Scope
This standard applies to all employees, contractors, vendors and agents who use a CUIMC-owned or personally-owned computer or workstation to connect to the CUIMC network from a remote location or from an unsecured wireless network on campus.
Purpose
This standard provides basic guidance designed to ensure that a user's remote access connections to the CUIMC network receive the same security protection as the user's on-site connections.
Any system used for remote access must comply with applicable CU and CUIMC policies and procedures, even if the device used for remote access is personally owned. At a minimum:
- The remote system must be registered with a Certified IT Group.
- The remote system must be kept current with operating-system and application patches and must run up-to-date antivirus protection.
- The remote system must be full-disk encrypted.
General Standards
- Requests for software that enables remote access into the CUIMC network must be reviewed and approved by the user's manager.
- All remote devices (workstations, laptops, tablets, etc.) must connect to the CUIMC network through the CUIMC Virtual Private Network (VPN). Any exception must be reviewed by the CUIMC Information Security Office.
- Remote access tools must support strong, end-to-end encryption of the remote access communication channels.
- Each remote user must have an Active Directory (MC Domain/Dept. Domain) account.
- Generic or shared (group) accounts shall not be used for remote desktop sessions; every session must be attributable to one named user.
- Authorized users shall protect their login UNI and password, even from family members.
- While a remote session to a CUIMC workstation is active, the device must not maintain any other remote network connection (for example a second VPN or remote desktop session to another network).
- Data on the CUIMC network is considered proprietary. Remote users shall not copy any data from the CUIMC network to devices or storage that are not managed by CUIMC, including removable media connected to the remote device.
- The remote device must use up-to-date anti-virus and anti-spyware software. The anti-virus and anti-spyware software must not be disabled or circumvented during the remote desktop session.
Remote Device Configuration
It is recommended that the host accepting the remote desktop connection be secured as follows:
- Enable the settings that allow Remote Assistance connections and Remote Desktop connections, and require Network Level Authentication (NLA) so that only clients that authenticate before a session is created can connect.
- Keep the host firewall enabled and permit only the Remote Desktop listener through it. If the listening port is changed (see below), the firewall rule must be updated to match, because the built-in Remote Desktop rule only covers the default port.
- Require secure RPC communication.
- Set the security layer for RDP connections to SSL (TLS) rather than RDP or Negotiate. Windows labels this option "SSL (TLS 1.0)", but the TLS version actually negotiated is governed by the system's Schannel settings; TLS 1.0 is deprecated and should be disabled so that TLS 1.2 is used.
- Sessions should be configured to time out after 15 minutes of inactivity.
- Change the port used to listen for remote desktop connections from the default of 3389 to a non-standard port number. This reduces exposure to automated scans but is not a security control on its own; the VPN requirement and NLA above remain mandatory.
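The settings in the list above correspond to Group Policy options, each of which is stored in a well-known registry value. The following PowerShell script is an added example, not part of the CUIMC standard or its published tooling: it audits those values against the desired state and, when run with `-Apply` in an elevated session, enforces them and adjusts the host firewall. The port number `33890` and the firewall rule name `CUIMC RDP (custom port)` are assumptions chosen for this example; the TLS 1.0 Schannel keys implement the caveat on the security-layer setting.

```powershell
<#
  Added example (not CUIMC's own code): audit, and with -Apply enforce, the Remote
  Desktop host settings in this standard via the registry values that the
  corresponding Group Policy settings write. Run in an elevated PowerShell on the
  Windows host that accepts the RDP connection.
#>
param(
    [switch]$Apply,
    [int]$RdpPort     = 33890,   # assumption: any unused, non-standard port
    [int]$IdleMinutes = 15       # idle timeout required by the standard
)

$TS     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TS\WinStations\RDP-Tcp"
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$Assist = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$Tls10  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server'

# Desired state: one row per item in the standard (DWORD values).
$Desired = @(
    @{ Path=$TS;     Name='fDenyTSConnections'; Value=0; Why='allow Remote Desktop connections' },
    @{ Path=$Assist; Name='fAllowToGetHelp';    Value=1; Why='allow Remote Assistance connections' },
    @{ Path=$RdpTcp; Name='UserAuthentication'; Value=1; Why='require Network Level Authentication' },
    @{ Path=$Policy; Name='fEncryptRPCTraffic'; Value=1; Why='require secure RPC communication' },
    @{ Path=$RdpTcp; Name='SecurityLayer';      Value=2; Why='security layer = SSL (TLS); 0=RDP, 1=Negotiate' },
    @{ Path=$Policy; Name='MaxIdleTime';        Value=($IdleMinutes * 60 * 1000); Why="end idle sessions after $IdleMinutes min (value in ms)" },
    @{ Path=$RdpTcp; Name='PortNumber';         Value=$RdpPort; Why='listen on a non-default port' },
    @{ Path=$Tls10;  Name='Enabled';            Value=0; Why='disable TLS 1.0 server-side in Schannel' },
    @{ Path=$Tls10;  Name='DisabledByDefault';  Value=1; Why='never offer TLS 1.0 by default' }
)

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$nonCompliant = 0
foreach ($s in $Desired) {
    $current = Get-RegDword $s.Path $s.Name
    if ($current -eq $s.Value) {
        $state = 'OK'
    } else {
        $nonCompliant++
        if ($Apply) { Set-RegDword $s.Path $s.Name $s.Value; $state = 'FIXED' } else { $state = 'NONCOMPLIANT' }
    }
    $shown = if ($null -eq $current) { '<unset>' } else { $current }
    '{0,-12} {1,-19} current={2,-9} want={3,-9} {4}' -f $state, $s.Name, $shown, $s.Value, $s.Why
}

if ($Apply) {
    # Host firewall stays on for every profile; only the RDP listener is permitted.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    # The built-in "Remote Desktop" rules are bound to port 3389, so they are
    # disabled and replaced with one rule for the configured port.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
    $ruleName = 'CUIMC RDP (custom port)'   # assumption: name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $RdpPort -Action Allow -Profile Domain, Private | Out-Null
    }
    # PortNumber and SecurityLayer take effect only after the listener restarts;
    # this drops any live RDP session, so run it from a console or out-of-band session.
    Restart-Service TermService -Force
}

# Non-zero exit in audit mode lets a scheduled task or config-management run flag drift.
if ($nonCompliant -gt 0 -and -not $Apply) { exit 1 }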
Session Monitoring
Remote Desktop Services (RDS) hosts should monitor all remote desktop sessions. For each session, the user account, source address, session start, disconnect and end times, and the processes started during the session should be captured and retained.
Remote desktop users should be aware that their sessions may be monitored when remotely accessing the CUIMC network or whenever they use CUIMC computer resources.
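On a Windows Remote Desktop host the session events the preceding paragraph asks for are already written to the `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` log (event 21 logon, 23 logoff, 24 disconnect, 25 reconnect), each carrying the user, session ID and client address. The following script is an added example, not part of the CUIMC standard, that extracts those records into a table a SOC can retain or forward; the 24-hour window and the export path `C:\RDSAudit` are assumptions made for this example.

```powershell
<#
  Added example (not CUIMC's own code): collect Remote Desktop session events from
  the local RDS host into a CSV for retention. Run as an administrator on the host.
#>
param(
    [int]$Hours = 24,                      # assumption: look back one day
    [string]$OutDir = 'C:\RDSAudit'        # assumption: local retention folder
)

$LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
$EventNames = @{ 21 = 'Logon'; 23 = 'Logoff'; 24 = 'Disconnect'; 25 = 'Reconnect' }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = $LogName
    Id        = 21, 23, 24, 25
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The details live in <UserData><EventXML>: User, SessionID and (for 21/25) Address.
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.EventXML
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Event     = $EventNames[[int]$e.Id]
        User      = $d.User
        SessionId = $d.SessionID
        Source    = $d.Address          # empty for logoff/disconnect events
        Host      = $e.MachineName
    }
}

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$file = Join-Path $OutDir ("rds-sessions-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
$rows | Sort-Object Time | Export-Csv -Path $file -NoTypeInformation

# Quick summary for the operator: sessions per user and the distinct source addresses seen.
$rows | Where-Object Event -in 'Logon', 'Reconnect' |
    Group-Object User |
    Select-Object @{n='User';e={$_.Name}}, Count,
                  @{n='Sources';e={($_.Group.Source | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize
"Wrote $($rows.Count) session events to $file"
```

Pair this with the Security log's logon events (ID 4624 with logon type 10 for successful RDP logons, ID 4625 for failures) when the goal is to detect password guessing rather than to account for sessions; the LocalSessionManager log only records sessions that were actually created.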