Remote Access
As a support provider, you may need to enable remote access (RDP, SSH, etc.) to support your systems. It's important to strike the right balance between open access and strict limitations so that you can get your work done effectively while preserving security.
To maintain system security, consider these baseline recommendations.
Connect to AD or LDAP for Authentication and Authorization
Configure your systems to authenticate to LDAP or AD. This eases the management of authentication and authorization, and helps Tufts collect and correlate authentication events more efficiently.
Use Your Firewall to Require the VPN for Off-Campus Access
Unless direct public access is absolutely required, configure your host firewall to allow remote access connections (such as SSH and RDP) only from on-campus addresses (130.64.0.0/16). Or go one step further and allow only the Tufts subnets you actually need (e.g., your own subnet plus the VPN, which is at 130.64.26.0/23).
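The following is an added example, not part of this Knowledgebase page: a small POSIX shell script that generates an nftables ruleset admitting SSH and RDP only from the two ranges named above, plus a policy_decision helper that mirrors the ruleset's allow/deny outcome for a given source address so you can sanity-check the allow-list before loading it. The interface handling, the table name, the SSH_PORT/RDP_PORT variables and the assumption that the host uses nftables are all this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Tufts KB page). Generates an nftables ruleset that
# only admits SSH and RDP from the campus range and the VPN range, and provides a
# helper that mirrors the ruleset's decision for a given source address.
# Assumptions: nftables is in use; table/chain names and port variables are ours.
set -eu

# Allow-list from the text. To take the narrower option, replace the /16 with
# your own subnet; the VPN range stays.
ALLOW_NETS="130.64.0.0/16 130.64.26.0/23"
SSH_PORT="${SSH_PORT:-22}"      # adjust if SSH runs on a non-default port
RDP_PORT="${RDP_PORT:-3389}"

# gen_ruleset: emit a default-drop input chain that accepts established traffic,
# loopback, and the remote-access ports only from the allow-listed sources.
# Denied attempts on those ports are logged so they show up in your monitoring.
gen_ruleset() {
  elems=$(echo "$ALLOW_NETS" | sed 's/ /, /g')
  cat <<EOF
table inet remote_access {
  set allowed_src {
    type ipv4_addr
    flags interval
    elements = { $elems }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif "lo" accept
    ip saddr @allowed_src tcp dport { $SSH_PORT, $RDP_PORT } accept
    tcp dport { $SSH_PORT, $RDP_PORT } log prefix "remote-access-denied: " drop
  }
}
EOF
}

# ip4_to_int: dotted-quad IPv4 address -> integer, using only POSIX sh arithmetic.
ip4_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR: succeeds when IP lies inside CIDR (prefix lengths 1..32).
in_cidr() {
  ip=$(ip4_to_int "$1")
  net=$(ip4_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# policy_decision IP: prints "allow" or "deny", the same outcome the ruleset
# above gives a new SSH/RDP connection from that source.
policy_decision() {
  for net in $ALLOW_NETS; do
    if in_cidr "$1" "$net"; then
      echo allow
      return 0
    fi
  done
  echo deny
}

# Usage (as root): sh remote_access_fw.sh --print > /etc/nftables.conf && nft -f /etc/nftables.conf
if [ "${1:-}" = "--print" ]; then
  gen_ruleset
fi
```

Before loading the ruleset on a remote machine, check that the address you are connecting from yields "allow" (for example, `policy_decision 130.64.26.10`), since a default-drop chain that omits your own source will cut off your session.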
Encrypt Data In Motion
Use encryption for all remote access authentication. RDP and SSH are encrypted out of the box, but VNC, telnet, and others are not. If possible, only enable encrypted remote access services and turn off all unencrypted access services.
Stay Up-To-Date
It's very important to keep all of your network-available services up-to-date. If a serious flaw is uncovered in your remote access software, update immediately or shut the service off until an update can be deployed.
Use a Different TCP/IP Port
Depending on the kind of service you run, and the audience to which it is provided, you may be able to run your remote access service on a non-default port. This will not stop dedicated port scanners, but can remove a lot of noisy traffic just looking for open services with weak or stolen passwords. This may or may not be appropriate in your environment.
Run a Blacklisting Application
Some services can work well with a blacklisting program to block access to source IPs with too many failed logins. One of the most common is denyhosts for SSH.
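As an added example (not part of this page and not denyhosts' own code), the script below shows the core of what such a blacklisting tool does: it tallies failed sshd logins per source address from an auth log and reports the addresses that cross a threshold, which is the list you would feed to a firewall set or deny file. The log lines are constructed for the example; the hostnames, PIDs and addresses in them are invented, and the threshold of 3 is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not from the Tufts KB page, not denyhosts code). Counts failed
# sshd logins per source address and reports sources at or above a threshold.
# The sample log below is constructed; all hosts, PIDs and addresses are invented.
set -eu

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 host1 sshd[2101]: Failed password for root from 203.0.113.45 port 51812 ssh2
Mar  3 10:01:15 host1 sshd[2101]: Failed password for root from 203.0.113.45 port 51812 ssh2
Mar  3 10:01:19 host1 sshd[2103]: Invalid user admin from 203.0.113.45 port 51830
Mar  3 10:01:21 host1 sshd[2103]: Failed password for invalid user admin from 203.0.113.45 port 51830 ssh2
Mar  3 10:02:02 host1 sshd[2110]: Accepted publickey for alice from 130.64.26.14 port 40022 ssh2
Mar  3 10:03:40 host1 sshd[2115]: Failed password for bob from 130.64.26.14 port 40100 ssh2
Mar  3 10:03:44 host1 sshd[2115]: Accepted password for bob from 130.64.26.14 port 40100 ssh2
Mar  3 10:05:00 host1 sshd[2120]: Failed password for invalid user test from 198.51.100.7 port 33012 ssh2
Mar  3 10:05:03 host1 sshd[2120]: Failed password for invalid user test from 198.51.100.7 port 33012 ssh2
Mar  3 10:05:07 host1 sshd[2120]: Failed password for invalid user test from 198.51.100.7 port 33012 ssh2
EOF

# failed_login_sources LOGFILE THRESHOLD
# Prints "<count> <ip>" for every source with at least THRESHOLD failed sshd
# attempts, highest count first. Only "Failed password" and "Invalid user"
# events count; a later successful login does not reset a source's tally.
failed_login_sources() {
  awk -v thr="$2" '
    /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
      # the source address is the field right after the word "from"
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
  ' "$1" | sort -rn
}

# block_candidates LOGFILE THRESHOLD
# Just the addresses, one per line, in the form a deny file or firewall set takes.
block_candidates() {
  failed_login_sources "$1" "$2" | awk '{ print $2 }'
}

# With a threshold of 3: 203.0.113.45 (4 failures) and 198.51.100.7 (3) are
# reported; 130.64.26.14 (1 failure, then success) is not.
block_candidates "$SAMPLE_LOG" 3
```

Two points a real tool adds on top of this: a time window, so that a burst of failures is treated differently from the same count spread over a week, and an allow-list so that the campus and VPN ranges you depend on cannot be blocked by a single mistyped password.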
Consult With Others
Don't hesitate to consult with others who run similar environments, within UIT and across Tufts. You can also contact UIT's Information Security team at any time to discuss best practices and how they apply to the Tufts environment.
Information on the Tufts IT Knowledgebase is intended for IT Professionals at Tufts.
If you have a question about a Tufts IT service or computer/account support, please contact your IT support group.