Re: The most simple way is not mentioned here?
We connect by rdp to the server for everything except for three people that have banking software that uploads bacs submissions.
Working from home and want to access your PC at work? The best solution may cost thousands in additional Microsoft licensing costs. In the scramble to migrate employees to home working, there are issues for businesses who normally have staff in an office working on desktop PCs, or accessing network file shares and intranet …
> If you have a corporate laptop, why bother with RDP to the desktop?
File sizes, and therefore speed. Have you ever opened an 10MB+ file in Office, Autodesk, Indesign, Photoshop (name yours) or just an Access DB (latter just as an example) over VPN? It takes aeons to open, and you end up with corrupt files way too often. Or take more complex constructions like ADDSION software or SAGE... Woah...
If you have to do a quick and secure solution, do it my way. If you have enough time to design for this, like pumping up the office internet connection, you can choose other ways.
And if you know BT, they are just like the German Telekom on that behalf: May take 6+ Month to get a bigger line.
Everything you need on the fileservers? - sure if you're just editing documents, how about the myriad of servers, networks and applications that many of us need to access daily that are blocked (quite rightly) over VPN access?
If I use my company laptop from home I'm severely limited, RDP to that laptop sat on the company network from my home machine over VPN, which is definitely as secure as my work machine, and all functionality is available to me.
RDP is interesting, if it's supported [it's likely a smaller business has HOME versions of windows, which don't allow remote-in].
There is a VERY SIMPLE solution, however:
a) VPN login to corporate network
b) VNC server running on the desktop [you'll need to log in first and leave it logged in, turn off those annoying lock screens, etc.]
BUT... if you run Linux or another POSIX operating system chances are you have OTHER things available, too, like ssh, "remote desktop" via the DISPLAY environment variable, and so on.
VNC is probably the easiest (so long as you don't lose the login on the desktop)
and when it comes to outright performance, remote X11 desktops are probably as good as (or maybe even better) than RDP...
[I do not know if there's an open source RDP server out there for windows, but there MIGHT be one for POSIX systems...)
It's also possible, on a POSIX system, to use something like 'Tiger VNC' to operate on its very own desktop. I do this a LOT to test X11 applicaitons. Run vncviewer on the main desktop, run the test applications on the tigervnc's X server with a different desktop (usually loalhost:1). There's really no reason you cannot have that secondary desktop running on a network-visible IP address, and then you just need to be able to VPN into the corporate network to access it.
> b) VNC server running on the desktop [you'll need to log in first and leave it logged in, turn off those annoying lock screens, etc.]
Run it as a service. All those VNCs offer it, and work fine even if UAC is set to the highest level - which is the only correct level.
But I prefer RDP when possible. Login is AD-Controlled (Single Sign On), and you can select which user can connect. Requires more work to do the same with VNC.
likely a smaller business has HOME versions of windows
They're already breaking their license by doing that then. The Home version is specifically for non-commercial use. (Not that most small businesses care).
Disabling RDP is one of the ways Microsoft differentiates Home vs Pro, to encourage you to buy the Pro version.
Not bad. Except if someone introduces a worm to the network that exploits an as yet undiscovered RDP bug or a variant of an existing one and your IT guys are on lockdown...you're fucked.
I've put critical web based services behind a reverse proxy, (gitlab, SVN, etc) file sharing is now proxied through a Linux box (mounted SMB group shares symlinked inside SAMBA shared folders for each group) and that box is only accessible via VPN.
Remote access to workstations is possible, but only on request if absolutely necessary.
Email and conferencing is Office365/Teams as it has been for a while.
Most importantly I have 3 encrypted off-site backups and a warm empty file server in the cloud if I need it, everything ready to go...just no data there until I restore it.
Web services are already replicated to a warm set of DC servers for failover.
All good. Everyone working just fine. Most issued with company laptops (at most 1 year old).
Don't forget security and backups guys, you might not be able to get onsite if the shit hits the fan.
That is a very poor solution. It requires the customer desktop to be up and running. not hung, rebooted or shutdown by accident. It's just about OK for a one of or a fudge for some small scale software issue such as a product that still need XP, but as a corporate business continuity strategy it should be a sacking offence.
