2

This is mostly for my own education, but a scenario has come up at work that has me skeptical. I'd like for the security experts to tell me if this policy is overbearing or not.

I remote into a VPN from my home PC, non-company issued. It installs Aventail onto the machine and destroys all cached data upon log off. It also does some sort of scanning via Sonicwall. My question is this: The VPN gives me full network access, which includes the ability to remote into my work PC. The company is now turning this off, citing a huge security risk. Is that really true? If someone already has my login to the VPN and it gives them full network access, isn't that already putting the company into DEFCON 1 mode? Is the whole RDP thing really a major additional risk after that? I'm not really seeing the reasoning behind it, but hopefully someone can shed some light on it.

jlrolin
  • 123
  • 1
  • 5

1 Answer

3

It's strict, but I wouldn't say it's overbearing.

Let's say there are two ends of the pool, with corporate networks. On the shallow end it's wide open, with no internal firewalls between desktops and servers. You can go to any app, any server, any port, from anywhere. On the deep end, networks are segmented and access controls enforced. Only Finance can go to the Finance servers. Everybody can go to port 443 on the Wiki server; only the admin network can go to port 22. Things like that.

In all but the shallowest networks, remote access users are considered the least trusted. Any filters in place will be in place for them. The company doesn't have physical control over those systems, so they don't get the fullest set of access.

Allowing RDP to desktop users is a way of negating that control. Someone on an untrusted remote PC who can RDP to an internal desktop gains, in essence, trusted access. And that can be a big problem. I can remember how Xerox took themselves off the Internet for a week back in the mid-90s because someone broke into an engineer's home in order to sit in front of his PC which had ISDN access to the Xerox internal network. Took them a week to clean up, and they just shut off the pipes until it was clean.

Now, you'll argue, the fact that secondary credentials are necessary to RDP after you've VPNed is a compensating control. That's a true point. But the fact of the matter is, if ACLs of some sort are in place to limit access from VPN users, then RDP is a way to circumvent those limits. That's why you run into this sort of policy with some regularity.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
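The answer's core point is that an interactive logon service (RDP, SSH) lets a remote user act with the reach of the host they log into, so the VPN zone's effective access becomes the desktop zone's access no matter what the VPN ACLs say. The script below is an added example, not code from the question or answer: it computes that effective reach as a transitive closure over a zone-based rule set. The zone names, the rules and the Finance port are constructed for illustration, and the choice of which ports count as "pivot" ports is an assumption you would adapt to your own environment.

```python
"""Effective-reach analysis over a zone-based ACL.

Shows why permitting RDP from the VPN zone into the desktop zone hands VPN
users everything the desktop zone can reach. Added example with constructed
data; not a real policy.
"""
from collections import deque

# Constructed policy: each rule is (source_zone, destination_zone, tcp_port).
# Wiki on 443 for everyone, SSH to the wiki only from admins, as in the answer;
# the Finance rule and its port 1433 are hypothetical.
RULES = {
    ("desktops", "wiki", 443),
    ("desktops", "finance", 1433),
    ("admins", "wiki", 22),
    ("admins", "desktops", 22),
    ("vpn", "wiki", 443),
}

# Assumption: these ports give an interactive session on the destination, so
# a user who reaches them can originate traffic *as* that zone.
PIVOT_PORTS = {3389, 22}


def direct_reach(rules, zone):
    """(destination_zone, port) pairs the ACL allows directly from `zone`."""
    return {(dst, port) for (src, dst, port) in rules if src == zone}


def effective_reach(rules, zone, pivot_ports=PIVOT_PORTS):
    """Everything `zone` can reach, including via interactive-logon pivots.

    Breadth-first walk: whenever a rule grants a pivot port into another
    zone, that zone's own rules are explored too, since the user can now
    act from inside it.
    """
    visited = {zone}
    queue = deque([zone])
    reach = set()
    while queue:
        current = queue.popleft()
        for dst, port in direct_reach(rules, current):
            reach.add((dst, port))
            if port in pivot_ports and dst not in visited:
                visited.add(dst)
                queue.append(dst)
    return reach


def gained_by_pivot(rules, zone):
    """Access the ACL did not grant `zone` directly but a pivot makes available."""
    return effective_reach(rules, zone) - direct_reach(rules, zone)


def assess_rule(rules, new_rule, zone):
    """Compare what `zone` gains if `new_rule` is added to the policy."""
    before = gained_by_pivot(rules, zone)
    after = gained_by_pivot(rules | {new_rule}, zone)
    return after - before


if __name__ == "__main__":
    rdp_from_vpn = ("vpn", "desktops", 3389)
    print("direct reach of vpn :", sorted(direct_reach(RULES, "vpn")))
    print("gained via pivots   :", sorted(gained_by_pivot(RULES, "vpn")))
    print("if RDP to desktops is allowed, vpn additionally gains:",
          sorted(assess_rule(RULES, rdp_from_vpn, "vpn")))
```

With the constructed policy, the VPN zone directly reaches only the wiki on 443 and gains nothing via pivots. Adding a single rule allowing 3389 from `vpn` to `desktops` makes the Finance server reachable from the VPN zone even though no VPN rule mentions Finance, which is exactly the ACL circumvention the answer describes; the same function flags any other interactive-logon rule that widens a restricted zone's reach.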