBusch's idea; this is what I am working on right now for a few employees who do not have company-provided laptops.
Dashrender

What about something like MeshCentral/ConnectWise/LogMeIn instead? This removes their device from your network entirely.
JasGot @Dashrender

@Dashrender said in Access Restrictions for VPN Access to LANs:

    What about something like MeshCentral/ConnectWise/LogMeIn instead? This removes their device from your network entirely.

Would it be best to disable drag and drop for those users?
JasGot @JaredBusch

@JaredBusch said in Access Restrictions for VPN Access to LANs:

    Nothing that we know of can "worm" through RDP.

This is really good to know!
JaredBusch @Dashrender

@Dashrender said in Access Restrictions for VPN Access to LANs:

    What about something like MeshCentral/ConnectWise/LogMeIn instead? This removes their device from your network entirely.

Overcomplicated when he already has VPN capabilities.

Also, none of those solutions are good for remote work. They are great for remote support, but for a "normal workday", hell no.
dafyre

This would probably be too much work to set up in a hurry, but ZT on the end user's personal device and the end user's company machine.

But as @JaredBusch said, if you already have a VPN infrastructure, it'd be easiest to use that.
JaredBusch @dafyre

@dafyre said in Access Restrictions for VPN Access to LANs:

    This would probably be too much work to set up in a hurry, but ZT on the end user's personal device and the end user's company machine.

    But as @JaredBusch said, if you already have a VPN infrastructure, it'd be easiest to use that.

ZT is a good solution, but I would need to look at ways to restrict it to port 3389 afterward.
black3dynamite @JaredBusch

@JaredBusch said in Access Restrictions for VPN Access to LANs:

    @dafyre said in Access Restrictions for VPN Access to LANs:

        This would probably be too much work to set up in a hurry, but ZT on the end user's personal device and the end user's company machine.

        But as @JaredBusch said, if you already have a VPN infrastructure, it'd be easiest to use that.

    ZT is a good solution, but I would need to look at ways to restrict it to port 3389 afterward.

Are you familiar with ZeroTier Flow Rules? I wonder if that's a way to restrict it to port 3389?
1337

If you can limit a client to just one IP and just TCP 3389 in your firewall, that should be enough.

Disable shared drives, or the user is able to infect the work PC with files from his home PC.

Typically, when we connect with VPN to enterprise networks to do work on certain servers or whatnot, we get a static IP, and then they have firewall rules that determine what IPs/ports we can reach. So yes, the computer we use is on their LAN, but only through a very small and restricted opening that just allows RDP to the one server we need to access. Everything else is blocked.
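The firewall pattern 1337 describes (one VPN client, one destination host, TCP 3389, everything else blocked) written out as an nftables ruleset for the VPN gateway. This is an added example, not configuration posted in the thread; the interface name and the three addresses are placeholders, and it assumes the VPN hands the client a fixed address.

```nftables
#!/usr/sbin/nft -f
# Drop-in table for the VPN gateway: one VPN client may open RDP (TCP 3389)
# to one LAN host and nothing else. Load with: nft -f vpn-rdp-only.nft
#
# Assumed placeholder values, change them for your site:
#   wg0          - the VPN interface on the gateway (WireGuard here; any VPN works
#                  as long as the client always gets the same address)
#   10.8.0.10    - the client's fixed VPN address (for WireGuard this is the
#                  peer's AllowedIPs entry, so the source address cannot be spoofed)
#   192.168.1.50 - the user's office PC running Remote Desktop
define vpn_if   = "wg0"
define vpn_user = 10.8.0.10
define rdp_host = 192.168.1.50

table inet vpn_rdp_only {
    chain forward {
        # Runs before the gateway's normal forward chain (priority filter = 0).
        # Policy accept: traffic not involving the VPN is left to that chain.
        type filter hook forward priority -10; policy accept;

        # Nothing on the LAN (or another VPN client) may open a connection
        # toward the VPN client; only replies to its RDP session flow back.
        oifname $vpn_if ct state new drop

        # Everything below judges only packets arriving from the VPN.
        iifname != $vpn_if return

        # Packets of an RDP session that was already allowed.
        ct state established,related accept

        # The single opening: this client -> this host, TCP 3389, new connections.
        ip saddr $vpn_user ip daddr $rdp_host tcp dport 3389 ct state new accept

        # Anything else from the VPN (other hosts, SMB, ping, scans) is logged at a
        # limited rate and dropped; the log prefix is the string to alert on.
        limit rate 5/minute log prefix "vpn-rdp-only drop: "
        counter drop
    }
}
```

The shared-drives point is enforced on the RDP host rather than the firewall (drive and clipboard redirection are Remote Desktop Session Host policy settings), so this ruleset does not cover it.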