How do you do....it? Thread: Access from home (in Technical)
  1. #16
    ijk
    Quote Originally Posted by jamesfed View Post
    Bearing in mind we issue a notebook PC to every member of teaching staff.
    Where this isn't possible and users connect using their home computers, what measures do you think should be in place to protect internal networks?

  2. #17

    GrumbleDook
    I believe the area you are looking for is Configure Network Level Authentication for Remote Desktop Services Connections

    The device is authenticated as a valid device before a session is initiated, the user is then authenticated against the AD.

    I would also set restrictions so that you cannot transfer files from the RDS to the accessing device (basically you lock out USB, access to locally shared printers, etc).

    Also be aware that technology is not the only answer on this. You should have policies in place to tell staff that if they are doing this then they do not do it in a public place (where the screen is viewable by Joe Public), that they don't email themselves the data because you are restricting access to the local printers, USB sticks, etc ... and that the device (laptop) is not used by others (eg their family as a games machine).

    The Becta advice (released before MS Server 2008 R2 was out) really looked at ideas such as Citrix and Oracle SGD (or Sun SGD as it used to be) but this can be really costly for many schools not already going down this line for thin clients. As a word of warning ... most folk I know who have tried to set it up have had serious issues doing it with XP SP3 or Vista (ie it has not turned on the security) so when authorising RDP access for Northants schools I will only do it if they are using Server 2008 R2 and Win7 clients.
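
A read-only check of the settings described in post #17 (Network Level Authentication plus blocked drive, clipboard, printer and USB redirection), as an added example that is not part of the thread. It assumes the standard registry values behind the RDS Group Policy settings; `Get-RegValue` is a hypothetical helper name.

```powershell
# Added example: read-only audit of an RD Session Host. Run elevated on the host.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Registry values behind the RDS "Security" and "Device and Resource Redirection"
# Group Policy settings. A value of 1 means the restriction is enforced.
$checks = @(
    @{ Name = 'UserAuthentication'; Meaning = 'Network Level Authentication required' },
    @{ Name = 'fDisableCdm';        Meaning = 'Drive redirection blocked' },
    @{ Name = 'fDisableClip';       Meaning = 'Clipboard redirection blocked' },
    @{ Name = 'fDisableCpm';        Meaning = 'Client printer redirection blocked' },
    @{ Name = 'fDisablePNPRedir';   Meaning = 'Plug and Play (USB) redirection blocked' },
    @{ Name = 'fDisableCcm';        Meaning = 'COM port redirection blocked' },
    @{ Name = 'fDisableLPT';        Meaning = 'LPT port redirection blocked' }
)

function Get-RegValue {   # hypothetical helper: $null when key or value is absent
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = foreach ($c in $checks) {
    # A Group Policy value overrides the listener's own setting, so read it first.
    $source = 'Group Policy'
    $value  = Get-RegValue -Path $policy -Name $c.Name
    if ($null -eq $value) {
        $source = 'RDP-Tcp listener'
        $value  = Get-RegValue -Path $rdpTcp -Name $c.Name
    }
    if ($null -eq $value) { $source = '-'; $shown = 'not set' } else { $shown = $value }
    New-Object PSObject -Property @{
        Setting = $c.Name; Meaning = $c.Meaning
        Value   = $shown;  Source  = $source
        Pass    = ($value -eq 1)
    }
}

$report | Select-Object Setting, Meaning, Value, Source, Pass | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} setting(s) not enforced on this host." -f $failed.Count)
}
```

A setting reported as "not set" is left to the client's choice, so it counts as a failure here.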

  3. #18

    twin--turbo
    Quote Originally Posted by jamesfed View Post
    Care to justify?

    We have a VPN for our staff powered by Forefront TMG - nice, stable and secure; all staff do is double click on a shortcut on their desktop and boom, it's like they never left the school. Bearing in mind we issue a notebook PC to every member of teaching staff.

    Currently looking at the updated Direct Access feature of Server 2012 - wasn't possible for us to implement it with 2008 R2 but 2012 is looking extremely promising.
    If you're providing devices, and have them locked down, then it's a viable solution.


    However...
    If you're letting teachers use their own (or unsecure provided) equipment, who regularly visit MP3 & torrent download sites, let their kids play Java games on the latest insecure site, click on the link that says "YOUR COMPUTER IS INFECTED CLEAN UP NOW", have kids who are hackers, send out their entire email address book to every virus writer in the world, etc. (add everything that seems to happen to "Unsuspecting" users)...

    Then allowing them direct VPN access to your network should be taken with great care, just the same as BYOD devices within school.

    Rob

  4. #19

    GrumbleDook
    Quote Originally Posted by ijk View Post
    Where this isn't possible and users connect using their home computers, what measures do you think should be in place to protect internal networks?
    To be honest, if you are starting to go down the route of using home devices to connect then you have to start coughing up some cash at the school end to protect yourself. At work (an LA) we use Citrix with 2-factor authentication and restrictions on access to local resources ... and a hefty AUP to go with it, backed into our contract of employment.

  5. #20
    ijk
    Quote Originally Posted by GrumbleDook View Post
    To be honest, if you are starting to go down the route of using home devices to connect then you have to start coughing up some cash at the school end to protect yourself. At work (an LA) we use Citrix with 2-factor authentication and restrictions on access to local resources ... and a hefty AUP to go with it, backed into our contract of employment.
    Quite. We don't provide our teachers with a school issued computer and do not use a VPN. I outlined our approach in a similar thread earlier this evening and came across this thread later. I think it's an interesting area. Briefly, we allow remote desktop connections from users' personal equipment through an SSH tunnel. It works okay for us and doesn't connect their equipment to the network. I don't know how it would scale - only a handful of users have access (through desire/need rather than a sense of privilege) and it's there for a specific purpose at the moment, that of reading/approving reports twice a year. The costs involved are RDS CALs, cost of Bitvise SSH server and cost of Bitvise Tunnelier client for each user (edit: plus time of course).
    Last edited by ijk; 26th September 2012 at 09:58 PM. Reason: pedantry

  6. #21
    ijk
    Quote Originally Posted by GrumbleDook View Post
    Also be aware that technology is not the only answer on this.
    Sure, but this is a how do you do it thread. If someone is attempting to achieve a technical goal I believe it's important to focus on the technical aspects of that goal in a brain thread that is separated from the organisational aspects. If I work that way I find I get more done.

  7. #22
    jamesfed
    Quote Originally Posted by jmak View Post
    Any idea if this complies with BECTA/NAACE advice (I won't be allowed to implement anything that doesn't).

    Thanks
    BECTA no longer exists

  8. #23
    detjo
    Quote Originally Posted by jmak View Post
    Any idea if this complies with BECTA/NAACE advice ..
    BECTA ?? Whozat? lol

    Cisco firewall/vpn an option?
    Last edited by detjo; 26th September 2012 at 11:06 PM.

  9. #24

    Quote Originally Posted by jamesfed View Post
    BECTA no longer exists
    I have had a hard day, but that hadn't slipped my mind. Just giving credit to the folks who created the document, rather than the organisation currently hosting it:

    http://cnp.naace.co.uk/system/files/...in_schools.pdf

    It still says BECTA on the front.

  10. #25

    We have a SonicWall, through which we are going to offer a web-based RDP client for staff, which they can access from anywhere as long as they have a machine and the internet.

  11. #26

    GrumbleDook
    Quote Originally Posted by jamesfed View Post
    BECTA no longer exists
    The document is still valid and in use, and even referred to by DfE (I have been informed) when speaking with new schools (Free schools, academies, UTCs, etc). Presently it is hosted and used (under the Open Government Licence) by a number of agencies and groups including NAACE.