The issue is many organizations are not set up to have a large portion of their staff work remotely. Those that already were issued laptops with the appropriate software preinstalled so using a personal computer was not required (or often not allowed). I am not sure how using a home computer would affect the licensing, it is a rather messy issue. But if Slurp, et. al. wants to really anger potential ex-customers hammer companies over licensing during this time. It is not as if the customers are trying to violate their licenses. Also, I am not sure that many courts worldwide would look kindly on what many would view as a shakedown attempt to profit on the misery of others; not exactly a winning strategy. But Silly Valley is notorious for their collective tone-deafness.
If you have 20,000 employees then setting them all up to remote work is not a small or cheap task.
Far too many on the Register comment as if 10 seats and a server with everyone an IT Expert are the norm.
Anything is possible at a small scale when a very limited number of people are in control.
TeamViewer on a non-commercial licence (cut off after 3 hours). That is the solution for my better half's remote access to her company computer.
TV must have noticed a surge in non-commercial remote connections during office hours, I wonder when the push to get money out of that will happen.
If that happens the company will probably tell her to switch to Webex or something. And her company is not short of a bob or two.
The company refused to pay for anything new (I guess that answers your question) so people started installing TeamViewer themselves to be able to work from home. I've done a deal with the devil and installed Chrome Remote Desktop as suggested above as a backup in case TeamViewer stops working.
I also looked at M360 Remote Assistant but Mac-Windows isn't possible.
Thanks for the suggestions all.
Good job I made sure we have enough CALs in place in advance then!
Not having enough hardware is a more serous issue. We've just about managed to scrape together enough kit for our desktop users if/when it's needed (not everyone is working from home yet) but we've been caught out by headsets for VOIP and online meetings. Managed to get a few 3.5mm plug ones from Amazon (assuming they're not hijacked on the way) but no USB ones to be found.
And this is why complex software licensing really is the work of the devil (one of his finest, it has to be said).
Add on the hassles of horrible fiddly and unreliable licence servers, and all the registration and activation crapola that accompanies home use licences that make end users give up the will to live, and all these companies which make things far more complicated than it really should be just to buy and use their product are sitting there wondering why FOSS alternatives are often slowly eating their lunch...
Apart from TeamViewer, there are several other applications providing remote access. I use VNC. This does not provide file transfers, which is arguably safer because any virus on the machine at one end cannot be unknowingly transferred to the other. When necessary, transferring a file can be done in several ways - email, uploading to a filesharing site, ftp etc. Works fine between Linux & Windows machines.
- free MS RDC on Google play is really great on everything including Chromebook devices.
- free MS RDC in Apple store works really well.
The free Windows version - - does everything really well (as you might expect after 17 years of upgrade) including cut/paste of files to the desktop.
We currently only use RDP for accounts / Sage, it's not supported by Sage but it works fine.
Email is all OWA as we have on premise exchange so no issues there.
Just bought some extra Screen Connect licenses and giving select users access to their office pc, not sure how that stands with MS licensing but they can take a log walk off a short pier.
Our problem is that most of our customers are not sending us the usual level of work as it's split between retail / leisure and office machine support.
Fingers crossed we get paid at the end of this month :/
Work laptop, home pc, kvm switch and two monitors.
That means work on one monitor and play videos and music on the other one. Got an incoming call from the office?Hit the kvm, space bar to pause and hit it again to get back to the work laptop. Want to play games to let off a bit of stream, emulator and a joypad. Want to do a bit of browsing add a second mouse. A damn near perfect setup in my opinion. It worked for me for nearly 13 years.
As for these issues couldn't you use something like TightVNC to get round licensing?
If I've got to choose between the Corona virus & a Windows VD, I'll pick the Corona as it only might kill me rather than give me a MS STD...
I'll get my coat, it's got the bottles of Corona in one pocket & the limes in the other.
It's IT related I swear! We're talking about beer aren't we?
*Pure, Sweet, & Innocent Grin(TM)*
It's not the licensing for me. I'd not put an RDP-Gateway on the Internet without additional stuff before that. Either require VPN, or set up a reverse proxy which does Auth before connecting to the RDP-Gateway. I'd choose a method where an internet café connection is not possible.
open listening ports for RDP or VNC are a _BAD_ idea, encrypted or otherwise.
best to use an end-end enrypted VPN, and all access to the corporate network (including remote desktops) is through THAT alone. With some creative firewalling, you could prevent normal network access via the VPN, and only allow the remote desktop-ing.
