Remote access for staff


Ros Lee

Jul 11, 2017, 9:20:10 PM
to Techies for schools
Wondering what, if any, remote access you are providing to teachers in the wake of the recent ransomware attacks and if so, by what mechanism.

Thanks
Ros Lee

Alistair Baird

Jul 11, 2017, 9:37:35 PM
to techies-f...@googlegroups.com
This is actually two separate questions.

1) For remote access, we use the N4L client, which you need for the latest Mac OS Sierra.
2) For protection against ransomware: keeping machines up to date (the patch was well advertised for Windows machines), as well as up-to-date antivirus (we use Eset), educating users (educating teachers?) about not clicking on links in unsolicited/suspicious emails, and backing up data to non-connected backups (I have a NAS device on a simple 24hr timer - it turns on for the overnight backups, then off during the day when users are active).

This email and any attachments contain confidential information which may be subject to legal privilege. If you are not the intended recipient you must not use, disclose, copy or distribute this email or information in it. If it has been received in error please notify us immediately by return email and then delete/destroy the message. This email is not necessarily the official view or communication of Otumoetai College.

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-schools+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
Alistair Baird
IT Manager
St Peters College 
p 06 354 4198
m 021 482 937

Simon Wright

Jul 11, 2017, 9:38:23 PM
to techies-f...@googlegroups.com
Ros, are you asking because you're not using a secure connection for remote access currently, i.e. an open port on the firewall for RDP access? Just trying to figure out what the tie-in is with "recent ransomware attacks".

For the past 4 years we have been using Microsoft DirectAccess, which is a server role that is part of Windows Server. It works best with Windows 10 as 7 has some issues; it should be fine with 8.
Basically it creates a secure connection to the network seamlessly in the background when it detects that your computer is no longer on the local network. You get full access as if you were on the local network, albeit a little slower (depending on your internet connection).
It's all managed through Group Policy and works really well.
Of course this only works with Windows computers running Enterprise edition. I believe there are third-party apps which extend DirectAccess to work for Home and Pro as well as macOS.

If you're using N4L, I believe they have a VPN solution. Most router/firewall vendors generally have IPSec VPN capability.



Regards
Simon Wright
ICT Manager

Best for boys through the right learning
2 Arthur Street, Dunedin, 9016, New Zealand
p: 03 477 5527 | f: 03 477 5468 | c: 021 773 229 | w: obhs.school.nz

 

Respect - Whakaute | Courage - Toa | Honour - Hōnore | Perseverance - Manawanui | Excellence - Hiranga


DISCLAIMER
This e-mail is intended for the addressee only and may contain information which is subject to legal privilege. This e-mail message and accompanying data may contain information that is confidential and subject to privilege. Its contents are not necessarily the official view Otago Boys’ High School or communication of the Otago Boys’ High School. If you are not the intended recipient you must not use, disclose, copy or distribute this e-mail or any information in, or attached to it. If you have received this e-mail in error, please contact the sender immediately or return the original message to Otago Boys’ High School by e-mail, and destroy any copies. Otago Boys’ High School does not accept any liability for changes made to this e-mail or attachments after sending.

Craig Knights

Jul 11, 2017, 9:45:02 PM
to techies-f...@googlegroups.com
We are using N4L's F5 BIG IP VPN.  It works well.


Clayton Hubbard

Jul 11, 2017, 9:59:31 PM
to techies-f...@googlegroups.com
Hi All,

We have some information on our website regarding our N4L Remote Access solution if you are interested. (https://www.n4l.co.nz/managed-network/remote-access/)
Technically we use Spark's Hosted F5 Solution as Craig mentioned, and we build a tunnel into the school. We open the firewall rules to only allow the F5 solution, which adds the benefit of no internal servers having exposure to the Internet.

Let me know if you have any questions or flick an email to N4L on sup...@n4l.co.nz

Clayton Hubbard
Solution Architect
The Network for Learning Ltd

M +64 22 043 0155  DDI +64 9 972 2906  P 0800 LEARNING
A Suite 306, Geyser Building, 100 Parnell Road, Parnell, Auckland 1052
A PO Box 37118, Parnell, Auckland 1151  n4l.co.nz

Craig Knights

Jul 11, 2017, 10:15:59 PM
to techies-f...@googlegroups.com
One interesting exercise I did a year, maybe two ago was ask for a list of firewall rules to review.

Unfortunately there were a number of mistakes / typos / misunderstanding / first goes in there.  Often with another entry that was correct lower down in the list.  I think these were from when firewall jobs were passed on to Spark, but I think they're done more internally now?

There were also some old rules that really did not need to be there anymore, e.g. an internal static IP that used to be for the video conferencing unit that I had reused for a label printer, and was getting played with by Russians as it had an open NAT rule.

Just something worth doing.

thanks,
Craig
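The kind of rule review described in the post above can be partly automated. This is an added example, not part of the original thread: the export format, field names, addresses and the first-match rule ordering are all assumptions, and the sample rules and inventory are constructed.

```python
import ipaddress

# Constructed sample export (assumed format); rules are evaluated top-down, first match wins.
RULES = [
    {"id": 1, "action": "deny", "src": "0.0.0.0/0", "dst": "10.1.5.20/32",
     "port": 3389, "nat": False, "purpose": "block RDP"},
    {"id": 2, "action": "allow", "src": "0.0.0.0/0", "dst": "10.1.5.0/24",
     "port": "any", "nat": False, "purpose": "typo: /24 instead of /32"},
    {"id": 3, "action": "allow", "src": "203.0.113.0/24", "dst": "10.1.5.30/32",
     "port": 443, "nat": False, "purpose": "vpn gateway"},
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "dst": "10.1.9.40/32",
     "port": "any", "nat": True, "purpose": "video-conferencing"},
]
# Constructed inventory: what each internal static IP is used for today.
INVENTORY = {"10.1.5.20": "file-server", "10.1.5.30": "vpn gateway",
             "10.1.9.40": "label-printer"}

def _covers(earlier, later):
    """True if every packet matching `later` already matches `earlier`."""
    net = ipaddress.ip_network
    return (net(later["src"]).subnet_of(net(earlier["src"]))
            and net(later["dst"]).subnet_of(net(earlier["dst"]))
            and earlier["port"] in ("any", later["port"]))

def shadowed(rules):
    """(later_id, earlier_id) pairs where the later rule can never be the first match."""
    return [(later["id"], earlier["id"])
            for i, later in enumerate(rules)
            for earlier in rules[:i] if _covers(earlier, later)]

def stale_forwards(rules, inventory):
    """NAT rules whose target IP no longer hosts what the rule was written for."""
    findings = []
    for r in rules:
        if not r["nat"]:
            continue
        host = str(ipaddress.ip_network(r["dst"]).network_address)
        current = inventory.get(host, "unassigned")
        if current != r["purpose"]:
            findings.append((r["id"], host, r["purpose"], current))
    return findings

if __name__ == "__main__":
    print("shadowed:", shadowed(RULES))
    print("stale NAT:", stale_forwards(RULES, INVENTORY))
```

A shadowed pair usually means the earlier, broader rule is the mistake and the narrower one lower down is what was intended; a stale forward is a candidate for removal.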

Alistair Baird

Jul 11, 2017, 10:44:08 PM
to techies-f...@googlegroups.com
"was getting played with by Russians"

Might have been Trump!

Ros Lee

Jul 11, 2017, 10:47:09 PM
to Techies for schools
Thanks for your replies.  Sorry for not being clear.  I am linking the two together because we turned off RDP after WannaCry in preference for the N4L solution but it seems there are some holdups at their (or Spark's) end and I am wondering what other options are out there that we could implement more quickly to lower stress levels (teachers, not ours)  :-).  

Julian Davison

Jul 11, 2017, 10:48:27 PM
to techies-f...@googlegroups.com
OpenVPN is the quickest to deploy, without great thought. Partly 'cause it doesn't have to deeply integrate with anything.


Blake Richardson

Jul 17, 2017, 10:02:53 PM
to Techies for schools
We use VPN, which we set up for the staff; they have to enter their password every time they connect and they have no idea what the shared secret is.