Security For BYOD RDP?

    Question

  • We would like users to be able to remotely access their desktop PC from their personal laptops over a VPN connection, but we need them to have no access other than viewing the screen and remote controlling it.  No file transfer or drive redirection, no printer redirection and no other way to transmit malware over the network if their personal laptop is infected.

    Since these would be personal laptops we do not manage and are not joined to our domain, they would not recognize any group policies we apply. The restrictions would need to be enforced from their desktop PC, not their personal laptop.  They connect directly to their desktop PC over VPN and then RDP.   There is no terminal server used.

    Also is there any way to prevent copy and paste, drive redirection and printer redirection over RDP from a domain computer to non-domain computers, but allow it between two domain-joined computers?

    Saturday, February 01, 2014 5:49 AM

All replies

  • Hi,

    if you use Remote Desktop Gateway (http://technet.microsoft.com/en-us/library/dd560672(v=WS.10).aspx ; http://technet.microsoft.com/en-us/library/dd983941(v=WS.10).aspx) you do not need a VPN connection. On the gateway you can also disable the clipboard for RDP, but from internal the clipboard would still be allowed (unless you disable it for all workstations over GPO).

    Regards,

    Lutz

    • Marked as answer by MyGposts Tuesday, February 04, 2014 3:31 AM
    Saturday, February 01, 2014 10:50 PM
  • That looks interesting since it would save us from having to install our VPN client on their personal PCs.  However, we already have VPN set up and we would have to set up a server or two to be the Remote Desktop Gateway.  Also, wouldn't this server need terminal services CALs for every user who would use it?

    (We do not want the users to run any apps or have profiles on the RDG server.  We only would want to use the RDG as a pass-through to remotely access their physical PCs at their desk.)

    The other issue I see with this is that most Remote Desktop clients have an option to save credentials and so, if the user had their unencrypted personal laptop stolen, whoever has the laptop would have access to log in to our network via RDP since the password would be saved on the device.  For convenience/laziness users like to click on "remember password" options whenever they can.  When we use VPN, the user must use a PIN plus RSA token number on a fob to connect and this must be manually entered at every login.

    Is there any way to require the user to have more than just a saved user name and password to connect through the RDG?  For instance can it be set to use RSA SecurID token and PIN just like we do for our VPN client or else is there some other way to not allow them on the network with only pre-saved credentials?



    • Edited by MyGposts Sunday, February 02, 2014 6:53 PM
    Sunday, February 02, 2014 6:48 PM
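The original question asks for the redirection restrictions to be enforced from the domain-joined desktop PC rather than from the unmanaged laptop, and the post above raises the separate worry that a stolen laptop with "remembered" RDP credentials logs straight in. The following PowerShell script is an added example and is not code from the thread or from Microsoft: it writes the registry values behind the Group Policy settings named in the comments (the Policies hive under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`) on the target PC, so the restriction holds whatever the client requests, and adds the "Always prompt for password upon connection" setting so saved client-side credentials alone are not enough to complete a logon. The function names `Set-RdpRedirectionLockdown` and `Test-RdpRedirectionLockdown` are this example's own.

```powershell
# Added example (not from the thread): host-side RDP lockdown for a domain-joined
# desktop PC that will be reached from unmanaged BYOD clients. The values below are
# the registry entries the named Group Policy settings write; setting them on the
# target PC (or via GPO) means the target enforces the restriction regardless of
# what the connecting client asks for. Run in an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Registry value name -> Group Policy setting it corresponds to
# (Computer Configuration > Administrative Templates > Windows Components >
#  Remote Desktop Services > Remote Desktop Session Host >
#  Device and Resource Redirection, and > Security for the password prompt).
$LockdownValues = [ordered]@{
    fDisableCdm          = 'Do not allow drive redirection'
    fDisableClip         = 'Do not allow Clipboard redirection'
    fDisableCpm          = 'Do not allow client printer redirection'
    fDisableLPT          = 'Do not allow LPT port redirection'
    fDisableCcm          = 'Do not allow COM port redirection'
    fDisablePNPRedir     = 'Do not allow supported Plug and Play device redirection'
    fDisableAudioCapture = 'Do not allow audio recording redirection'
    fPromptForPassword   = 'Always prompt for password upon connection'
}

function Set-RdpRedirectionLockdown {
    # Hypothetical helper: creates the policy key if needed and sets every
    # value in $LockdownValues to 1 (enabled). Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path -Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $LockdownValues.Keys) {
        $action = "set to 1 ($($LockdownValues[$name]))"
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", $action)) {
            New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
                -Value 1 -Force | Out-Null
        }
    }
}

function Test-RdpRedirectionLockdown {
    # Hypothetical helper: returns one row per setting with its current value,
    # so the result can be reviewed by hand or fed into a compliance check.
    foreach ($name in $LockdownValues.Keys) {
        $current = (Get-ItemProperty -Path $PolicyKey -Name $name `
            -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting   = $LockdownValues[$name]
            Value     = $name
            Current   = $current
            Compliant = ($current -eq 1)
        }
    }
}

# Usage (elevated):
#   Set-RdpRedirectionLockdown -WhatIf        # preview the changes
#   Set-RdpRedirectionLockdown                # apply them
#   Test-RdpRedirectionLockdown | Format-Table -AutoSize
```

Two caveats worth keeping in mind. First, these entries live in the Policies hive, so a domain GPO that configures the same settings will overwrite them at the next refresh; for more than a handful of machines, deploy the equivalent GPO rather than the script, and use `Test-RdpRedirectionLockdown` as the audit. Second, this lockdown applies to every RDP client that reaches the PC, domain-joined or not; the per-client split the question also asks about (open between domain computers, locked down from outside) is what the RD Gateway connection and resource authorization policies suggested later in the thread are for, since the host itself cannot tell a managed client from an unmanaged one.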
  • all users need a cal


    Corsair Carbide 300R with window
    Corsair TX850V2 70A@12V
    Asus M5A99FX PRO R2.0 CFX/SLI
    AMD Phenom II 965 C3 Black Edition @ 4.0 GHz
    G.SKILL RipjawsX DDR3-2133 8 GB
    EVGA GTX 6600 Ti FTW Signature 2(Gk104 Kepler)
    Asus PA238QR IPS LED HDMI DP 1080p
    ST2000DM001 & Windows 8.1 Enterprise x64
    Microsoft Wireless Desktop 2000
    Wacom Bamboo CHT470M
    Place your rig specifics into your signature like I have, makes it 100x easier to understand!

    Hardcore Games Legendary is the Only Way to Play!

    More CALs going through an RDG server than they would need connecting directly to their desktop through VPN?
    Sunday, February 02, 2014 7:04 PM
  • Is the number of CALS based on the number of simultaneous connections allowed on the server?
    Sunday, February 02, 2014 7:28 PM
  • On Sun, 2 Feb 2014 19:28:31 +0000, MyGposts wrote:

    Is the number of CALS based on the number of simultaneous connections allowed on the server?

    Ignore the replies from Vegan Fanatic, he's talking about Windows Server
    CALs (which you need but you've likely already got them) while you're
    obviously asking about RD CALs.

    I can't manage to get the exact link on the Microsoft download site but if
    you Google for this search term it should be the first link:

    Server 2012 RD license brief site:download.microsoft.com


    Paul Adare - FIM CM MVP
    The problem with the gene pool is that there is no lifeguard. -- BSD
    fortune
    Nah, the problem is that it doesn't have enough chlorine. -- Lionel in ASR
    It also lacks an undertow for the weak ones. -- Joe Creighton in ASR

    Sunday, February 02, 2014 8:56 PM
  • OK, thanks for info about CALs.

    I'd like to get back to security related questions.

    Would there be any risk to the Remote Desktop Gateway server or the internal network if someone used a malware-infected home PC to connect to the RDG server?

    Is there any way to prevent users from logging in to RDS using only saved credentials that can be used by anyone if their home PC or laptop, iPad or Android tablet used for RDS connections is stolen?

    Most people have no encryption on their personal devices, so any laptop thief will be able to crack the Windows password with easily available Windows password reset tools and then log in and access the RDS site (likely bookmarked in IE) and then log into the work network using the saved "remembered" credentials.

    Monday, February 03, 2014 5:59 PM
  • On Mon, 3 Feb 2014 17:59:06 +0000, MyGposts wrote:

    Would there be any risk to the Remote Desktop Gateway server or the internal network if someone used a malware-infected home PC to connect to the RDG server?

    Potentially yes, but no more so than when connecting via a VPN.


    Is there any way to prevent users from logging in to RDS using only saved credentials that can be used by anyone if their home PC or laptop, iPad or Android tablet used for RDS connections is stolen?

    Most people have no encryption on their personal devices, so any laptop thief will be able to crack the Windows password with easily available Windows password reset tools and then log in and access the RDS site (likely bookmarked in IE) and then log into the work network using the saved "remembered" credentials.

    Out of the box RD Gateway in 2012 and 2012 R2 support smart card logon so
    that would mitigate somewhat. It also supports pluggable authentication
    methods so that you could potentially use other methods for 2FA or MFA.

    The security risks in using an RD Gateway really aren't any greater than
    using a VPN. What an RD Gateway allows you that I'm not sure can be
    achieved with a VPN solution is one set of access policies for those
    external to your network and a different set for those on your internal
    network.

    RDS specific questions would be better posted here:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS


    Paul Adare - FIM CM MVP
    When in doubt, use brute force. -- Ken Thompson

    Monday, February 03, 2014 6:53 PM
  • On Mon, 3 Feb 2014 17:59:06 +0000, MyGposts wrote:

    Would there be any risk to the Remote Desktop Gateway server or the internal network if someone used a malware-infected home PC to connect to the RDG server?

    Potentially yes, but no more so than when connecting via a VPN.


    Is there any way to prevent users from logging in to RDS using only saved credentials that can be used by anyone if their home PC or laptop, iPad or Android tablet used for RDS connections is stolen?

    Most people have no encryption on their personal devices, so any laptop thief will be able to crack the Windows password with easily available Windows password reset tools and then log in and access the RDS site (likely bookmarked in IE) and then log into the work network using the saved "remembered" credentials.

    Out of the box RD Gateway in 2012 and 2012 R2 support smart card logon so
    that would mitigate somewhat. It also supports pluggable authentication
    methods so that you could potentially use other methods for 2FA or MFA.

    The security risks in using an RD Gateway really aren't any greater than
    using a VPN. What an RD Gateway allows you that I'm not sure can be
    achieved with a VPN solution is one set of access policies for those
    external to your network and a different set for those on your internal
    network.

    RDS specific questions would be better posted here:

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS


    Paul Adare - FIM CM MVP
    When in doubt, use brute force. -- Ken Thompson

    I was looking for something that has a smaller security risk for malware transmission than RDP over VPN.  If it is only "not any greater," rather than actually "better and safer," then that seems to make it a waste of time and money for us to implement RD Gateway.  We could just let users connect with a VPN client directly to their desktop as they are used to doing.

    It seems like it "should be" safer since it seems more difficult to transmit malware from an infected PC over a RDG connection than through VPN which may have other ports open plus users may be able to connect to network shares and mount drives through the Remote Desktop MSTSC.exe application and that should not be available when using RD Gateway. 

    Is there something else I'm missing that makes the risk of malware transmittal and data loss no lower when using a RD Gateway to reach a workstation from outside than when using VPN with a direct connection to reach a workstation?


    • Edited by MyGposts Monday, February 03, 2014 8:38 PM
    Monday, February 03, 2014 8:37 PM
  • On Mon, 3 Feb 2014 21:20:23 +0000, Vegan Fanatic [MVP] wrote:

    Microsoft Forefront Security is the corporate choice for larger shops

    Useful for BYOD operations

    Once again a totally irrelevant and useless response.


    Paul Adare - FIM CM MVP
    Arnold Schwarzenegger virus : Terminates and stays resident. It'll be back.

    Monday, February 03, 2014 9:25 PM
  • On Mon, 3 Feb 2014 21:48:05 +0000, Vegan Fanatic [MVP] wrote:

    what is wrong with Forefront?

    If you'd actually read the thread, no one is looking for any
    recommendations on security software.


    Paul Adare - FIM CM MVP
    Things should be as simple as possible, but not simpler. -- Albert Einstein

    Monday, February 03, 2014 9:59 PM
  • On Mon, 3 Feb 2014 20:37:33 +0000, MyGposts wrote:

    Is there something else I'm missing that makes the risk of malware transmittal no lower when using a RD Gateway to reach a workstation from outside than when using VPN with a direct connection to reach a workstation?

    I am not an expert in RD and I've never done a real threat assessment or
    threat modeling for an RD gateway versus VPN solution. My suggestion would
    be to post your RD questions to the RD forum I pointed you to previously.

    I'd like to be able to provide you with a definitive answer here but
    unfortunately I cannot.


    Paul Adare - FIM CM MVP
    Like the autumn leaves
    wu-FTPD updates;
    I seek warm safety. -- Anthony de Boer

    • Marked as answer by MyGposts Monday, February 03, 2014 10:39 PM
    Monday, February 03, 2014 10:02 PM
  • On Mon, 3 Feb 2014 22:02:10 +0000, Vegan Fanatic [MVP] wrote:

    maybe you should clean your glasses:



    He wrote:

    I was looking for something that has a smaller security risk for malware transmission than RDP over VPN.  If it is only "not any greater," rather than actually "better and safer," then that seems to make it a waste of time and money for us to implement RD Gateway.  We could just let users connect with a VPN client directly to their desktop as they are used to doing.

    Maybe you should quit while you're ahead. Forefront Security helps to
    prevent malware from infecting a system, it in no way at all reduces or
    prevents it from being transmitted across an RD Gateway or a VPN.

    This is all about threat assessment and modeling, it has nothing at all to
    do with providing specific protection.


    Paul Adare - FIM CM MVP
    "The Computer made me do it." -- BSD fortune file

    Monday, February 03, 2014 10:09 PM
  • On Mon, 3 Feb 2014 22:23:20 +0000, Vegan Fanatic [MVP] wrote:

    most connect to HQ with a Wi-Fi box, these can be used to create a VPN to the company. Then any machine connected through that box is connected to the corporate network.

    That means lots of prospect for malware.

    You clearly don't understand what is being discussed here. Please give it a
    rest, all you're doing here is prolonging the thread and confusing the real
    issue.


    Paul Adare - FIM CM MVP
    "Having to infer what Unix is solely from a copy of the GNU Manifesto
    is not really an exercise you want to undertake." -- AdB

    Monday, February 03, 2014 10:25 PM
  • On Mon, 3 Feb 2014 20:37:33 +0000, MyGposts wrote:

    Is there something else I'm missing that makes the risk of malware transmittal no lower when using a RD Gateway to reach a workstation from outside than when using VPN with a direct connection to reach a workstation?

    I am not an expert in RD and I've never done a real threat assessment or
    threat modeling for an RD gateway versus VPN solution. My suggestion would
    be to post your RD questions to the RD forum I pointed you to previously.

    I'd like to be able to provide you with a definitive answer here but
    unfortunately I cannot.


    Paul Adare - FIM CM MVP
    Like the autumn leaves
    wu-FTPD updates;
    I seek warm safety. -- Anthony de Boer


    OK, since the suggestion is to use Remote Desktop Gateway as the best alternative to RDP over VPN, I will ask further questions about RD Gateway in that forum.
    Monday, February 03, 2014 10:38 PM
  • On Mon, 3 Feb 2014 22:38:54 +0000, Vegan Fanatic [MVP] wrote:

    The topic is security

    Wow, just wow.


    Paul Adare - FIM CM MVP
    COBOL is for morons. -- Dijkstra

    Monday, February 03, 2014 10:40 PM
  • On Mon, 3 Feb 2014 22:38:56 +0000, MyGposts wrote:

    OK, since the suggestion is to use Remote Desktop Gateway as the best alternative to RDP over VPN, I will ask further questions about RD Gateway in that forum.

    Using an RD Gateway does answer your question about drive redirection etc.
    at least.


    Paul Adare - FIM CM MVP
    Q. what do you get when you cross a tsetse with a mountain climber?
    A. nothing, you can't cross a vector with a scalar.

    Monday, February 03, 2014 10:41 PM