Avaya Secure Remote Access User Manual, Page 8
Secure Remote Access Technical Solution Guide v1.0
system. The mechanism must be tied to a process that alerts system administrators of failed
logon attempts and requires follow-up with appropriate action.
Define a procedure to reset expired or locked-out passwords that requires providing additional
private information that is only known to valid users.
2.3 Client admission, compliance, and remediation
In addition to user authentication, check the security policy compliance of endpoints, such as
PCs, laptops, and other devices connecting to your network, before they are admitted. Establish a
minimal set of criteria that includes:
• Antivirus protection and signature updates
• Personal firewall to protect PCs while connecting through the Internet
• Antispyware to detect and remove software that collects personal information
• Required operating system type, version, and service pack level
You can also use this minimal set of requirements to distinguish managed devices from shared
PCs such as Internet kiosks and home computers. In the case of non-compliance, you can deny
access or provide access to a minimal set of controlled web applications based on the security
sensitivity of your environment. You may also wish to provide a remediation portal for
non-compliant devices with access to software updates, patches, and other tools.
2.4 Establish authorization based on user and network context
Employ the security concept of least privilege: only allow access to the minimal set of
applications and network subnets required for each group of remote access users. In general,
remote access users do not need full IP access to all parts of your network, including desktop
subnets and all application servers. Use per-group access controls as a baseline for limiting
access. Augment this baseline with additional rules to allow or deny access based on:
• Authentication strength (client-certificate use, simple password, or OTP/two-factor)
• Device type (managed or non-managed/shared)
• Source IP address (applicable for home-based teleworkers with static IP assignments)
• Results of endpoint compliance scanning
• Access type (such as web-only access or full IP access through virtual network adaptors)
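The admission check in section 2.3 and the context-based authorization in section 2.4 are two stages of one decision, so the following added example (not code from the guide or from any Avaya product) shows them together: an endpoint is first scored against the minimal compliance criteria, then the per-group baseline is narrowed by device type, authentication strength and source address. The criteria values, group names, application names, subnets, and the static teleworker range are all assumptions chosen for illustration.

```python
"""Endpoint admission plus context-aware authorization for remote access.
Added illustration; every policy value and name below is an assumption."""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress


@dataclass
class Endpoint:
    os_name: str
    service_pack: int
    av_installed: bool
    av_signature_date: date
    firewall_enabled: bool
    antispyware_installed: bool
    managed: bool  # corporate-managed PC, as opposed to a kiosk or home computer


@dataclass
class Session:
    username: str
    group: str
    auth_method: str  # "password", "otp" (two-factor) or "cert" (client certificate)
    source_ip: str
    endpoint: Endpoint


# Minimal admission criteria (assumed values; tune to your environment)
MIN_SERVICE_PACK = {"Windows XP": 3, "Windows Vista": 1}
MAX_SIGNATURE_AGE = timedelta(days=7)

# Per-group baseline (least privilege): web applications and, only where the
# group needs it, subnets reachable through the virtual network adapter.
GROUP_BASELINE = {
    "sales": {"apps": {"webmail", "crm"}, "subnets": set()},
    "it-admins": {"apps": {"webmail"}, "subnets": {"10.10.0.0/24"}},
}
SHARED_DEVICE_APPS = {"webmail"}  # applications considered safe from shared PCs
TELEWORKER_STATIC_RANGES = ["203.0.113.0/24"]  # registered static home addresses
AUTH_RANK = {"password": 1, "otp": 2, "cert": 3}


def compliance_failures(ep, today):
    """Return the admission criteria the endpoint fails (empty means compliant)."""
    failures = []
    if not ep.av_installed:
        failures.append("antivirus missing")
    elif today - ep.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures stale")
    if not ep.firewall_enabled:
        failures.append("personal firewall disabled")
    if not ep.antispyware_installed:
        failures.append("antispyware missing")
    min_sp = MIN_SERVICE_PACK.get(ep.os_name)
    if min_sp is None:
        failures.append(f"unsupported OS {ep.os_name}")
    elif ep.service_pack < min_sp:
        failures.append(f"{ep.os_name} below SP{min_sp}")
    return failures


def from_static_teleworker_ip(source_ip):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r) for r in TELEWORKER_STATIC_RANGES)


def authorize(session, today):
    """Apply the group baseline, then narrow it with the context rules."""
    if session.group not in GROUP_BASELINE:
        return {"decision": "deny", "apps": set(), "subnets": set(), "reason": "unknown group"}
    failures = compliance_failures(session.endpoint, today)
    if failures:
        # Non-compliant endpoint: only the remediation portal (updates, patches, tools)
        return {"decision": "remediate", "apps": {"remediation-portal"},
                "subnets": set(), "reason": "; ".join(failures)}
    apps = set(GROUP_BASELINE[session.group]["apps"])
    subnets = set(GROUP_BASELINE[session.group]["subnets"])
    reason = "group baseline"
    if not session.endpoint.managed:
        # Shared or non-managed device: web-only access to a reduced application set
        apps &= SHARED_DEVICE_APPS
        subnets = set()
        reason = "non-managed device: web-only"
    elif subnets:
        # Full IP access requires strong authentication: a client certificate from
        # anywhere, or OTP from a registered static teleworker address
        rank = AUTH_RANK[session.auth_method]
        weak_otp = rank == AUTH_RANK["otp"] and not from_static_teleworker_ip(session.source_ip)
        if rank < AUTH_RANK["otp"] or weak_otp:
            subnets = set()
            reason = "authentication or source too weak for full IP access: web-only"
    return {"decision": "allow", "apps": apps, "subnets": subnets, "reason": reason}


if __name__ == "__main__":
    today = date(2009, 6, 1)
    laptop = Endpoint("Windows XP", 3, True, date(2009, 5, 30), True, True, True)
    print(authorize(Session("alice", "it-admins", "otp", "203.0.113.5", laptop), today))
    kiosk = Endpoint("Windows XP", 2, True, date(2009, 5, 30), True, True, False)
    print(authorize(Session("bob", "sales", "password", "198.51.100.7", kiosk), today))
```

The ordering matters: the compliance result is evaluated before any group privilege is granted, so a non-compliant managed laptop with a client certificate still lands on the remediation portal, and a fully compliant kiosk never receives a virtual adapter regardless of how the user authenticated.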
2.5 Inspect and track remote access user activity
After users are granted access, it is critical to continually monitor and log activity. Check endpoint
compliance periodically to determine if rogue software successfully disabled security software
during a session.
Ensure that key security and information access related events are logged to a centralized event
manager, such as a syslog server or security event/incident collector. Examples of items to track
include:
• Successful and failed logon attempts, including source address and username
• Session start and stop times
• IP assignment of private addresses with correlation to username
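Centralized logging is only useful if something consumes the events. The following added example (not from the guide or any Avaya product) reads a handful of constructed gateway events in a hypothetical key=value syslog format, keeps a session table that ties each assigned private address to the username behind it, and raises the two alerts this page calls for: repeated failed logons from one source (the follow-up process mentioned at the top of the page) and a periodic compliance check that fails mid-session. The log format, hostnames, session ids and threshold are assumptions.

```python
"""Parse remote-access gateway events, correlate assigned private addresses
with usernames and raise alerts. Added illustration: the key=value syslog
format and the sample events below are constructed, not a real product's."""
import re
from collections import Counter

FAILED_LOGON_THRESHOLD = 3  # assumed: alert administrators at this count

# Constructed sample events as a gateway might send them to a syslog server
SAMPLE_LOG = """\
Jun  1 08:00:01 vpn-gw1 sra: event=logon result=failure user=bob src=198.51.100.7
Jun  1 08:00:05 vpn-gw1 sra: event=logon result=failure user=bob src=198.51.100.7
Jun  1 08:00:09 vpn-gw1 sra: event=logon result=failure user=bob src=198.51.100.7
Jun  1 08:01:10 vpn-gw1 sra: event=logon result=success user=alice src=203.0.113.5 session=17
Jun  1 08:01:11 vpn-gw1 sra: event=ipassign session=17 vip=10.200.0.14
Jun  1 08:31:00 vpn-gw1 sra: event=compliance session=17 result=failure reason=firewall_disabled
Jun  1 08:31:01 vpn-gw1 sra: event=logoff session=17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+): (?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one syslog line into a dict of fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = dict(KV_RE.findall(m.group("kv")))
    event["ts"], event["host"] = m.group("ts"), m.group("host")
    return event


def analyze(log_text):
    """Build a session table keyed by session id and a list of alert strings."""
    sessions, failures, alerts = {}, Counter(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind = ev.get("event")
        if kind == "logon" and ev.get("result") == "failure":
            key = (ev["src"], ev["user"])
            failures[key] += 1
            if failures[key] == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{failures[key]} failed logons for {ev['user']} "
                              f"from {ev['src']} by {ev['ts']}")
        elif kind == "logon":
            sessions[ev["session"]] = {"user": ev["user"], "src": ev["src"],
                                       "start": ev["ts"], "stop": None,
                                       "vip": None, "compliance": []}
        else:
            s = sessions.get(ev.get("session"))
            if s is None:
                alerts.append(f"{kind} event for unknown session at {ev['ts']}")
            elif kind == "ipassign":
                s["vip"] = ev["vip"]  # private address is now tied to the username
            elif kind == "compliance" and ev.get("result") == "failure":
                s["compliance"].append(ev["reason"])
                alerts.append(f"session {ev['session']} ({s['user']}) failed "
                              f"periodic compliance check: {ev['reason']}")
            elif kind == "logoff":
                s["stop"] = ev["ts"]
    return sessions, alerts


def owner_of_private_ip(sessions, vip):
    """Map an assigned private address back to the username that held it."""
    owners = [s["user"] for s in sessions.values() if s["vip"] == vip]
    return owners[-1] if owners else None


if __name__ == "__main__":
    table, found = analyze(SAMPLE_LOG)
    for sid, s in table.items():
        print(sid, s)
    for a in found:
        print("ALERT:", a)
    print("10.200.0.14 belonged to", owner_of_private_ip(table, "10.200.0.14"))
```

Private addresses from the virtual adapter pool are reused across sessions, so a production lookup should bound the search by session start and stop times (and by year, which the classic syslog timestamp omits) rather than taking the last match as this example does.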