Best practice to control/block remote desktop software to limit access to network to authorized VPN

dawydiuk
Comes here often

Best practice to control/block remote desktop software to limit access to network to authorized VPN

We provide our employees access to our network via VPN, but have found some users have chosen to use Anydesk, Chrome Remote Desktop, etc which gives them access remotely to our network. My fear is if one of these employees exits the company they may still have access to our network via remote desktop software in spite of us disabling access to our network via their VPN account. What is a best practice to ensure we have control as to who has access to our network in situations like this?

 

 

3 REPLIES 3
Brash
Head in the Cloud

This is best managed with tighter application controls on the windows side. Eg. Preventing user accounts from installing privileged access applications (or applications in general) via GPO and AD security groups. Additionally, some security software can detect and prevent remote control applications from being installed.

alemabrahao
Kind of a big deal

Johnfnadez
Building a reputation

I recommend to block the remote access apps on your MX Firewall and set a single app as default remote access and integrate it with LDAP Authentication. If an employee exists the company only remove the username on your Active Directory and that’s it. We as Network Security Engineer have to enforce policies in our company to keep it safe from the world. I don’t consider a good practice allow any remote access application in your Network because it opens a lot of attack surfaces.

 

For example you can enforce to only permit RDP from Microsoft and authentication with 2FA agains Active Directory.

 

If you consider my answer as solution please mark it as solution 😀

 

Regards!

Johnny Fernandez
Network & Security Engineer
CCNP | JNCIP-SEC | CMNA
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels