Geekzone: technology news, blogs, forums
Topic # 204695 13-Oct-2016 11:44

In one place where I worked, VPN was enabled as follows:

- VPN client on the desktop
- second factor authentication via cell phone app

Two end-user scenarios:

1. Work laptop. Connect to VPN, authenticate and start working as if in the office.
2. Home PC. Connect to VPN, authenticate and then RD to your work machine.

That worked okay, but users who did not have a laptop had to leave their desktops on all the time with power saving mode disabled.

To try to make life easier I set up the following environment as a proof of concept.

Grabbed a spare PC (new as it happened, with Core i7, 16 GB, 500 GB SSD), put Windows Server 2012R on it and joined it to the domain.

Enabled the Remote Desktop Services role, installed Office and then published the core Office applications (Outlook, Word, Excel, PPT).

Then a user could connect to the VPN as per 2, then fire up IE and point to the Remote Desktop Services server URL (obviously not a public one) and work.

The VPN software (can't remember which) I think disabled split tunnelling.

This seemed like a reasonably robust solution security-wise, but not being a security expert I wouldn't mind some more qualified people pointing out any security issues that might exist.

Obviously solution 2 means IT doesn't have control over the endpoint, but given they are using Remote Desktop Services in a browser with split tunnelling disabled, I would think the risks of unauthorised access are low?

Thanks

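An added example, not code from the thread or from either poster: a PowerShell audit of the home PC's VPN profile in scenario 2, checking the split-tunnelling point raised above (plus encryption and cached-credential settings that matter on an unmanaged endpoint). It assumes the built-in Windows VPN client (Get-VpnConnection / Set-VpnConnection, Windows 8 and Server 2012 or later); `Corp-VPN` is a placeholder profile name.

```powershell
# Audit (and optionally repair) a Windows VPN client profile so that, while the
# tunnel is up, the home PC cannot bridge its own network into the corporate one.
# Assumes the built-in Windows VPN client; 'Corp-VPN' is a placeholder name.
param(
    [string]$ProfileName = 'Corp-VPN',   # placeholder: the corporate VPN profile
    [switch]$Fix                          # re-apply the expected settings
)

$findings = @()
$vpn = Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue
if (-not $vpn) {
    Write-Error "VPN profile '$ProfileName' not found on this machine."
    exit 2
}

# 1. Full tunnel: with split tunnelling on, non-corporate traffic still leaves via
#    the home network while the corporate tunnel is connected.
if ($vpn.SplitTunneling) {
    $findings += "SplitTunneling is enabled; all traffic should be forced through the tunnel."
    if ($Fix) { Set-VpnConnection -Name $ProfileName -SplitTunneling $false -Force }
}

# 2. Encryption must be required, not optional.
if ($vpn.EncryptionLevel -notin @('Required', 'Maximum')) {
    $findings += "EncryptionLevel is '$($vpn.EncryptionLevel)'; expected Required or Maximum."
    if ($Fix) { Set-VpnConnection -Name $ProfileName -EncryptionLevel Required -Force }
}

# 3. A cached password on an unmanaged home PC reduces the login to the phone factor alone.
if ($vpn.RememberCredential) {
    $findings += "RememberCredential is on; the profile caches the password on an unmanaged PC."
    if ($Fix) { Set-VpnConnection -Name $ProfileName -RememberCredential $false -Force }
}

# 4. Legacy authentication methods that should not be offered at all.
$weak = $vpn.AuthenticationMethod | Where-Object { $_ -in @('Pap', 'Chap') }
if ($weak) {
    $findings += "Weak authentication method(s) allowed: $($weak -join ', ')."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$ProfileName' uses a full tunnel with required encryption and no cached credentials."
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Run it without `-Fix` first to see the findings; the exit code (0 clean, 1 findings, 2 profile missing) makes it usable from a logon script or an endpoint check before allowing the RD connection.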

gzt

  Reply # 1650567 13-Oct-2016 16:44

Random question. Why use IE? Is it not simpler to use the Windows RDP client? I'm thinking ActiveX has been deprecated for a while, and ActiveX and security were never happy playmates at the best of times.

  Reply # 1650575 13-Oct-2016 16:59

Install the Essentials role and use the built-in SSTP VPN and also the easy-to-manage access anywhere. Port forward 443 to the server. Make sure you have password rotation on.

  Reply # 1650578 13-Oct-2016 17:05

gzt: Random question. Why use IE? Is it not simpler to use the Windows RDP client? I'm thinking ActiveX has been deprecated for a while, and ActiveX and security were never happy playmates at the best of times.

It was a while ago but perhaps it was the RDP client we used. I think you pointed your browser to the server and then it downloaded the client for your environment.
