Main Policy Content
- Justification for Remote Desktop
- Rationale for Limiting Remote Desktop
- Cross References
The purpose of this guideline is to define the requirements, restrictions and authorization process for approving and enabling remote desktop (RD) access to a University Libraries workstation from an offsite workstation.
Remote Desktop (RD): Software or operating system feature that allows a computer workstation to be run from an offsite workstation.
Endpoint: University Libraries (UL) computer workstation located on the UL network
Port: the channel on which network traffic communicates
Workstation: Includes desktops, laptops, iPads, mobile devices and other computing machines.
Offsite Workstation: the workstation used to remotely connect to University Libraries workstations.
Remote desktop access to University Libraries workstations must be requested in writing by the individual’s supervisor. I-Tech will review the rationale for the request to determine if remote access is warranted or if access by other means would better suit the needs.
RATIONALE FOR LIMITING REMOTE DESKTOP
- RD access requires system and firewall changes to the endpoint, creating an exposure point
- RD access requires firewall changes to the hardware firewall protecting the UL network
- RD access requires Active Directory Group Policy changes (Windows OS) for the endpoint
- Any RD application creates an exposure point to the endpoint. Note: PSU restricted the standard Microsoft RD port because of a global risk, requiring that an alternate port be used.
- RD access exposes UL workstations to outside network communication to an offsite workstation, which may have vulnerabilities
If any of the following requirements cannot be met, Remote Desktop Access will not be authorized.
Offsite Workstation Requirements to connect:
- Offsite workstation must be up to date with system updates/patches
- Offsite workstation must be running an up to date Antivirus Application, including regular virus scans
- Penn State’s Cisco VPN Concentrator must be installed and have a stable connection to the LIAS-VPN (Windows OS). Mac systems can either have the VPN client installed or a manual configuration to connect to LIAS-VPN.
UL Endpoint Requirements:
- Client connection encryption level must be set to highest available setting
- “Always prompt for password” must be enabled (if available). No caching of credentials
- Specific security layer for RDP must be enabled (Windows OS)
- Alternate, non-standard port must be configured
- Local firewall must be opened to that alternate port
- RD access is restricted to an individual rather than open to all or to a department
- Sensitive data should not be transferred between the offsite workstation and the endpoint
- If a breach or misuse is discovered, RD access will be removed immediately
- Precautions should be taken to prevent unauthorized access to endpoint from offsite workstation (i.e. locking of workstation, password confidentiality, etc.)
AD95 - Information Assurance and IT Security
AD96 - Acceptable Use of University Informaton Resources
UL-IT02 – University Libraries Staff Information Technology Use Policies
UL-IT03 – Workstation Policy and Procedural Guidelines for Libraries’ Employees
Effective Date: June 2013
Date Approved: June 2013 (Dean's Library Council)
Revision History (and effective dates):
- June 2013 - New guideline
Last Review Date: June 2013