Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote Access Policies

Posted by samzenpus on from the write-it-down-from-home dept.

Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."

4 of 178 comments (clear)

  1. Don't use 'user' policies - use 'system' policies by vawarayer · · Score: 5, Interesting

    I find that whatever the user signs, it always gets broken one time or another. That is why I use - whenever possible - system policies instead of making them sign anything. If they can't do what you don't want them to do, it ought to be more reliable.

    • Set up firewall rules that would let them connect only to your mail server, or whatever they need remotely.
    • Make them connect to a terminal server with a very restrictive set of privileges and access to the network.
    • Close unnecessary remote ports so they can't do stuff you wouldn't expect, or infect your network with worms.
    • LOG ! LOG ! LOG ! I find everything should be logged! Especially traffic going in/out the local network. Have a good log retention policy.
    • ENFORCE strong passwords and change 'em when you feel fit.
    • This list could go on...

    The main idea is: restrict their remote access to what they really need. Some purist will reply 'oh yeah, but even if you do that, there's a way around for such and such reason.' or that it will become too restrictive. My answer: adapt to your user needs without letting it be the Wild Wild West.

    Maybe both signing an agreement AND enforcing policies is the best way to go.

  2. Re:Use Laptops by afidel · · Score: 5, Interesting

    I took a different approach, we use Citrix for remote access. We have the Java client installed and have a link to the zero touch client which doesn't need to be installed to run. That way you can get in from all but the most severely locked down internet kiosks. There's no risk to the corporate network and it enables my user to be productive from anywhere. It's also WAY faster than a VPN for most types of work.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  3. Re:One policy: don't make it necessary by Achromatic1978 · · Score: 5, Interesting
    Funny, you talk about being enlightened enough not to use Microsoft. I used to work there, and their VPN set up was easily one of the nicest I'd ever seen.

    Smartcards and native connection stuff in Windows. Once connected you were "quarantined" until a security scan had been run on your machine, and even then you had different access based on location.

    But of course, this is Slashdot...

  4. Re:Too long by geekmux · · Score: 5, Interesting

    Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.

    Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading to just sign it, yet those same people will sit down and pour through 3 inches of legal documents for 4 hours when buying a home?

    If you want real security, then clearly explain the issues.

    Bullshit. If you want real Security, enforce the punishment. Yes, it's that simple, and is also the answer to my previous question.

    People read through 3 inches of legal docs when buying a home because they know damn well they could get burned legally.

    Name the last time someone you know got fired for breaking a Security policy, or losing a laptop and not following protocol properly to report the company confidential data loss.

    I thought so.

    'Nuff said.