RDP on work computer

Status
You're currently viewing only hal_incandenza's posts. Click here to go back to viewing the entire thread.
My work from home setup for the last few years has been connecting my work laptop to my local network, and then connecting to it using RDP from my desktop. This way I have one keyboard/mouse and share the same monitors. "Going to work" is just opening RDP and stopping work is just minimizing/closing the RDP window.

Got a new laptop recently, and RDP connections are not enabled. I asked IT to enable it and they are giving me a hard time about it. I feel like if they are OK with my work laptop being on my home network, connecting to it with RDP from within my LAN is less of a security risk than just being on my LAN in the first place. Am I wrong about that? Any advice on the arguments I can make in favor of it not being an unacceptable security risk?
 
It's a pretty non-traditional workplace, I work in the front office for a pro sports team. So while we have an IT department, we are not necessarily completely at the mercy of their policies. Within reason I can escalate to my bosses and override things they decide on, and we have had to do so in the past.

The bosses also have a pretty low opinion of their competence because of a number of issues we have had with them. A couple of examples to illustrate the magnitude: our main point of contact is a director level employee who manages our server infrastructure, and he routinely ghosts us when we have important issues that need solving. Will completely ignore emails and Teams messages and follow ups for days/weeks on end. The most unprofessional behavior I've ever seen. The same guy occasionally reaches out to say he needs to install Microsoft security patches on our production database server that also runs a bunch of ETL/report automation. Multiple times, despite our explicit instructions to only install OS/MSSQL patches, he has just blindly clicked the "Update All" button in the program he uses to identify software with updates available, and taken down our entire reporting system by hosing our installation of R and the packages we use. Professional head coaches do not accept "well IT upgraded R when we told them not to and introduced breaking changes so nothing works until we can roll back" as an answer why they didn't get their reports.

It also is not officially their policy. When I asked them to enable it I was at home on VPN, and they kind of embarrassed themselves. First the tech who took over my machine was unable to find the setting to enable RDP connections and I sat there watching him fumble around for 5 minutes until I just opened it for him. Then the director from above tried to do it and got stuck when he couldn't see the admin password popup using the software to take over my machine. They recently took away local admin rights, so this raised an even bigger issue that they are unable to do something that requires admin rights when someone is remote on VPN. That's a major problem because half of my staff works remote. Only when he realized that did he try to save face and say "actually I'm not going to do this because security". They already knew I'd been doing this for years and changed their minds on a dime when they got caught in this rather untenable situation.

Long story short, I can potentially force an override to their policy, I just need to be armed with reasonable arguments about the security of doing it.
 
This is the team I am dealing with. I just got a new laptop and they didn't install ODBC drivers. When I requested them:

[attached screenshot: 1686604696044.png]
 
They don't need to tell you or write down their official policy. What you don't want to be is the Goat in this situation. The Scape variety. Because the worst that can happen is they lose your company's contract. Which is probably not the end of the world for them.

Maybe because of all the RDP flaws and exploits they decided to step up the security game. It's a work assigned laptop. Or maybe they finally caught wind of outsourcing scams that probably were industrial espionage, in which case they decided to change policy and don't really need to tell you about it.

https://www.npr.org/sections/thetwo...ced-employee-sends-own-job-to-china-surfs-web
https://www.cloudflare.com/learning/access-management/rdp-security-risks/
There is no contract to lose, we are all directly employed by the team. The entire purpose of our existence is to operate the team and win games. There are no outsourcing scams, we are a very small staff running a professional sports team. This IT staff exists solely to support the operations on the sports side, i.e. provide and service hardware and software for us.
 
Right, but the replies you have given show you are not considering the potential security issues.

The most common security problems that happen on corporate networks/resources are often caused by users who install/execute/click on things they should not touch or things they might not even see which can use zero-day attacks, drive-by attacks, etc.

Since the IT team can't control what you do with your personal PC or what updates and security measures you have on it, they do not want to allow your personal PC to have access to the work PC, especially something like remote desktop where it would provide very high level access to the work PC, especially if you save your password or keep the session open or something like that.

You could simply open the wrong email, or see the wrong ad on a web page on your personal PC, and then your work PC is suddenly owned by remote bad guys who could exfiltrate corporate data over the remote desktop session, use the access to get into corporate network assets and lock/encrypt, and exfiltrate them, extort the team, use the data to do any number of other bad things, and you would never know it until it is too late.

What you are asking for is reasons to override/evade a very reasonable IT policy because it causes you a very minor inconvenience. Actually I am not sure what inconvenience it causes you at all other than 'I like my way of doing it because I always did it this way'. What is the issue with simply connecting the work PC to your monitor and a second keyboard and mouse, or just using the keyboard on the work PC? If you just want it to be out of sight, then use a longer video cable and wireless keyboard and mouse. It's very easy.
I mean, in the OP I asked a question. I was not sure of the level of relative risk, and multiple people have answered the question. I am not asking to "evade" anything, I was asking if my assessment of the risk was wrong or not, and if it wasn't I was asking for some justification to bring them. They were perfectly fine with me connecting this way until I had to ask them to enable it on my new laptop; they embarrassed themselves fumbling around trying and failing to do it, and then pivoted to saying it was a risk. That is part of why I asked, because they'd never brought up security in the past when I told them this is how I worked at home.

These same techs also told me installing Microsoft PowerToys was a security risk, and raised a skeptical eye at me installing Python packages with Conda. I have three Ubuntu servers on our LAN, with root access, one of which is exposed to the internet to run our internal website, and they don't know anything about Linux so luckily I'm able to stay under the radar there. I'm pretty justified in being skeptical of them on these things, even if they stumbled into maybe being correct on this one. It's hard for me to overstate the level of incompetence we've dealt with from this staff for years. For some reason pro sports teams do a very poor job of finding and retaining this kind of talent, it's one of the most common complaints from my colleagues around the league in our Slack group.

I am essentially on call 24/7 and my work on nights and weekends is sporadic and unpredictable, I am constantly flipping back and forth between work and my personal machine. I have a very small home office and only room for one setup, and two monitors are crucial to productivity. My personal desktop is tucked away under my desk with the Logitech mouse dongle on the back to keep the front USB ports free for connecting drives etc. It is awfully presumptuous of you to call it "a very minor inconvenience", it is orders of magnitude more annoying and tedious to disconnect my desktop setup a dozen times over the course of a weekend to share it with my laptop, rather than simply opening or minimizing the RDP window. I mean, we have threads here all the time of people asking the best way to do exactly this because there isn't a great solution that makes it seamless, and myself and others have suggested this exact setup.
 
I think the big gap here is that I have not adequately described the incompetence of the existing staff, and the unique setup of how sports teams operate. This part:

You're not having to drive to the office to do work at night,
is actually not true, I do have to do that. It's happened multiple times that I have had to do so because of IT breaking something or just not knowing how to solve a problem. I work in an environment where I have to be available at all times and be able to solve any issue management might have, but I am dependent on an IT staff that is not up to the challenge. When I have to get something done it's non-negotiable, I have gotten out of bed and gone into the office quite a few times.

You suggested you could have the company management/ownership 'shout down' the IT staff to give you what you want. That is 'evading' to me

Indeed, just because that's what we've had to do in the past to get the bare minimum of support.

I think my workplace is just sort of unique in a way that doesn't jibe with the norm, and this wasn't really the right forum to ask my question. I understand that RDP has issues, it's just that our staff inspires no confidence whatsoever that they know what they are doing. We have no confidence that they are better suited to secure our network than what we could do on our own. It's a shitty situation.
 
I get that you have to go in on occasion, my point was that having to go from using RDP to having to use the computer with a cable to your monitor is still extremely convenient compared to having to go into the office. :)

Are you saying they are not an outsourced team and are employed directly by the organization as full time employees? If so, why have they not been replaced with more skilled workers? When you have direct control of the employees you should be able to set performance goals/minimums and KPIs that they need to meet (department ratings, etc.) that can result in incentives for better results or replacement for underperformers. Same as team players for a sports team, if they don't excel, you trade/drop their contract. If their department head doesn't provide this kind of ongoing improvement process, then (like a failing coach) you drop that department head.

Correct, not outsourced, all direct employees. Sports teams are strange organizations. I've worked for two teams, with 6 different executive groups across the two, and IT is often just a bare minimum just enough to get things done kind of situation. They also report directly to the CFO here, who is clueless about technology. We don't have a CTO.

But the other thing about sports teams is that there are two very distinct parts of the company, the sports side and business side. We're in the same building, but literally with two basketball courts in between us. Very little interaction or overlap between the two sides, other than IT needing to support both sides. And generally speaking the sports side does our own thing. We don't have to bother with most HR formalities, we don't have a time-keeping system, we don't formally request or track PTO. And up until now, my part of the sports side, analytics, we are given a long leash to manage our own systems.

From talking to someone who knows things, what I've found out is that the CFO wants to get PCI compliant, to save on insurance and also to allow the org to do their own credit card processing. And so they are trying to do it without segmenting us off as our own thing, even though we have no access or interaction with systems over there.
 
A lot of dumb decisions around IT come from outside of IT.

The only post where they don't know what an ODBC driver is is something I would expect from someone on a service desk, but even in that case anyone in IT should take a minute to google that first; it's not that hard.

If you have an inbound publicly accessible Linux server on the LAN that IT is unaware of, then that also sounds like a red flag to me.

As far as RDP, that is the solution you came up with, it is not the only solution. I think in this situation VDI would work the best and offer the ability for you to work on a cloud PC anywhere you have a good network, whether it's at home or in an office. The issue with VDI these days is cost. In the past it was very complex to implement and maintain, but there are a lot of easy to use solutions out there.

But you either need to get up the IT chain to someone who knows what they are talking about, or take it up the organization chain to better provide you with the resources you need to enable you to do your job function. You shouldn't have to do it all on your own, and trying to do all this stuff on your own could put the organization and/or yourself at serious risk if anything bad happens.
It's not that they are unaware of my Linux servers, they had to spin them up for me in VMware. It's that they only know enough to spin up the server and give me credentials, and don't seem to realize that me having root on these boxes is much more permissive than giving me an admin password for my Windows laptop so I can install ODBC drivers and update to a new version of PowerToys (and I'm certainly not going to tell them that).

I've gone up the chain, and right now the roadblock is the people who have the power and the knowledge to help me are up for contract renewal at the end of the month (as am I) and will not ruffle any feathers until that is sorted out. I'm cautiously optimistic that once we get our new deals signed, they will go to bat for me.
 
Just throwing this out there... you keep mentioning RDP for remote access, but also mention the computer is local to your house too... If that is the case, why not use the built-in Windows "request remote assistance" instead? Pretty much the same exact thing as RDP except you need someone local on the machine to be able to initiate it. Since you have the computer there... that shouldn't be that big of a deal. I believe the "Quick Assist" app from MS in their app store can be even easier from that perspective, and I believe it doesn't even need admin to install.
I am not familiar with this but will give it a try, thanks.
 
I understand your situation and your desire to continue using RDP to connect to your work laptop from your home network. However, IT professionals are often more conservative in their approach to security issues, and their main task is to protect corporate resources from possible threats. They may be concerned that enabling RDP might present a potential vulnerability to your work environment.

To effectively argue your point of view and convince IT professionals, you should offer the following reasoning:

Point out that you are not the only employee using RDP to remotely access a work laptop, and that many organizations provide similar capabilities to their employees.

Point out that additional security measures, such as two-factor authentication or a virtual private network (VPN), can be applied between your home computer and work laptop to ensure a secure connection.

Emphasize that you understand the security risks and are willing to take extra precautions by following your company's security policy and following the advice of IT professionals.
This is the general approach I've taken, they've just been completely inflexible. Like I mentioned above, when our contract situations are sorted out my boss and I can both afford to be a little more aggressive. The organization only exists for the sake of the sports side, so up to a point we can strong arm them a bit.
 
I do this as well and feel your pain OP. I RDP from my personal computer with a nice monitor, kb, & mouse to my underpowered work laptop. The laptop, having only 16 GB of RAM, can barely run my work apps. I minimize the RDP session and use my main PC for anything that requires browsing the internet. It's much faster switching this way than a KVM.

Nested RDP sessions work great as well. RDP to laptop, RDP to jump box over VPN, then RDP to server. Performance is great.

To say RDP is insecure is laughable. It's used everywhere to access Windows servers, and there haven't been any significant vulnerabilities in Windows 10. Lock down access with a firewall and require 2FA to log in.
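The two concrete mitigations raised in this thread, a VPN or second factor between the home PC and the work laptop (the list of arguments a few posts up) and "lock down access with a firewall and require 2FA" (the post just above), can both be checked and partly applied from the laptop itself. The script below is an added example written for this page; it is not from any poster and has no official standing with the IT department described. It reports the laptop's current RDP posture, scopes the built-in "Remote Desktop" firewall rules to a single LAN address, enforces Network Level Authentication (which is pre-authentication, not a second factor; an actual 2FA provider is outside what this script or the thread specifies), and lists RDP logons from the Security log so a defender can see whether anything other than the expected desktop has ever connected. The address 192.168.1.10 is a placeholder for the home desktop. Run in an elevated PowerShell; on a domain-joined machine, Group Policy may reset the registry values on the next refresh, so the posture check is the part to keep.

```powershell
# Added example (not from the thread): audit and scope RDP on a Windows work
# laptop so only one LAN host can reach it, with NLA enforced, and list who has
# actually logged on over RDP. Requires an elevated PowerShell session.
# 192.168.1.10 below is an assumed placeholder for the home desktop's address.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcp = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpPosture {
    # Is RDP enabled, is NLA required, and which remote addresses do the
    # built-in "Remote Desktop" firewall rules accept? 'Any' means every host
    # on whatever network the laptop is plugged into can reach TCP 3389.
    $enabled = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections).fDenyTSConnections -eq 0
    $nla     = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication).UserAuthentication -eq 1
    $rules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $scopes  = $rules | Get-NetFirewallAddressFilter |
               Select-Object -ExpandProperty RemoteAddress -Unique
    [pscustomobject]@{
        RdpEnabled     = $enabled
        NlaRequired    = $nla
        RulesEnabled   = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        AllowedSources = ($scopes -join ', ')
    }
}

function Set-RdpLanOnly {
    param(
        # The one LAN host allowed to open an RDP session (placeholder value).
        [Parameter(Mandatory)] [string] $AllowedSource
    )
    # Require Network Level Authentication: credentials are verified before a
    # session is created, so unauthenticated clients never reach the logon screen.
    Set-ItemProperty -Path $RdpTcp -Name UserAuthentication -Value 1
    # Narrow the inbound RDP rules from 'Any' to the single allowed address.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
        -RemoteAddress $AllowedSource
    Get-RdpPosture
}

function Get-RdpLogons {
    param([int] $Days = 7)
    # Security event 4624 with LogonType 10 (RemoteInteractive) is an RDP logon.
    # Property indexes for 4624: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                User   = $_.Properties[5].Value
                Source = $_.Properties[18].Value
            }
        }
}

# Usage (elevated):
#   Get-RdpPosture
#   Set-RdpLanOnly -AllowedSource '192.168.1.10'
#   Get-RdpLogons -Days 30 | Where-Object { $_.Source -ne '192.168.1.10' }
```

The last usage line is the check worth keeping in a scheduled task: any RDP logon whose source is not the expected desktop is exactly the event the IT side is worried about, and having that list on hand is a stronger argument than "I've done it for years".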
While it's not as convenient and seamless as RDP, I did find a workable solution finally. I got a new Dell Ultrasharp with a KVM built in, and the Dell software allows you to assign a keyboard shortcut to switch between computers. So far it works pretty well, the only issues I've had is sometimes when the work laptop goes to sleep the monitor will turn off, even if I'm currently using my desktop, and Windows doesn't always maintain window sizes/location when switching. For now if I know I won't be working for a little while I just unplug the USB-C from the laptop.

The one thing I'm missing is with my old setup I would sometimes run RDP on just one monitor, while playing music on the desktop on the 2nd monitor. Now everything switches over. Not a dealbreaker.
 
I am still using the Dell but not the built in KVM. Instead I got a Logitech MX Keys and MX Master 3S, love both of them. They have easy switching between multiple devices, and then I still use the keyboard shortcut method of switching monitor inputs built into the Dell. So toggling between work/home is just one keyboard shortcut to change inputs, and then pressing a button on the keyboard and mouse.
 