Securing the Connection
In the old days (last year), I depended upon SSL VPN software clients to secure these connections. Larger sites had remote access appliances that provided more capability, including “endpoint vetting” and clientless connectivity by means of sophisticated VPN portals, while also reducing CPU and memory load from the firewall. But SSL VPN had its own issues, including the need to work to secure the connection (such as limiting “lateral movement” inside the target network, and more). SSL VPN also doesn’t include integrated, full-featured multifactor authentication (MFA) that most of us consider baseline nowadays. SSL VPN connectivity remains an important arrow in the remote access quiver, but it wasn’t right for this sudden need.
This is where proxied Microsoft Remote Desktop (RDS) connectivity comes in. While an RDS gateway offers a quick and dirty answer, it doesn’t check all the security and management boxes; there are also concerns about management, privacy on the target machines, and more, so the search continued. When I found TruGrid SecureRDP, I was intrigued. It seemed too good to be true, but within hours of use, I was sold. And as interest in remote connectivity ticked up and I realized just how dramatically our clients’ needs were going to increase, I dove in, much more quickly than I normally would.
We don’t have the space to review the solution in depth, but to briefly summarize, you can think of it as an enhanced RDS client, working through a hosted and secured web proxy. It is delivered by means of either a browser plugin or a “connector” client installed on the remote machine. On the back end, you install TruGrid’s Sentry application, which is an Active Directory connector. Next, you create a security group to enumerate users who should be granted remote access. In TruGrid’s hosting space you create the target machines that are to be accessed remotely, and then designate who has access to which machine(s). Additionally, you have access to statistics on who connects from where and when to what, and a bit more.
There is more to like, such as the ability to fine-tune hosting sites, “direct connect” options, integrated MFA with push capabilities (if you use TruGrid’s iOS or Android app), and more. And since this is all based on RDP/RDS, you can also control the connection by group policy, limiting drive, printer and other resource remapping, and more, and managing your data leak prevention risk. Once you’re good at it, you can expect a 20-minute server install, 20 minutes in TruGrid’s cloud, and 10 to 20 minutes per remote machine. That remote install is simple enough that many users can do it on their own. Nothing is perfect, and there were some early authentication issues, but they were addressed quickly, right in the midst of our March COVID-19 madness.
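To check that the group policy limits on drive, printer and other redirection mentioned above have actually landed on a target machine, the following added example (not from TruGrid or the original article) reads the Remote Desktop Services policy values from the registry and reports each one. The value names are the ones written by the "Device and Resource Redirection" policy settings; which of them to audit, and the function name, are this example's own choices.

```powershell
# Added example: audit RDP redirection policy on a machine that accepts
# remote desktop connections. A value of 1 means the redirection is blocked.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Settings to check (this example's selection, not a list from the article)
$Checks = [ordered]@{
    fDisableCdm      = 'Drive redirection'
    fDisableCpm      = 'Printer redirection'
    fDisableClip     = 'Clipboard redirection'
    fDisableCcm      = 'COM port redirection'
    fDisableLPT      = 'LPT port redirection'
    fDisablePNPRedir = 'Plug and Play device redirection'
}

function Get-RdpRedirectionAudit {
    param([string]$Key = $PolicyKey)

    # A missing key means no Remote Desktop Services policy is applied at all
    $props = $null
    if (Test-Path -Path $Key) {
        $props = Get-ItemProperty -Path $Key
    }

    foreach ($name in $Checks.Keys) {
        $value = $null
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $value = $props.$name
        }

        # Anything other than an explicit 1 is not enforced by policy
        $state = 'Allowed'
        if ($null -eq $value) { $state = 'NotConfigured' }
        elseif ($value -eq 1) { $state = 'Blocked' }

        [pscustomobject]@{
            Setting     = $Checks[$name]
            PolicyValue = $name
            State       = $state
            NeedsReview = ($state -ne 'Blocked')
        }
    }
}

# Show the full report, then only the settings that still permit redirection
$report = Get-RdpRedirectionAudit
$report | Format-Table -AutoSize
$report | Where-Object NeedsReview | Select-Object Setting, State
```

Run it on the target machine after `gpupdate /force`; any row marked `NotConfigured` or `Allowed` is a redirection channel the policy is not restricting.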
Further Down the Road
In the short term, DNSFilter agents and secure, proxied access from TruGrid are a great start on securing the new endpoints we now support. Longer term, our goal is to completely secure these new endpoints to the level of our fully managed ones. They will not be sitting behind UTM firewalls any time soon, but we can apply the rest of our stack to them, including RMM agents, patch management, EDR clients and SOC services, dark web alerting, and user training.
Perhaps a more secure remote workforce will be the new normal and a silver lining to this amazing challenge we are all facing.
JOSHUA LIBERMAN is president of Net Sciences, founded in 1996. A 25-year ASCII Group member, former rock climber and martial artist, and lifelong photographer, Liberman has visited five continents and speaks many languages. He also writes and speaks in the IT field and raises Siberian Huskies with his wife Heidi, who calls him the Most Interesting Geek in the World.
Opening image: Courtesy of TruGrid