RE: Remote desktop access policy

["Petter Bruland" <pbruland () fcglv com>]

We have about 10 users here who remote into their desktops via RDC over
VPN.

And we only allow users who have home office computers/laptops owned by
the company, to connect via VPN.
Between the VPN network and the LAN, there's gateway antivirus scanning
& spyware scanning. 

So far this seems to work well, but I'd like to take advantage of
Windows Server 2008's NAC feature when that comes out. As we would gain
even more control of the end client. Like checking for a client
Antivirus app etc.

Hopefully we'll see some of the more l33t admins respond to your post,
with some good info about security in this situation.

-Petter

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of WALI
Sent: Friday, January 18, 2008 5:33 AM
To: security-basics () securityfocus com
Subject: Remote desktop access policy

Hi guys...do you have any remote desktop policy clauses that you can
share?
I am having difficulties in trying to tell people the hazards of
haphazardly asking IT guys the perils of asking access to their desktops
when the come in via VPN.

Everyone wants to have a VPN client and then to a remote desktop session
to their desktop.

How can I tell them the threats of doing so? Are there any threats?
Should I restrict such usage? For one, it makes a lot of economic sense
to switch off PC once a user leaves his/her desk for the day.