New restrictions on RDP connections into Earth Sciences start October 28, 2013.
Last revision December 11, 2013 to remove references to SUNAC
logins - no longer needed.
Firewall rules for the Earth Sciences wired computer network were changed on Monday, October 28, 2013, to more carefully restrict remote logins into Windows computers that are left running in offices and labs.
Starting October 28, you must login to the Stanford Virtual Private Network (VPN) first each time you start a Remote Desktop Protocol (RDP) connection into a Windows computer on the Earth Sciences wired network from anywhere outside that network. In addition, you will need to get your SUNet ID onto an RDP authorization list. See the description at the end of this note for the scope of the Earth Sciences wired network. This note describes why and how this will be done.
Who is affected?
This change will affect you if:
You want to remotely login to your Earth Sciences office or lab desktop Windows PC from your personal computer at home or in the residence halls.
- You are using a computer in another department on campus (for example, Biology) to login to a desktop Windows PC in Earth Sciences.
- You are connecting from your wireless laptop in your office to your desktop Windows PC in your Earth Sciences lab. The wireless networks are not part of the Earth Sciences wired network.
This change does not affect you if:
- You never use Windows computers.
- You never make Remote Desktop logins to a Windows computer.
- You only make remote logins from one wired computer to another wired computer on the Earth Sciences network (neither one using wireless network), such as from office to lab.
Why is this needed?
The recent compromise of some university servers in July that required everyone to change their SUNet password is a wake-up call to take more steps to secure the Earth Sciences computer network. We need to limit the ability of hackers to probe our network from outside. We are targeting RDP connections first because they give complete control of Windows PCs, which are the primary targets of hackers. Additional security restrictions for other services will be implemented in the future.
The existing firewall rules for RDP connections into computers on the Earth Sciences wired network are fairly loose: connections can come from any other computer anywhere on campus without restriction, and from anywhere off-campus using the simple Stanford VPN. The problem is that this simple firewall rule allows any SUNet ID to probe our network directly from another on-campus machine or to probe remotely using the Stanford VPN. If a random SUNet ID - for example, an affiliate in a business unit - is compromised by hackers, that ID can be used remotely by the hacker to try to break into all Windows PCs on the Earth Sciences wired network using the RDP protocol.
A new access control technology supported by IT Services called Stanford University Network Access Control (SUNAC) adds another fine-grained layer of access control on top of the VPN. We can create workgroups listing specific SUNet IDs that are allowed to connect through the VPN to services on our network. This way, only the people in Earth Sciences who actually need access will be able to get into our network, rather than all 50,000 active SUNet IDs.
How do I make RDP connections into Earth Sciences after October 28?
Our first use of SUNAC will be to limit access from outside the Earth Sciences network to the Remote Desktop Protocol that allows remote control of Windows computers, starting on October 28. You need to complete the following two steps if you want to use RDP from outside Earth Sciences to connect to Windows PCs on the Earth Sciences wired network.
You need to get your SUNet ID on the list of authorized RDP users. The Energy Resources Engineering department widely uses RDP so they are maintaining the list of their people who need RDP access. If you are in any other department or program in Earth Sciences and need RDP access into a Windows computer on the Earth Sciences network, please send a note to your Earth Sciences Network Team with your name, SUNet ID, and department or program name. If your SUNet ID is not on the list when the rule is changed on October 28, you can still login to the Stanford VPN but you won't be able to complete RDP connections to machines on the Earth Sciences wired network. Of course, we can add people to the list at any time. Check this web page to see if you are on the authorized list.
Every time you want to make an RDP connection from outside the Earth Sciences network after October 28, you must first login to the Stanford VPN. The network firewall will then check that the SUNet ID you used to connect to the Stanford VPN is on the authorized list for RDP connections. If not, you will get an "operation failed" error message when you attempt your RDP connection.
If you need help installing or configuring the Stanford VPN, make your request in the HelpSU system (725-HELP or helpsu.stanford.edu).
Send all questions and comments about the change in the firewall rule to your Earth Sciences Network Team.
The Earth Sciences wired network includes the Mitchell Earth Sciences Building (excluding the Branner Library), Braun Geology Corner, and Green Earth Sciences Building. Computers that are registered on the network and physically plugged in to an active data jack (an orange jack with a green dot next to it) on a Telecommunication Service Outlet (TSO) in one of those buildings are part of the Earth Sciences network. Those computers will have an IP address in the range of 22.214.171.124 through 126.96.36.199.
The Stanford wireless network is not part of the Earth Sciences wired network. This includes devices that connect wirelessly while they are within an Earth Sciences buildings. They are treated as out-of-network and their connections to devices on the wired Earth Sciences network go through the Earth Sciences firewall. Getting on the RDP authorization list and logging into the Stanford VPN will be required for RDP connections into the Earth Sciences network from these wireless devices.
We have a few groups that are situated in the Y2E2 building. Those devices will be treated as out-of-network devices. RDP connections from Y2E2 to the wired Earth Sciences network will require getting on the RDP authorization list and using the Stanford VPN.