Compliance/Currency Tests on Network Entry

Some of the most sensitive points in your IT infrastructure are the entry points from remote users and systems. It is important that you carefully consider how remote users connect to your network and how you ensure these connections do not compromise your security. One straightforward way to control access to your network and any resource on it is to employ an aggressive user-based set of access controls. Computer security experts use many models to manage user accounts over large networks, but one particular strategy provides clarity and security. The AGULP approach provides a method for managing any number of users predictably. AGULP is an acronym that stands for:

  • Accounts

  • Global groups

  • Universal groups

  • Local groups

  • Permissions

The idea behind AGULP is to nest individual user accounts inside groups in a fixed order so that permissions can be granted to groups rather than to people. The first step is to create a separate user account for each user. Creating a separate account for each of a user’s roles adds a further layer of security; in that case, one person may hold more than one account. You then add user accounts to global groups according to the attributes the users share. These attributes can be geographical or functional, such as manufacturing or human resources. Next, add global groups to universal groups, which are groups that can hold members from any domain in the Active Directory forest. After that, add global groups and universal groups to local groups on the computers that hold the resources you want to secure. This strategy avoids the need to add individual users to local groups. Finally, define the permissions on each secured resource, or object, for the local groups only. Because every resource needs only one access control entry per local group, the AGULP strategy reduces the size and number of access control lists (ACLs) you must maintain. Use AGULP to decide how many users and groups of each type you need, so that the administrative load stays manageable.
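The following script is an added example, not part of the book’s text, showing one complete AGULP chain built with the ActiveDirectory PowerShell module: one account, a global group, a universal group, a domain-local group on the resource side, and a single NTFS access control entry on the folder. The domain name CORP, the OU, the user and group names, and the share path are assumptions for a lab domain; the book’s "local group" is realized here as a domain-local group, the usual choice for a domain-joined file server.

```powershell
# Added AGULP example (assumed lab names; run as an account that may create
# objects in the target OU and change the folder's ACL).
Import-Module ActiveDirectory

$ou    = 'OU=Lab,DC=corp,DC=example'   # assumed OU for the new objects
$share = 'D:\Shares\HR'                 # assumed resource to be secured

# A: one account per user (a second, role-specific account is optional)
New-ADUser -Name 'Alice Smith' -SamAccountName 'asmith' -Path $ou `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for asmith') `
    -Enabled $true -ChangePasswordAtLogon $true

# G: global group collecting users by a shared attribute (here, department)
New-ADGroup -Name 'G-HR-Staff' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'G-HR-Staff' -Members 'asmith'

# U: universal group that can take global groups from any domain in the forest
New-ADGroup -Name 'U-HR-All' -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'U-HR-All' -Members 'G-HR-Staff'

# L: domain-local group on the resource side; it receives groups, never users
New-ADGroup -Name 'L-HR-Share-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'L-HR-Share-Modify' -Members 'U-HR-All'

# P: the folder's ACL names only the local group, so one ACE covers every
# user who reaches the resource through the nesting above
$acl  = Get-Acl -Path $share
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'CORP\L-HR-Share-Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Check: a user added directly to the local group bypasses the model and is
# the kind of drift that later makes ACL reviews unreliable
$directUsers = Get-ADGroupMember -Identity 'L-HR-Share-Modify' |
    Where-Object { $_.objectClass -eq 'user' }
if ($directUsers) {
    Write-Warning ("Users added directly to local group: " +
        ($directUsers.SamAccountName -join ', '))
}
```

Re-running only the final check against every domain-local group that appears in a resource ACL is a cheap periodic audit that the nesting has not been bypassed.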

Additionally, to maintain secure access for remote clients, check this list of best practices:

  • Map your proposed remote access architecture, including redundant and backup connections. Use one of the several available network mapping software products to make the process easier.

    • Update the network map any time you make physical changes to your network.

  • Install at least one firewall between your VPN endpoint and your internal network.

  • Select a VPN provider that your clients can easily access. If you select a vendor-specific VPN solution, develop a method to distribute and maintain the VPN client software to your users.

  • Use global user accounts whenever possible:

    • Use strong authentication for all user accounts.

  • Create a limited number of administrative accounts with permissions for remote administration.

  • Develop a backup and recovery plan for each component in the Remote Access Domain.

    • Do not ignore backing up and recovering configuration settings for network devices.

  • Implement frequent update procedures for all OSs, applications, and network device software and firmware in the Remote Access Domain.

  • Monitor VPN traffic for performance and suspicious content.

  • Carefully control any configuration setting changes or physical changes to domain nodes.

    • Update your network map after any changes.

  • Require encryption for all communication in the Remote Access Domain.

  • Enforce anti-malware minimum standards for all remote computers as well as server computers in the Remote Access Domain. Ensure all anti-malware software and signature databases remain up to date.