Requiring a VPN connection instead of (prior to RDP) really isn't fixing anything much security-wise, it's just moving the point of attack slightly. Rather than attack an RDP connection malware attacks a VPN connection instead. VPN servers are probably updated even less often than RDP servers.
>it's just moving the point of attack slightly.
But it is a useful move for Internet facing services.
It also changes the attack. With a MS RDS Server directly visible on the Internet, you are enabling the full range of RDP/RDS exploits to be tried directly against a live server. The addition of a VPN gateway, means an attacker has to mount a (successful) VPN attack before they gain access to the RDS server.
Setting aside the fact that response by the UK government, and some elsewhere, to the viral outbreak has been directed by ill-placed emotion (largely fuelled by MSM), panic (again MSM), and unsound advice (mathematical modellers usurping consolidated experience among public health practitioners and 'hands-on' infectious disease academics), this manufactured 'crisis' must not be permitted to allow consideration of so-called 'intellectual property' (IP) rights get in the way of sensible behaviour.
Governments, those not entirely in thrall to rentier interests, either posses or can concoct legislation enabling suspension (even negation) of IP rights when well-being of the general public merits it. In this instance, governments could prevent IP 'owners' from seeking damages/payment for infringing activities within their legal jurisdictions during the emergency.
Not just Microsoft should thus be dealt with but also a host of others. Patents relating to drugs and health technologies must not stand in the way of preventative measures and remedies. It should be permitted to ignore the egregious copyright attached to academic literature. Also, with large segments of populations confined to their homes it would be prudent to keep them entertained and one helpful measure would be an officially sanctioned blind-eye to copyright infringement relating to film, audio, and TV shows.
Incorrigibly avaricious among IP rentiers would squeal like stuck pigs (porcine analogy being appropriate). The more sensible, both through genuine concern over public well-being and preservation of brand image, would not require prompting by governments.
For instance, in the UK, Premier League matches are immensely popular; fans are charged exorbitant sums either through direct subscription or indirectly via what is in effect a surcharge on the price of beer and on products from 'sponsors' of the League. There are increasing efforts to stamp out unofficial live streaming of matches but success is limited.
Consider the following scenario. The Premier League along with other producers of popular televised sporting products could announce free access to live streams, some perhaps going through unofficial sources like Kodi add-ons, for the duration of the crisis. Matches, tournaments, and athletics competitions, could take place in stadia devoid of live audiences. Similar considerations apply to other manifestations of mass entertainment. A potentially restless population, particularly younger folk and school children (a low risk group foolishly being denied education), could be dissuaded from mischief arising from boredom.
Tears need not be shed for any rentiers (whether of patents or copyright). They would be 'doing their bit', possibly under duress. IP dependent industries accumulate considerable bulk of (porcine) fat; this acquired through monopoly protected price-gouging all along a chain of middlemen from producer to end recipient. Indeed, dissemination of digitally encoded entertainment, and information in general, no longer requires the plethora of intermediaries accumulated during the analogue era. Meanwhile, during the wailing and gnashing of teeth by purveyors of trivial 'content' there are previously solid companies, large and small, facing ruin and many (those without backbench MPs and government minsters in their pockets) unlikely to be bailed-out. Similarly, the pharmaceutical industry whilst promulgating lies about its price gouging being necessary for supporting R&D (basic research mostly takes place elsewhere and generally using public or charitable funding whereas development - testing of medicinal products - is given a hidden subsidy through access to NHS facilities) would benefit from shake-up arising from the current 'crisis'.
We have a government that barely concealed its neo-liberal agenda. Present circumstances, particularly potential economic collapse triggered by inept handling of the epidemic, have forced grudging admission of existence of 'society', this disavowed by the late Mrs Thatcher, and recognition of communal inter-dependence. Remarkably, the USA, adopted home of the late Ayn Rand, may be following suit
Biting the hand that feeds IT © 1998–2021