RDP only allowed on domain

Discussion in 'Networking & Security' started by mkrohn, Jul 30, 2018.

  1. mkrohn

    mkrohn 2[H]4U

    Messages:
    2,258
    Joined:
    Apr 30, 2012
    I work remotely 100% of the time. The company laptop is shit and has TM and a bunch of nanny trash on it. I use one of my machines and just RDP into the work machine when I actually have to. I have to VPN into work on both machines just to RDP into the work laptop in the same room as me.

    Here is the windows firewall list. You can see where I tried to add RDP with full access but it isn't working.


    upload_2018-7-30_16-54-50.png

    I was looking around gpedit but couldn't find where this is set... Anybody have some suggestions? I am local admin but not network admin.
     
  2. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,546
    Joined:
    May 14, 2008
    So what you are saying is you want a way to remote from your personal system into your work system? Yeah...that is a great idea...

    I would believe this is being blocked by the work perimeter defense not allowing the RDP protocol from outside its network.
     
  3. IdiotInCharge

    IdiotInCharge Not the Idiot YOU are Looking for

    Messages:
    6,372
    Joined:
    Jun 13, 2003
    If I were allowed to RDP from home, I'd expect this is how I'd do it.

    Not that I can VPN in to work with a non-corporate machine.

    [I get your angst, but asking for a fix is likely going to involve convincing IT and management that 'you're the exception' :D ]
     
  4. mkrohn

    mkrohn 2[H]4U

    Messages:
    2,258
    Joined:
    Apr 30, 2012
    And my present setup, RDPing from my personal laptop into the network to loop back to my network and into the company laptop, is somehow better?
     
  5. IdiotInCharge

    IdiotInCharge Not the Idiot YOU are Looking for

    Messages:
    6,372
    Joined:
    Jun 13, 2003
    To add: from a corporate security standpoint, absolutely yes.
     
  6. mkrohn

    mkrohn 2[H]4U

    Messages:
    2,258
    Joined:
    Apr 30, 2012
    Nothing to locally override this group policy?
     
  7. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,275
    Joined:
    Oct 4, 2007
    Domain GPOs override local GPOs anyway. You're wasting your time for something that puts yourself at risk of disciplinary action from your organization.

    From a corporate security standpoint it makes perfect sense to only allow trusted networks to RDP into corporate assets. When you VPN into your corp network your packet flows are probably being filtered and inspected, which allows future audits in the event of a compromise or improper machine use and reduces the risk of data exfiltration and asset compromise.

    By your logic, what would stop someone from breaking into your work laptop from a hypothetically compromised home network? By requiring the source traffic to come from the corp VPN the attacker would have to break through your corp network first to achieve this.
     
    Last edited: Jul 31, 2018
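As an added illustration of the point above about domain policy winning over local firewall rules (this is example code added here, not something posted by anyone in the thread), the following PowerShell shows how an administrator would check the effective firewall policy on a domain-joined Windows host and how a "trusted networks only" RDP rule is expressed. The VPN subnet and the GPO store name are placeholders, and the cmdlets are the standard NetSecurity module ones.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on a
# domain-joined Windows 10 / Server host. Values below are placeholders.

$VpnSubnet = '10.50.0.0/16'   # ASSUMPTION: address pool the corporate VPN hands out

# 1. What is the firewall actually enforcing right now?
#    ActiveStore is the merged, in-effect policy after domain GPOs are applied.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules

# AllowLocalFirewallRules = False on the Domain profile means a domain GPO has
# set "Apply local firewall rules: No". A rule added in the local console
# (such as an "RDP with full access" rule) is then ignored on that profile,
# which is the behaviour a local admin sees when a domain GPO is in charge.

# 2. Which Remote Desktop rules arrive via Group Policy (RSOP store), and what
#    remote address scope the domain admin put on them.
Get-NetFirewallRule -PolicyStore RSOP -DisplayGroup 'Remote Desktop' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Action        = $_.Action
            Profile       = $_.Profile
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    }

# 3. "Only trusted networks may RDP in", as the domain admin would configure it:
#    one inbound rule on 3389/TCP whose remote scope is the VPN pool, written
#    into the GPO store (placeholder name) rather than the local PersistentStore.
function New-ScopedRdpRule {
    param(
        [Parameter(Mandatory)][string]$RemoteSubnet,
        [string]$PolicyStore = 'example.local\Workstation Firewall Policy'  # ASSUMPTION: GPO name
    )
    New-NetFirewallRule -DisplayName 'RDP in - corporate VPN only' `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $RemoteSubnet -Profile Domain -Action Allow `
        -PolicyStore $PolicyStore
}

# Example invocation (requires rights to edit that GPO):
# New-ScopedRdpRule -RemoteSubnet $VpnSubnet
```

Steps 1 and 2 are read-only and are the quickest way to tell whether an RDP block comes from domain policy on the host or from something upstream such as the VPN or perimeter firewall: if the RSOP rule for port 3389 is enabled and scoped to the VPN pool, the host is doing exactly what the domain admin intended, and a locally added rule cannot change that.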
  8. FlawleZ

    FlawleZ Gawd

    Messages:
    538
    Joined:
    Oct 20, 2010
    Wait, you're able to connect to your work VPN on your personal system? That's already disappointing to hear.
     
  9. mkrohn

    mkrohn 2[H]4U

    Messages:
    2,258
    Joined:
    Apr 30, 2012
    Yep... even RDP to servers from home. Since the laptop is crap, next time I'm in the office I'm going to park the system in a spot I can leave it forever. The only times I use it is when I need to code something that is only on the internal network, which is a shrinking number of things. I mostly do web UI stuff which I can usually fully test either in the cloud or on my own home servers.

    I've only been in the office once this year :) No clue when the next run-in will be. It's only about 40 minutes away.
     
  10. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,949
    Joined:
    Nov 16, 2009
    So talk to security/IT at that company and ask how you should do this while still following company policies. They should either have a system in place for this purpose, or a policy against it. Don't try and set this up yourself. You're a dev and shouldn't be configuring this yourself without consulting them. Do you want breaches? Because this is how you get breaches.....
     
  11. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,546
    Joined:
    May 14, 2008
    It seems they already have a breach going on, but he is annoyed that he cannot widen the breach further for his convenience.
     
  12. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,275
    Joined:
    Oct 4, 2007
    This is doable if it's a very restricted VPN. A clientless SSLVPN HTTPS portal that permits only RDP isn't completely terrible. You can also implement MFA through the portal.
     
  13. NoOther

    NoOther [H]ardness Supreme

    Messages:
    6,546
    Joined:
    May 14, 2008
    RDP still allows a lot of potential vulnerabilities through, especially when you are connecting a potentially unsafe computer to a company network. On top of that, they are connecting from their wildcard system to company servers. So you are opening up that vulnerability straight to the servers... That isn't a particularly good policy.

    But there could be a number of other things involved here, without knowing specifics and a net overview of how he is actually connecting and what he is connecting to, it is kind of moot. Perhaps he is only connecting to a dmz'd, VPC'd, or otherwise separated dev environment that does not connect or interact with production or the official company network. In that case, it's not as big of a deal, although still not necessarily great security planning.

    In any case, the problem to me still seems likely a perimeter control that is blocking what he wants to do rather than a GPO specifically.
     
  14. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,949
    Joined:
    Nov 16, 2009
    Which is not something an end user/developer should be setting up outside of the company's IT/security teams..... If one of the devs at my place somehow managed to bypass the security controls in place and got this setup enabled, they would most likely be fired for violating company policies.
     
  15. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,275
    Joined:
    Oct 4, 2007
    Well, correct - I wasn't saying the OP could do that, I was just addressing that RDP from a non-corporate asset is doable by that type of method. It's not the most ideal situation, but it works and is secure enough for some organizations, and it would have to be set up and configured by the security/IT team.
     
  16. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,275
    Joined:
    Oct 4, 2007
    The way I took it is the OP uses a corporate VPN to allow a personal device to RDP into a work asset as a jump box to then RDP from said jump box into servers and other infrastructure.

    The OP is just jumping through hoops rather than addressing the root of the issue - productivity on their work laptop. I wouldn't expect their IT team to do anything special to make it more convenient for you to not use a company issued laptop.
     
  17. FlawleZ

    FlawleZ Gawd

    Messages:
    538
    Joined:
    Oct 20, 2010
    The simple fact a personal, non-secured and monitored device is allowed to successfully connect to the company's VPN network is not a good security practice regardless of which services are expected to be used or not.
     
  18. Dead Parrot

    Dead Parrot [H]ard|Gawd

    Messages:
    1,773
    Joined:
    Mar 4, 2013
    Ask if you can purchase a firewall device that will establish a VPN to the corporate firewall. If they will allow that, then have rules set up that let you get to whatever tools you need inside. Better to get IT-Security's blessing than be the fall guy when a breach happens.
     
  19. Biznatch

    Biznatch [H]ard|Gawd

    Messages:
    1,949
    Joined:
    Nov 16, 2009
    That would connect the company network to his network, including any device attached to that firewall. That's moving in the wrong direction here. They need to allow an exception for him to use his personal device, provided all company-approved software is installed (virus/malware scanner etc.) and updated. Then use the company VPN software on that device, with MFA enabled. Also, split tunneling should be disabled so his machine can't be used as a proxy/jump box by malicious users if his machine is infected.
     
  20. FlawleZ

    FlawleZ Gawd

    Messages:
    538
    Joined:
    Oct 20, 2010
    That's assuming they would provide and extend company licensing and support for personal equipment at the business's expense. That's not only an unnecessary expense but just another liability.