Mike Mayfield over at Pleasant Valley Baptist Church IT  (“pvcbit”) posted a question about VPN remote access permissions . I wrote a blog post in March with a little bit of information on this relating to the Microsoft ISA 2004 firewal l, but we’re actually using a combination of services for remote access right now (I mentioned LogMeIn on my prior post as well). Here is another quick look at what we’re currently doing for VPN.
Basically, because we have ISA, I can limit what particular user groups are able to do over their VPN connection, just like any other firewall rules. Very few people get file server access at all (actually, me and one guy who connects from his church laptop) over VPN. The rest are limited to Exchange server connectivity or Remote Desktop primarily, although now that we have RPC over HTTPS in place, it’s much simpler than VPN for the user and so that’s used almost exclusively for remote Outlook access now, and is as much as most people need (if they have a laptop they have an offline copy of most of their files anyway).
For those that still require remote access to their desktop at work (especially if they don’t have a church-owned laptop), I’ve been moving from VPN with Remote Desktop access (complicated to train someone to use since the connection is separate from the RDP client) to LogMeIn.com for remote access. There’s a free version and a Pro version, with remote printing and file transfer being the main additional features of Pro. The main benefit? It’s easy and just requires a web browser, it’s fast, and not very expensive (with the special we got anyway, or the free version is of course free!). I have run into an issue with a new remote user that hasn’t gotten LogMeIn to work on their own but I haven’t had a chance to troubleshoot this yet (I’m sure it relates to the steps to get the ActiveX or Firefox plugin installed for LogMeIn initially).
We have a Terminal Services server with a handful of user licenses that we use for some volunteers that need remote access from their home computer but don’t have a dedicated desktop at work. I haven’t attempted LogMeIn through Terminal Services, but I assume it wouldn’t work properly with the multiple sessions that make Terminal Services useful, and would only allow access to the console session. For this, we still use CMAK  along with an auto-running tutorial created with Wink  that walks users through installing the CMAK  connectoid, I’ve included a Remote Desktop settings file that automatically runs upon connection, automatically opening and connecting to the Terminal Server inside the VPN once it’s connected. When Remote Desktop is closed, the connectoid logs off the VPN. The integration of VPN and Remote Desktop isn’t perfect, but it’s a lot easier this way (most of the time) than trying to get people to understand connecting to the VPN first, then connecting with Remote Desktop manually, and disconnecting in reverse. The more automated the better! These VPN connections are of course limited through ISA to be allowed to connect only to the Terminal Server, and only through the RDP protocol.
One thing’s for sure: when allowing an unmanaged computer on the network, especially as unsupervised as a remote connection is, it pays from a security standpoint to keep the leash as tight as possible! And it’s the unintentional risks (spyware, viruses, etc.) more often than malicious users that cause a problem. The best part is, protecting from one helps to protect from the other (in general).