gray_box2

lightgreenbg

Connect to AD or LDAP for Authentication and Authorization

noneright#eff5d5Use As DefaultConfigure your systems to authenticate to LDAP or AD. This eases the management of authentication and authorization, and helps Tufts collect and correlate authentication events more efficiently.

whitebg

Use Your Firewall to Require the VPN for Off-Campus Access

nonerightUse As DefaultUnless direct public access is absolutely required, configure your host firewall to only allow remote access connections (like SSH and RDP) from on-campus (130.64.0.0/16). Or go one step farther and only allow the Tufts subnets you need (e.g., your own subnet, plus the VPN - which is at 130.64.26.0/23).

lightgreenbg

Encrypt Data In Motion

noneright#eff5d5Use As DefaultUse encryption for all remote access authentication. RDP and SSH are encrypted out of the box, but VNC, telnet, and others are not. If possible, only enable encrypted remote access services and turn off all unencrypted access services.

whitebg

Stay Up-To-Date

nonerightUse As DefaultIt's very important to keep all of your network-available services up-to-date. If serious flaws are uncovered in your remote access program, it's update immediately or shut the service off until an update can be deployed.

lightgreenbg

Use a Different TCP/IP Port

noneright#eff5d5Security/Usability Trade-OffDepending on the kind of service you run, and the audience to which it is provided, you may be able to run your remote access service on a non-default port. This will not stop dedicated port scanners, but can remove a lot of noisy traffic just looking for open services with weak or stolen passwords. This may or may not be appropriate in your environment.

whitebg

Run a Blacklisting Application

nonerightSecurity/Usability Trade-OffSome services can work well with a blacklisting program to block access to source IPs with too many failed logins. One of the most common is denyhosts for SSH.

lightgreenbg

Consult With Others

Don't hesitate to consult with others who run similar environments, within UIT and across Tufts. You can also contact UIT's Information Security team at any time to discuss best practices and how they apply to the Tufts environment.

Browser not supported