Results 16 to 30 of 31
MIS Systems Thread, Staff Access to SIMS from Home in Technical; We have terminal server set-up which does work well but there is a per user connection cost, so have now ...
  1. #16
    jmcdermott's Avatar
    Join Date
    Feb 2008
    Location
    Cornwall
    Posts
    174
    Thank Post
    16
    Thanked 43 Times in 35 Posts
    Rep Power
    21
    We have terminal server set-up which does work well but there is a per user connection cost, so have now set up OpenVPN on a cheap desktop machine on a Linux server. Each staff laptop (which is encrypted) is configured to access the VPN and so far it has been a great success for SIMS and network shares and Outlook, all for free apart from cost of a machine.

  2. #17

    Join Date
    Mar 2014
    Location
    Lancashire, United Kingdom
    Posts
    5
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by Heebeejeebee View Post
    Think carefully before allowing access unless you can create a well locked down, very little information shown (no photos, addresses, contacts etc.) user that they can access from outside the school that still allows them to do what they need to do.

    HBJB
    We've never had a problem with it.

    The only people who use our remote access use their staff laptops which have pretty strong passwords on them, then they have to use the VPN (A different password) then two more passwords before they can get anywhere.
    I know that sounds like the situation where people would write the passwords down but believe me I've never seen people with such good memories.

    The only thing we're concerned about with relation to SIMS is installing the application on devices that are taken out of the school, we outright refuse to do it.

  3. #18
    Marshall_IT's Avatar
    Join Date
    Jul 2011
    Location
    Leeds
    Posts
    540
    Thank Post
    78
    Thanked 78 Times in 63 Posts
    Blog Entries
    1
    Rep Power
    21
    Quote Originally Posted by Garry1103 View Post
    We've never had a problem with it.

    The only people who use our remote access use their staff laptops which have pretty strong passwords on them, then they have to use the VPN (A different password) then two more passwords before they can get anywhere.
    I know that sounds like the situation where people would write the passwords down but believe me I've never seen people with such good memories.

    The only thing we're concerned about with relation to SIMS is installing the application on devices that are taken out of the school, we outright refuse to do it.
    I think the point is more, logging in and leaving the laptop unattended, or someone just looking over the shoulder of the staff member.

    People trust their family and friends but that doesn't mean the school necessarily should do.

  4. #19

    Join Date
    Mar 2014
    Location
    Lancashire, United Kingdom
    Posts
    5
    Thank Post
    0
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Quote Originally Posted by Marshall_IT View Post
    I think the point is more, logging in and leaving the laptop unattended, or someone just looking over the shoulder of the staff member.

    People trust their family and friends but that doesn't mean the school necessarily should do.
    I get your point here. We've made it a point to be harsh about the whole "Lock your computer" situation. Then again, I do agree with the statement the school has no reason to trust someone's family members.

  5. #20
    Heebeejeebee's Avatar
    Join Date
    Nov 2006
    Location
    Intergalactic Cruise
    Posts
    1,057
    Thank Post
    69
    Thanked 79 Times in 62 Posts
    Rep Power
    35
    Quote Originally Posted by Marshall_IT View Post
    I think the point is more, logging in and leaving the laptop unattended, or someone just looking over the shoulder of the staff member.

    People trust their family and friends but that doesn't mean the school necessarily should do.
    Exactly - it's not about passwords or the fact that it's a school laptop - it's about them potentially having it on screen and walking away to make the dinner or having someone look over their shoulder. You cannot guarantee that the data is safe.

    HBJB

  6. #21

    Join Date
    Sep 2008
    Posts
    132
    Thank Post
    15
    Thanked 11 Times in 8 Posts
    Rep Power
    14
    Another preventative measure we have in place is a fairly tight 5 min idle timeout on RD connections. Does it stop someone looking over your shoulder? No. Does it mean that you can leave the computer and no-one see SIMS? Of course not. But it does cut down the window of time in which it can happen. This, coupled with a separate Remote Access AUP tied to the school's disciplinary policy, means that we have got the risk factor down to what we view as an acceptable level.

  7. #22

    vikpaw's Avatar
    Join Date
    Sep 2006
    Location
    Saudi Arabia
    Posts
    5,682
    Thank Post
    692
    Thanked 1,408 Times in 1,166 Posts
    Rep Power
    354
    You can create quite a simple two factor auth system using code from Google and the Google Authenticator app. I've not done it but all you need is a simple front end to do the first auth with, which then passes you on to a second login page. At least this would work well for a web based system.

    I actually use GA with my Hotmail account!

    As for security of information this is a valid point and organisations need to have security and more importantly a policy, in place. Most modern MISes have web based access and that is full access, no locked down version. It's only SIMS where we try to find these workarounds, but even with their SLG product I don't think the access is locked down. It's up to the school to think about this, and as IT Pros our job to inform them of the need for this, even though the buck stops at the Head or whoever is higher up.
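
The second login page described in the post above, as an added example (not part of the original post and not Google's code): it checks the 6-digit code the Google Authenticator app displays, using the standard TOTP algorithm (RFC 6238), tolerates one time step of clock drift and refuses a code that has already been accepted. The class name `SecondLoginPage`, the user `teacher1` and the sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP, DIGITS = 30, 6  # Google Authenticator defaults: 30 s step, 6 digits, HMAC-SHA1


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SecondLoginPage:
    """Hypothetical second step, reached only after the first login succeeded."""

    def __init__(self, enrolled: dict, window: int = 1):
        self.enrolled = enrolled  # user -> base32 secret shared with the app
        self.window = window      # time steps of clock drift tolerated
        self.last_used = {}       # user -> last accepted step (replay guard)

    def verify(self, user: str, submitted: str, now: int) -> bool:
        secret = self.enrolled.get(user)
        if secret is None:
            return False
        current = int(now) // STEP
        for step in range(max(0, current - self.window), current + self.window + 1):
            if step <= self.last_used.get(user, -1):
                continue  # this code (or a later one) was already accepted
            expected = totp(secret, step * STEP)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_used[user] = step
                return True
        return False


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    page = SecondLoginPage({"teacher1": SAMPLE_SECRET})
    print(page.verify("teacher1", totp(SAMPLE_SECRET, 59), now=59))  # fresh code
    print(page.verify("teacher1", totp(SAMPLE_SECRET, 59), now=59))  # replayed code
```

The replay guard matters for the shoulder-surfing concern raised earlier in the thread: a code read off someone's phone stops working once its owner has used it.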

  8. #23

    Join Date
    Nov 2008
    Location
    Weston-super-Mare
    Posts
    41
    Thank Post
    2
    Thanked 4 Times in 2 Posts
    Rep Power
    12
    Quote Originally Posted by vikpaw View Post
    You can create quite a simple two factor auth system using code from Google and the Google Authenticator app. I've not done it but all you need is a simple front end to do the first auth with, which then passes you on to a second login page. At least this would work well for a web based system.

    I actually use GA with my Hotmail account!

    As for security of information this is a valid point and organisations need to have security and more importantly a policy, in place. Most modern MISes have web based access and that is full access, no locked down version. It's only SIMS where we try to find these workarounds, but even with their SLG product I don't think the access is locked down. It's up to the school to think about this, and as IT Pros our job to inform them of the need for this, even though the buck stops at the Head or whoever is higher up.
    So correct me if I'm wrong then.

    Our staff need to have one of our laptops before they can connect remotely. They need to enter their network credentials to access the Remote App, they also have a separate SIMS username and password before they can access SIMS. What are the thoughts around that scenario?

    harriuk

  9. #24

    vikpaw's Avatar
    Join Date
    Sep 2006
    Location
    Saudi Arabia
    Posts
    5,682
    Thank Post
    692
    Thanked 1,408 Times in 1,166 Posts
    Rep Power
    354
    If they can only access through the laptop that is the first factor (physical) then the uname and pword is second (mental??) so that's good.
    To mitigate social engineering / careless practice you just need a policy to ensure they are made aware of risks and that they use best practice such as locking machine, not printing out, ideally not downloading data to laptop unless it's encrypted and password protected etc.

  10. #25

    Join Date
    Nov 2008
    Location
    Weston-super-Mare
    Posts
    41
    Thank Post
    2
    Thanked 4 Times in 2 Posts
    Rep Power
    12
    Quote Originally Posted by vikpaw View Post
    If they can only access through the laptop that is the first factor (physical) then the uname and pword is second (mental??) so that's good.
    To mitigate social engineering / careless practice you just need a policy to ensure they are made aware of risks and that they use best practice such as locking machine, not printing out, ideally not downloading data to laptop unless it's encrypted and password protected etc.
    Excellent, that's what I thought! Our legacy laptops only allow them to save into their N: Drive, nowhere else, this is synced offline and encrypted. Our newer laptops are totally encrypted. As for the risks, we have a pop-up on the gateway that explains these risks.

    Thanks for the info.

    harriuk

  11. #26

    vikpaw's Avatar
    Join Date
    Sep 2006
    Location
    Saudi Arabia
    Posts
    5,682
    Thank Post
    692
    Thanked 1,408 Times in 1,166 Posts
    Rep Power
    354
    Sounds pretty good.
    We can't ever overcome the human factor. If they have access to data, then they can write it down, take a photo, all manner of silly things, so it's all about not making it too easy for them to be careless and educating them on the risks.

    I find so many people still use Post-its I'm tempted to recommend a simple password policy, just long length with little to no complexity, combined with regular changes.

  12. #27
    Fazza's Avatar
    Join Date
    Jun 2012
    Location
    England
    Posts
    207
    Thank Post
    4
    Thanked 23 Times in 21 Posts
    Rep Power
    8
    You could set up a VPN connection and only allow them access to your SIMS .net server or RemoteApp is another good alternative. We use RemoteApp and it works well - no complaints so far! However, we had issues with RemoteApp on Server 2012 and 2012 R2 so we went back to 2008 R2 and it worked without any hassle.

  13. #28
    Marshall_IT's Avatar
    Join Date
    Jul 2011
    Location
    Leeds
    Posts
    540
    Thank Post
    78
    Thanked 78 Times in 63 Posts
    Blog Entries
    1
    Rep Power
    21
    Has anyone got a 2 factor authentication solution for SLG?

  14. #29

    vikpaw's Avatar
    Join Date
    Sep 2006
    Location
    Saudi Arabia
    Posts
    5,682
    Thank Post
    692
    Thanked 1,408 Times in 1,166 Posts
    Rep Power
    354
    Quote Originally Posted by Marshall_IT View Post
    Has anyone got a 2 factor authentication solution for SLG?
    Maybe Microsoft will have one in the pipeline... CIAOPS: Microsoft acquires two factor provider
    Couldn't see another way, though there are paid-for solutions that will work with Microsoft TMG so if you have that maybe you could put a layer in front.

    Or find a developer to write a webpart for it..

  15. Thanks to vikpaw from:

    Marshall_IT (16th March 2014)

  16. #30
    robjduk's Avatar
    Join Date
    Jun 2011
    Posts
    469
    Thank Post
    17
    Thanked 68 Times in 53 Posts
    Rep Power
    23
    Just got SIMS working via remote app here and works great (using IE or an iPad, others... meh most work). Like Fazza, we use 2012R2 and have issues when using Windows 8.1 but it does seem stable and easy to use. SIMS on an iPad is great.
