
    Looking for a remote access solution

      Dashrender @JaredBusch

      @jaredbusch said in Looking for a remote access solution:

      Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

      Done.

      I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

        1337 @Dashrender

        @dashrender said in Looking for a remote access solution:

        @jaredbusch said in Looking for a remote access solution:

        Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

        Done.

        I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

        If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

          JaredBusch @1337

          @pete-s said in Looking for a remote access solution:

          @dashrender said in Looking for a remote access solution:

          @jaredbusch said in Looking for a remote access solution:

          Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

          Done.

          I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

          If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

          Are you stupid?

            1337 @JaredBusch

            @jaredbusch said in Looking for a remote access solution:

            @pete-s said in Looking for a remote access solution:

            @dashrender said in Looking for a remote access solution:

            @jaredbusch said in Looking for a remote access solution:

            Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

            Done.

            I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

            If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

            Are you stupid?

            Always.

              Dashrender @1337

              @pete-s said in Looking for a remote access solution:

              @dashrender said in Looking for a remote access solution:

              @jaredbusch said in Looking for a remote access solution:

              Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

              Done.

              I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

              If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

              Jared is saying to RDP into the PC in the DC I mentioned as an option.

              But how you were reading it, is how I first read his recommendation - then duh.. realized the RDP part... which is a great idea...

                JaredBusch @Dashrender

                @dashrender said in Looking for a remote access solution:

                @pete-s said in Looking for a remote access solution:

                @dashrender said in Looking for a remote access solution:

                @jaredbusch said in Looking for a remote access solution:

                Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                Done.

                I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

                Jared is saying to RDP into the PC in the DC I mentioned as an option.

                Which you can also do with VPN solutions.

                  Dashrender @JaredBusch

                  @jaredbusch said in Looking for a remote access solution:

                  @dashrender said in Looking for a remote access solution:

                  @pete-s said in Looking for a remote access solution:

                  @dashrender said in Looking for a remote access solution:

                  @jaredbusch said in Looking for a remote access solution:

                  Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                  Done.

                  I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                  If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

                  Jared is saying to RDP into the PC in the DC I mentioned as an option.

                  Which you can also do with VPN solutions.

                  ZT is a VPN solution.

                    JaredBusch @Dashrender

                    @dashrender said in Looking for a remote access solution:

                    @jaredbusch said in Looking for a remote access solution:

                    @dashrender said in Looking for a remote access solution:

                    @pete-s said in Looking for a remote access solution:

                    @dashrender said in Looking for a remote access solution:

                    @jaredbusch said in Looking for a remote access solution:

                    Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                    Done.

                    I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                    If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

                    Jared is saying to RDP into the PC in the DC I mentioned as an option.

                    Which you can also do with VPN solutions.

                    ZT is a VPN solution.

                    Not of the type you were discussing. Don't be a Scott.

                    OpenVPN with MFA: https://openvpn.net/blog/openvpn-mfa-setup-community-edition/

                      JaredBusch @Dashrender

                      @dashrender said in Looking for a remote access solution:

                      @jaredbusch said in Looking for a remote access solution:

                      Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                      Done.

                      I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                      Then put the 2fa on the Windows RDP login with a service like Duo.
                      https://duo.com/docs/rdp
                      https://duo.com/editions-and-pricing/duo-free

                      Just use ZT to lower (all but remove) the attack surface.

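A host-side way to apply the "restrict it to only RDP" and "lower the attack surface" advice from the post above, as an added example that is not part of the thread: Windows Firewall on the PC in the DC accepts RDP only from the ZeroTier subnet, then lists what still allows port 3389. The subnet and rule names are placeholders, and it assumes an English-language Windows (the `Remote Desktop` rule group name is localized) with the default inbound action left at Block.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the PC that users will RDP into.
# Assumptions: $ZtSubnet is a placeholder for the network's ZeroTier managed
# route; $RuleName is an arbitrary label chosen for this example.
$ZtSubnet = '10.147.17.0/24'
$RuleName = 'RDP from ZeroTier only'

# 1. Disable the built-in Remote Desktop rules. They allow RDP from any
#    remote address, which is the exposure being removed.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Allow RDP (TCP and UDP 3389) only when the source is a ZeroTier peer.
#    The existence check makes the script safe to re-run.
foreach ($proto in 'TCP', 'UDP') {
    $name = "$RuleName ($proto)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
            -Protocol $proto -LocalPort 3389 -RemoteAddress $ZtSubnet `
            -Profile Any | Out-Null
    }
}

# 3. Verify: report every enabled inbound allow rule that names port 3389,
#    with the remote addresses it accepts. Anything scoped wider than
#    $ZtSubnet needs a second look.
#    Rules whose local port is 'Any' are not listed here; review those
#    separately if the default inbound action is not Block.
Get-NetFirewallRule |
    Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
    } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if (@($port.LocalPort) -contains '3389') {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Protocol      = $port.Protocol
                RemoteAddress = @($addr.RemoteAddress) -join ','
                ScopedToZt    = (@($addr.RemoteAddress) -join ',') -eq $ZtSubnet
            }
        }
    } |
    Format-Table -AutoSize
```

This only narrows who can reach the RDP listener; the second factor on the Windows logon is configured separately, as the post describes.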
                        Dashrender @JaredBusch

                        @jaredbusch said in Looking for a remote access solution:

                        @dashrender said in Looking for a remote access solution:

                        @jaredbusch said in Looking for a remote access solution:

                        Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                        Done.

                        I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                        Then put the 2fa on the Windows RDP login with a service like Duo.
                        https://duo.com/docs/rdp
                        https://duo.com/editions-and-pricing/duo-free

                        Just use ZT to lower (all but remove) the attack surface.

                        There you go - I like that, and Duo has a free tier for 10 users.

                          scottalanmiller @Dashrender

                          @dashrender said in Looking for a remote access solution:

                          This mostly leads to a VDI type solution, at least in my mind.

                          Start with RDS. Only look at VDI when RDS isn't possible. RDS is easier to manage, less costly. (All this assuming that Windows is a requirement.)

                            scottalanmiller @Dashrender

                            @dashrender said in Looking for a remote access solution:

                            @jaredbusch said in Looking for a remote access solution:

                            Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                            Done.

                            I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                            ZT + RDP IS MFT!!!

                              scottalanmiller @1337

                              @pete-s said in Looking for a remote access solution:

                              @dashrender said in Looking for a remote access solution:

                              @jaredbusch said in Looking for a remote access solution:

                              Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                              Done.

                              I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                              If you can't run over VPN due to latency, you can't run over Zerotier. It will be exactly the same.

                              In this example, ZT is just for encapsulating RDP. So it's RDP encryption, not the app over VPN.

                                scottalanmiller @JaredBusch

                                @jaredbusch said in Looking for a remote access solution:

                                Not of the type you were discussing. Don't be a Scott.

                                Always a type discussed if someone mentions VPN and knows anything. ZT is no more special or niche than any other VPN. It's every bit as much a VPN as some random other assumed solution.

                                To most people, VPN is purely a Netflix location trickery tool and has nothing to do with security or access to resources.

                                  scottalanmiller @JaredBusch

                                  @jaredbusch said in Looking for a remote access solution:

                                  @dashrender said in Looking for a remote access solution:

                                  @jaredbusch said in Looking for a remote access solution:

                                  Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                                  Done.

                                  I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                                  Then put the 2fa on the Windows RDP login with a service like Duo.
                                  https://duo.com/docs/rdp
                                  https://duo.com/editions-and-pricing/duo-free

                                  Just use ZT to lower (all but remove) the attack surface.

                                  That would get them up to 3FA (which isn't a bad thing) assuming ZT isn't somehow tied to some other authentication mechanism.

                                    scottalanmiller @Dashrender

                                    @dashrender said in Looking for a remote access solution:

                                    @jaredbusch said in Looking for a remote access solution:

                                    @dashrender said in Looking for a remote access solution:

                                    @jaredbusch said in Looking for a remote access solution:

                                    Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                                    Done.

                                    I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                                    Then put the 2fa on the Windows RDP login with a service like Duo.
                                    https://duo.com/docs/rdp
                                    https://duo.com/editions-and-pricing/duo-free

                                    Just use ZT to lower (all but remove) the attack surface.

                                    There you go - I like that, and Duo has a free tier for 10 users.

                                    But not required. You have 2FA without it. ZT cert + RDP password.

                                      Dashrender @scottalanmiller

                                      @scottalanmiller said in Looking for a remote access solution:

                                      To most people, VPN is purely a Netflix location trickery tool and has nothing to do with security or access to resources.

                                      I don't know about that - at least not anymore. The pandemic I think brought VPN and security into the general consciousness.

                                        Dashrender @scottalanmiller

                                        @scottalanmiller said in Looking for a remote access solution:

                                        @jaredbusch said in Looking for a remote access solution:

                                        @dashrender said in Looking for a remote access solution:

                                        @jaredbusch said in Looking for a remote access solution:

                                        Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                                        Done.

                                        I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                                        Then put the 2fa on the Windows RDP login with a service like Duo.
                                        https://duo.com/docs/rdp
                                        https://duo.com/editions-and-pricing/duo-free

                                        Just use ZT to lower (all but remove) the attack surface.

                                        That would get them up to 3FA (which isn't a bad thing) assuming ZT isn't somehow tied to some other authentication mechanism.

                                        As it's been AGES since I've used ZT - can you make the user have to log into it each time they launch it? If yes - and its logon isn't associated with AD (as you mentioned) then OK - I see how you consider ZT and RDP MFA.

                                          scottalanmiller @Dashrender

                                          @dashrender said in Looking for a remote access solution:

                                          @scottalanmiller said in Looking for a remote access solution:

                                          To most people, VPN is purely a Netflix location trickery tool and has nothing to do with security or access to resources.

                                          I don't know about that - at least not anymore. The pandemic I think brought VPN and security into the general consciousness.

                                          Yes, but in the way that I said. Everyone knows the term, everyone thinks it's a thing for Netflix. Two years ago, a few people knew it. Now with the boom of YouTubers and these "VPN products" being sold through all the consumer channels, the pandemic has made "VPN as entertainment" a forefront thing.

                                            scottalanmiller @Dashrender

                                            @dashrender said in Looking for a remote access solution:

                                            @scottalanmiller said in Looking for a remote access solution:

                                            @jaredbusch said in Looking for a remote access solution:

                                            @dashrender said in Looking for a remote access solution:

                                            @jaredbusch said in Looking for a remote access solution:

                                            Put zerotier on the box in the DC and the user's box. restrict it to only RDP.

                                            Done.

                                            I really like this - sadly - our insurance policy requires MFA for remote access. I'll have to see if ZT has anything for that.

                                            Then put the 2fa on the Windows RDP login with a service like Duo.
                                            https://duo.com/docs/rdp
                                            https://duo.com/editions-and-pricing/duo-free

                                            Just use ZT to lower (all but remove) the attack surface.

                                            That would get them up to 3FA (which isn't a bad thing) assuming ZT isn't somehow tied to some other authentication mechanism.

                                            As it's been AGES since I've used ZT - can you make the user have to log into it each time they launch it? If yes - and its logon isn't associated with AD (as you mentioned) then OK - I see how you consider ZT and RDP MFA.

                                            The user can be forced to start or stop the process. The fact that it uses a key (something you have) owned by the user makes it MFA regardless of if they automate the login or force it to be manual.

                                            Don't try to compare it to Duo or something like that which uses "something you have" to generate "something you know." Compare it to a security USB stick like YubiKey. It's a direct "something you have" 2FA in that sense.
