Slashdot Mirror


Remote Access Policies

Samalie writes "My company is considering implementing a formal remote access policy (and agreement for staff to sign) for users who access our network from home via VPN. Does anyone out there have any suggestions as to what this policy/agreement should contain? Anyone have their own corporate policy that I can borrow from? This is the first time I've come across anyone wanting a formal policy for this & online searches haven't been very helpful."

10 of 178 comments

  1. SANS Templates by Wanker · · Score: 5, Informative

    The templates provided by SANS are a good place to start:

    All of them are here:

    http://www.sans.org/resources/policies/

    Here's the remote access policy example:

    http://www.sans.org/resources/policies/Remote_Access_Policy.pdf [PDF]

  2. Use Laptops by George+Beech · · Score: 5, Informative

    We require all users with remote access to use corporate laptops that are locked down. You cannot connect your personal computer via vpn. Also there is the standard "treat it as if you were sitting at your desk, all rules regulations etc. still apply."

    1. Re:Use Laptops by Anonymous Coward · · Score: 5, Funny

      I second this. As an employee, I don't want to pollute my personal computer with work related stuff. It takes away valuable pr0n storage space.

    2. Re:Use Laptops by afidel · · Score: 5, Interesting

      I took a different approach, we use Citrix for remote access. We have the Java client installed and have a link to the zero touch client which doesn't need to be installed to run. That way you can get in from all but the most severely locked down internet kiosks. There's no risk to the corporate network and it enables my user to be productive from anywhere. It's also WAY faster than a VPN for most types of work.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  3. Too long by EmbeddedJanitor · · Score: 5, Insightful

    There are two purposes for such documents:
    (1) Inform: apart from the little "purpose" bit, the SANS doc does not do much.
    (2) A legal rope to hang a user with. What most of the SANS doc is.

    Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.

    Real security comes from informing the user, not from baffling and swamping them with techno-legal bs.

    If you want real security, then clearly explain the issues.

    --
    Engineering is the art of compromise.

    1. Re:Too long by geekmux · · Score: 5, Interesting

      Folks, nobody reads a document like this. They will lose interest after the first few lines then either skip to the signing bit or throw it away.

      Why is it when we ask people to read through a 2-page user policy, they skip through and don't even bother reading to just sign it, yet those same people will sit down and pour through 3 inches of legal documents for 4 hours when buying a home?

      If you want real security, then clearly explain the issues.

      Bullshit. If you want real Security, enforce the punishment. Yes, it's that simple, and is also the answer to my previous question.

      People read through 3 inches of legal docs when buying a home because they know damn well they could get burned legally.

      Name the last time someone you know got fired for breaking a Security policy, or losing a laptop and not following protocol properly to report the company confidential data loss.

      I thought so.

      'Nuff said.

  4. Don't use 'user' policies - use 'system' policies by vawarayer · · Score: 5, Interesting

    I find that whatever the user signs, it always gets broken one time or another. That is why I use - whenever possible - system policies instead of making them sign anything. If they can't do what you don't want them to do, it ought to be more reliable.

    • Set up firewall rules that would let them connect only to your mail server, or whatever they need remotely.
    • Make them connect to a terminal server with a very restrictive set of privileges and access to the network.
    • Close unnecessary remote ports so they can't do stuff you wouldn't expect, or infect your network with worms.
    • LOG ! LOG ! LOG ! I find everything should be logged! Especially traffic going in/out the local network. Have a good log retention policy.
    • ENFORCE strong passwords and change 'em when you feel fit.
    • This list could go on...

    The main idea is: restrict their remote access to what they really need. Some purist will reply 'oh yeah, but even if you do that, there's a way around for such and such reason.' or that it will become too restrictive. My answer: adapt to your user needs without letting it be the Wild Wild West.

    Maybe both signing an agreement AND enforcing policies is the best way to go.
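One way to put the "system policy" idea into practice, as an added example that is not part of the thread: an nftables ruleset that lets a VPN client subnet reach only the mail server and a terminal server, logs every allowed and dropped flow, and drops the rest. All addresses, ports and the tunnel interface name are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): restrict a VPN client subnet to the
# services its users actually need, and log everything else before dropping it.
VPN_NET="10.8.0.0/24"        # assumed: address pool handed out to VPN clients
MAIL_SERVER="192.0.2.10"     # assumed: internal mail server
TERMINAL_SERVER="192.0.2.20" # assumed: locked-down terminal server
VPN_IF="tun0"                # assumed: VPN tunnel interface on the gateway

# Emit the nftables ruleset as text so it can be reviewed (or tested) before loading.
vpn_ruleset() {
  cat <<EOF
table inet vpn_access {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Return traffic for connections that were already allowed.
    ct state established,related accept
    # VPN users may reach mail (IMAPS, SMTP submission) and the terminal server (RDP) only.
    iifname "$VPN_IF" ip saddr $VPN_NET ip daddr $MAIL_SERVER tcp dport { 993, 587 } log prefix "vpn-allow " accept
    iifname "$VPN_IF" ip saddr $VPN_NET ip daddr $TERMINAL_SERVER tcp dport 3389 log prefix "vpn-allow " accept
    # Everything else from the VPN subnet is logged, then dropped.
    iifname "$VPN_IF" ip saddr $VPN_NET log prefix "vpn-drop " drop
  }
}
EOF
}

# Text-only check: count accept rules whose destination is not one of the two
# allowed servers. A correct allow list yields 0 (no nft binary needed).
ruleset_allows_only() {
  vpn_ruleset | grep accept | grep 'ip daddr' \
    | grep -c -v -e "$MAIL_SERVER" -e "$TERMINAL_SERVER"
}

if [ "${1:-}" = "apply" ]; then
  vpn_ruleset | nft -f -   # load into the kernel (needs root and nftables)
else
  vpn_ruleset              # default: just print the ruleset for review
fi
```

Run it with no arguments to review the generated rules; dropped flows show up in the kernel log with the "vpn-drop" prefix, which is the traffic worth retaining and alerting on.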

  5. Re:Very first (non-sponsored) hit on Google! by Anonymous Coward · · Score: 5, Funny

    most of the last few Ask Slashdot articles seem to be written by people who can't be bothered to do a little work.

    That's why I got into computers.

  6. Re:Is this real? by s-twig · · Score: 5, Insightful

    Did he even know SANS existed? You could be bothered to post a wry comment but couldn't muster the extra key strokes to make yourself helpful. C'mon be nice. :)

  7. Re:One policy: don't make it necessary by Achromatic1978 · · Score: 5, Interesting

    Funny, you talk about being enlightened enough not to use Microsoft. I used to work there, and their VPN setup was easily one of the nicest I'd ever seen.

    Smartcards and native connection stuff in Windows. Once connected you were "quarantined" until a security scan had been run on your machine, and even then you had different access based on location.

    But of course, this is Slashdot...