RDP only allowed on domain

mkrohn (2[H]4U), joined Apr 30, 2012, 2,345 messages
I work remotely 100% of the time. The company laptop is shit and has TM and a bunch of nanny trash on it. I use one of my machines and just RDP into the work machine when I actually have to. I have to VPN into work on both machines just to RDP into the work laptop in the same room as me.

Here is the Windows Firewall list. You can see where I tried to add RDP with full access, but it isn't working.


[screenshot: upload_2018-7-30_16-54-50.png]


I was looking around gpedit but couldn't find where this is set... Anybody have some suggestions? I am local admin but not network admin.
 
So what you are saying is you want a way to remote from your personal system into your work system? Yeah...that is a great idea...

I would believe this is being blocked by the work perimeter defense not allowing the RDP protocol from outside its network.
 
If I were allowed to RDP from home, I'd expect this is how I'd do it.

Not that I can VPN in to work with a non-corporate machine.

[I get your angst, but asking for a fix is likely going to involve convincing IT and management that 'you're the exception' :D ]
 
So what you are saying is you want a way to remote from your personal system into your work system? Yeah...that is a great idea...

I would believe this is being blocked by the work perimeter defense not allowing the RDP protocol from outside its network.
And my present setup, RDPing my personal laptop into the network to loop back to my network and into the company laptop, is somehow better?
 
Domain GPOs override local GPOs anyway. You're wasting your time for something that puts yourself at risk of disciplinary action from your organization.

From a corporate security standpoint it makes perfect sense to only allow trusted networks to RDP into corporate assets. When you VPN into your corp network your packet flows are probably being filtered and inspected, which allows future audits in the event of a compromise or improper machine use and reduces the risk of data exfiltration and asset compromise.

By your logic, what would stop someone from breaking into your work laptop from a hypothetically compromised home network? By requiring the source traffic to come from the corp VPN the attacker would have to break through your corp network first to achieve this.
 
Wait, you're able to connect to your work VPN on your personal system? That's already disappointing to hear.
 
Wait, you're able to connect to your work VPN on your personal system? That's already disappointing to hear.
yep... Even RDP to servers from home. Since the laptop is crap, next time I'm in the office I'm going to park the system in a spot I can leave it forever. The only times I use it are when I need to code something that is only on the internal network, which is a shrinking number of things. I mostly do web UI stuff which I can usually fully test either in the cloud or on my own home servers.

I've only been in the office once this year :) No clue when the next run-in will be. It's only about 40 minutes away.
 
So talk to security/IT at that company and ask how you should do this while still following company policies. They should either have a system in place for this purpose, or a policy against it. Don't try and set this up yourself. You're a dev and shouldn't be configuring this yourself without consulting them. Do you want breaches? Because this is how you get breaches.....
 
So talk to security/IT at that company and ask how you should do this while still following company policies. They should either have a system in place for this purpose, or a policy against it. Don't try and set this up yourself. You're a dev and shouldn't be configuring this yourself without consulting them. Do you want breaches? Because this is how you get breaches.....

It seems they already have a breach going on, but he is annoyed that he cannot widen the breach further for his convenience.
 
Wait, you're able to connect to your work VPN on your personal system? That's already disappointing to hear.

This is doable if it's a very restricted VPN. A clientless SSLVPN HTTPS portal that permits only RDP isn't completely terrible. You can also implement MFA through the portal.
 
This is doable if it's a very restricted VPN. A clientless SSLVPN HTTPS portal that permits only RDP isn't completely terrible. You can also implement MFA through the portal.

RDP still allows a lot of potential vulnerabilities through, especially when you are connecting a potentially unsafe computer to a company network. On top of that, they are connecting from their wildcard system to company servers. So you are opening up that vulnerability straight to the servers... That isn't a particularly good policy.

But there could be a number of other things involved here, without knowing specifics and a net overview of how he is actually connecting and what he is connecting to, it is kind of moot. Perhaps he is only connecting to a dmz'd, VPC'd, or otherwise separated dev environment that does not connect or interact with production or the official company network. In that case, it's not as big of a deal, although still not necessarily great security planning.

In any case, the problem to me still seems likely a perimeter control that is blocking what he wants to do rather than a GPO specifically.
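The thread keeps coming back to two questions: is the OP's locally added firewall rule being ignored because a domain GPO overrides it, and is the block really in a perimeter device rather than in gpedit? The script below is an added example, not something posted in the thread, that answers both from the command line. It assumes an elevated PowerShell on an English-language Windows 8.1 / Server 2012 R2 or later build (the 'Remote Desktop' display group name is localized), and uses the placeholder host name WORK-LAPTOP, which the reader would replace.

```powershell
# Added example, not from the thread. Run Get-RdpFirewallState in an elevated
# PowerShell on the work laptop, and Test-RdpReachable on the machine you are
# sitting at. Needs the NetSecurity module (Windows 8.1 / 2012 R2 and later).
# 'WORK-LAPTOP' is an assumed placeholder; substitute the real name or address.

$WorkLaptop = 'WORK-LAPTOP'

function Get-RdpFirewallState {
    # Are locally created rules honoured at all? A domain GPO can set
    # "Apply local firewall rules: No", after which rules added in wf.msc
    # still show up in the list but are never evaluated.
    $profiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules

    # Effective rules (ActiveStore = local store merged with GPO), tagged with
    # their origin and the remote address scope, which is where a
    # "domain network only" restriction normally lives.
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Enabled       = $_.Enabled
                Action        = $_.Action
                Profile       = $_.Profile
                Origin        = $_.PolicyStoreSourceType   # Local or GroupPolicy
                Gpo           = $_.PolicyStoreSource       # GPO name when Origin is GroupPolicy
                RemoteAddress = ($addr.RemoteAddress -join ', ')
            }
        }

    # Is the RDP on/off switch itself set by policy? If the Policies key holds
    # fDenyTSConnections, the setting is pushed by GPO and anything changed in
    # gpedit.msc or System Properties is overwritten at the next policy refresh.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $policy = Get-ItemProperty -Path $policyKey -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $localKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue

    $denyByGpo = $null
    if ($null -ne $policy) { $denyByGpo = [bool]$policy.fDenyTSConnections }

    [pscustomobject]@{
        Profiles        = $profiles
        RdpRules        = $rules
        DenyRdpSetByGpo = $denyByGpo                        # $null = not set by policy
        DenyRdpLocal    = [bool]$local.fDenyTSConnections
    }
}

function Test-RdpReachable {
    param([string]$ComputerName = $WorkLaptop)
    # TCP/3389 reachability from this machine. Run once with the VPN down and
    # once with it up. If the laptop sits on the same LAN but the port only
    # opens through the tunnel, the block is a firewall rule scoped to the VPN
    # address range or a device in the path, not a gpedit setting.
    $r = Test-NetConnection -ComputerName $ComputerName -Port 3389 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target        = $ComputerName
        RemoteAddress = $r.RemoteAddress
        SourceAddress = $r.SourceAddress.IPAddress
        TcpOpen       = $r.TcpTestSucceeded
    }
}

# On the work laptop:
$state = Get-RdpFirewallState
$state.Profiles | Format-Table -AutoSize
$state.RdpRules | Format-Table -AutoSize
$state | Select-Object DenyRdpSetByGpo, DenyRdpLocal
# Applied computer GPOs, to cross-reference against the Gpo column above:
gpresult /r /scope:computer

# On the personal machine, VPN down and then VPN up:
Test-RdpReachable
```

Reading the output: an AllowLocalFirewallRules of False on the active profile, or an RDP rule whose Origin is GroupPolicy and whose RemoteAddress is a VPN or corporate subnet, confirms the "domain GPO wins" explanation. A True AllowLocalFirewallRules with the rules looking permissive, while TcpOpen is still False off-VPN, points at a control outside the laptop. Either way the result is something to hand to IT, not something to work around.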
 
This is doable if it's a very restricted VPN. A clientless SSLVPN HTTPS portal that permits only RDP isn't completely terrible. You can also implement MFA through the portal.

Which is not something an end user/developer should be setting up outside of the company's IT/security teams..... If one of the devs at my place somehow managed to bypass the security controls in place and got this setup enabled, they would most likely be fired for violating company policies.
 
Which is not something an end user/developer should be setting up outside of the company's IT/security teams..... If one of the devs at my place somehow managed to bypass the security controls in place and got this setup enabled, they would most likely be fired for violating company policies.

Well, correct - I wasn't saying the OP could do that, I was just addressing that RDP from a non-corporate asset is doable by that type of method. It's not the most ideal situation, but it works and is secure enough for some organizations, and it would have to be set up and configured by the security/IT team.
 
RDP still allows a lot of potential vulnerabilities through, especially when you are connecting a potentially unsafe computer to a company network. On top of that, they are connecting from their wildcard system to company servers. So you are opening up that vulnerability straight to the servers... That isn't a particularly good policy.

The way I took it is the OP uses a corporate VPN to allow a personal device to RDP into a work asset as a jump box to then RDP from said jump box into servers and other infrastructure.

The OP is just jumping through hoops rather than addressing the root of the issue - productivity on their work laptop. I wouldn't expect their IT team to do anything special to make it more convenient for you to not use a company issued laptop.
 
The simple fact a personal, non-secured and monitored device is allowed to successfully connect to the company's VPN network is not a good security practice regardless of which services are expected to be used or not.
 
Ask if you can purchase a firewall device that will establish a VPN to the corporate firewall. If they will allow that, then have rules set up that let you get to whatever tools you need inside. Better to get IT-Security's blessing than be the fall guy when a breach happens.
 
Ask if you can purchase a firewall device that will establish a VPN to the corporate firewall. If they will allow that, then have rules set up that let you get to whatever tools you need inside. Better to get IT-Security's blessing than be the fall guy when a breach happens.

That would connect the company network to his network, including any device attached to that firewall. That's moving in the wrong direction here. They need to allow an exception for him to use his personal device, provided all company approved software is installed (virus/malware scanner etc.) and updated. Then use the company VPN software on that device, with MFA enabled. Also split tunneling should be disabled so his machine can't be used as a proxy/jump box by malicious users if his machine is infected.
 
That would connect the company network to his network, including any device attached to that firewall. That's moving in the wrong direction here. They need to allow an exception for him to use his personal device, provided all company approved software is installed (virus/malware scanner etc.) and updated. Then use the company VPN software on that device, with MFA enabled. Also split tunneling should be disabled so his machine can't be used as a proxy/jump box by malicious users if his machine is infected.

That's assuming they would provide and extend company licensing and support for personal equipment at the business's expense. That's not only an unnecessary expense but just another liability.
 