These have been extraordinary times for the world, our country, our school districts and our families. We are implementing remote learning plans and remote access plans to keep the district functioning in this time of social distancing, crowd restrictions and mandated closings. Despite the chaos around us, the back-end of every school district must continue to run as we sort out what remote learning means and how it will be implemented.
For most of you that means creating additional VPN accounts so every staff member who legitimately needs to access the district remotely and productively can do their work.
My understanding is that requests for VPN accounts are coming in at a record pace.
At the same time the Federal Government is warning that hackers are eager to exploit your remote, and in most cases, unmanaged endpoints that are now the new edge of your internal network. Here is an article summarizing the threat:
Below are a few items to consider in your VPN deployment:
- VPN connections make the remote computer part of the district's network. Is that computer a district owned and maintained laptop? Is it a district employee owned computer? You have worked so hard to maintain the integrity and safety inside your district. You need to do the same with these VPN connections.
- VPN connections can be setup to allow the connected computer have local file access while connected to the district's network or not. You need to decide your policy. Generally we would say no local access if you are connected to the network.
- VPN Connections can allow the connected user to resolve actual server names so that drives map correctly. If you can't resolve internal device names on your internal network, you are missing a policy.
- There should be access control rules (ACL) that go with each VPN connection limiting the user to access specific servers and workstations. For instance I can remote to my desk or access the share on the accounting server, but not see or access any other workstation or server.
- You should have a group policy to allow RDP through the Windows firewall to specific workstations from for specific users from a specific address or address range.
- Under no circumstances should you open a VPN connection that allows a staff member to see the entire network.
If the workstations in your network should be considered the wild west, then an employee workstation not maintained by the district should be considered an active war zone.
I realize you have to get things running ASAP, but we cannot gut our security and allow another massive ransomware event to enter to through the VPN connection from these stations.
In closing I have a few other suggestions you need to actively pursue and implement to better secure your VPN connections:
- Implement multi-factor authentication with all VPN accounts.
- Implement multi-factor authentication for all RDP connections into your network for approved staff.
- Make sure you have a centrally managed Endpoint Detect and Response (EDR) client like CSI's CyberSentinel Endpoint Detect & Respond (CSEDR) client. That endpoint at home is the weakest link on your network.
- Long-term plan for a true virtual desktop (VDI) implementation like VMware Horizon View to eliminate VPN connections entirely.
There is a lot of ground to cover and with these users coming on-line as I write this note, time is of the essence for getting the immediate security steps implemented. Our staff stand ready to help you roll these VPN connections out as quickly as possible. If you need help implementing or planning your next steps, give us a call.