Access Rights and Access Controls in the Remote Access Domain

The rights and permissions you grant remote users depend on your general access model and your operating system. In most cases, remote users who connect to your environment through a VPN receive the same rights as users on your LAN. The idea behind a VPN is that, once the tunnel is established, it behaves like an extension of the LAN, so VPN users are essentially LAN users. Treat that as a default to be examined rather than a given. Although it is possible to exclude particular users from VPN access at the operating system level, it is generally easier to use the remote access authentication server (for example, a RADIUS server) to define which users may use remote access at all.

The overriding goal in all network design is to keep things simple. Complexity increases your exposure to risk and takes more effort to maintain. You will end up with at most three lists of users: internal network users, remote access users, and global users (those who may connect either way). If you do not need to separate most local and remote user rights, a single global user list keeps things simple. After you create the users, you will need to define what they may do, locally and over remote access. Your operating system provides the ability to define what each user can do through permissions or access control lists (ACLs).

In addition to user rights, your remote access servers can define how you handle remote connections. You should set up VPNs to appear as networks that are separate from your physical LANs: assign every VPN client an address from a dedicated range of subnets that is never used on the LAN itself. Separate addressing gives you the ability to write filtering or access rules that affect only your VPN connections, and therefore to identify and drop suspicious or unauthorized traffic arriving over the VPN without touching LAN-to-LAN traffic. For example, suppose you want to prohibit remote users from using Server Message Block (SMB), the protocol used to map network resources as shares. You could set a rule in a firewall that sits between your VPN endpoint and your LAN to drop any TCP traffic from the VPN address range to the default SMB port, 445 (and, if you still have legacy clients, TCP port 139, which carries SMB over the NetBIOS session service). In this way, you prohibit SMB access from your VPNs. The rule only works if VPN traffic actually passes through that firewall on its way to the LAN, so the placement of the VPN endpoint relative to the firewall matters as much as the rule itself.
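The following is an added example, not part of the original text, that models the VPN-only filtering rule described above. The addressing plan (a 10.8.0.0/24 VPN client pool, a 10.0.0.0/16 LAN), the rule set and the sample flows are all constructed for the illustration. It evaluates flows against an ordered policy with first-match-wins semantics, the way an iptables or nftables chain does, and renders the same policy as iptables commands for the FORWARD chain of a firewall that sits between the VPN endpoint and the LAN.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed addressing plan, assumed for this example: VPN clients are always
# assigned from one dedicated pool that overlaps none of the LAN subnets.
VPN_POOL = ip_network("10.8.0.0/24")
LAN = ip_network("10.0.0.0/16")

# 445 is direct-hosted SMB; 139 is legacy SMB over the NetBIOS session service.
SMB_TCP_PORTS = frozenset({139, 445})


@dataclass(frozen=True)
class Rule:
    action: str                               # "drop" or "allow"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None               # None matches any protocol
    dports: Optional[FrozenSet[int]] = None   # None matches any destination port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when source, destination, protocol and port all match."""
    if ip_address(flow.src) not in rule.src or ip_address(flow.dst) not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dports is not None and flow.dport not in rule.dports:
        return False
    return True


def evaluate(policy: List[Rule], flow: Flow, default: str = "drop") -> Tuple[str, str]:
    """First matching rule wins; the chain's default policy applies otherwise."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.comment
    return default, "chain default policy"


# Ordering matters: the SMB drop must precede the broad allow, otherwise the
# allow matches first and the drop is never reached.
VPN_TO_LAN_POLICY = [
    Rule("drop", VPN_POOL, LAN, "tcp", SMB_TCP_PORTS, "no SMB file sharing from VPN clients"),
    Rule("allow", VPN_POOL, LAN, "tcp", frozenset({443}), "HTTPS to internal web apps"),
    Rule("allow", VPN_POOL, LAN, None, None, "everything else: VPN clients treated like LAN users"),
]


def to_iptables(policy: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Render the policy as iptables commands. Traffic transits the firewall
    between VPN endpoint and LAN, so the rules belong in the FORWARD chain."""
    lines = []
    for rule in policy:
        parts = ["iptables", "-A", chain, "-s", str(rule.src), "-d", str(rule.dst)]
        if rule.proto is not None:
            parts += ["-p", rule.proto]
        if rule.dports is not None:
            ports = ",".join(str(p) for p in sorted(rule.dports))
            parts += ["-m", "multiport", "--dports", ports]
        if rule.comment:
            parts += ["-m", "comment", "--comment", f'"{rule.comment}"']
        parts += ["-j", "DROP" if rule.action == "drop" else "ACCEPT"]
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    # Constructed sample flows: two VPN clients and one LAN host.
    samples = [
        Flow("10.8.0.23", "10.0.5.10", "tcp", 445),   # VPN -> file server: drop
        Flow("10.8.0.23", "10.0.5.10", "tcp", 139),   # legacy NetBIOS SMB: also drop
        Flow("10.8.0.42", "10.0.7.3", "tcp", 443),    # VPN -> intranet HTTPS: allow
        Flow("10.0.1.5", "10.0.5.10", "tcp", 445),    # LAN -> LAN SMB: VPN rules do not apply
    ]
    for f in samples:
        action, why = evaluate(VPN_TO_LAN_POLICY, f, default="allow")
        print(f"{f.src} -> {f.dst}:{f.dport}/{f.proto}  {action:5}  ({why})")
    print()
    print("\n".join(to_iptables(VPN_TO_LAN_POLICY)))
```

Two things worth noticing when you run it: the LAN-to-LAN SMB flow never matches a VPN rule and falls through to the chain default, which is exactly the isolation the dedicated VPN subnet buys you; and reversing the policy order lets SMB through, because the catch-all allow then matches before the drop. The generated commands use the `multiport` and `comment` match extensions, which are standard in iptables but will need adapting if you use nftables or a vendor firewall.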

You can use user rights, permissions, ACLs, and firewall rules together to restrict what remote users can do. Document what you will allow remote users to do, then use the appropriate controls to enforce those rules. The more remote users can do, the greater the risk to your data. Allowing remote users into your environment can increase your organization's effectiveness, but it does so at the cost of some security. Ensure you have the necessary controls in place to limit what remote users can do and to keep your data safe regardless of where it travels.
