RDP w/ VPN vs Splashtop or equiv

While this will be clear from my question - I am no system admin, I am an accountant.

Essentially, I have recently had an additional site added to my responsibility and I need to be able to access their back office system remotely. The business does not have any IT provider - so I am on my own.

As I see it, I have the option of either:

  1. Configure a system running the back office software that I access via RDP w/ a VPN or;
  2. Configure a system running the back office software that I access via Splashtop / Teamviewer etc.

To me 1 seems to be the more secure way of doing what I need, I just don’t know how to do it. Option 2 feels like a cheat, especially since I will be spending a good chunk of time each day connected to the remote system.

Am I overthinking it and should just take the simple option of 2?

My rules are simple: only company controlled devices can VPN, otherwise it’s Splashtop.

In your case it sounds like you’d meet my test but I’d still go with Splashtop. You’d be keeping all the data and processing on the remote site. So would RDP but I think it adds a little complexity.

Please engage with your IT provider, you need to consider security, bandwidth, user rights and a bunch of other stuff, you already pay professionals to do professional work in their field so let them do it.

I can do accounting easily enough, but I don’t know what I don’t know, which leads to mistakes, you have seen this before I’m sure, this is the same issue but you are the one who doesn’t know what they don’t know.

Please don’t take shortcuts or void security because you think you know better, you can cause serious issues around you.

What is your main purpose? Supporting these computers or accessing them from time to time? If it’s support, ScreenConnect or TeamViewer will do the job. If you access them once in a while, either one is fine, but for better user experience I’d go for RDP with VPN.

You need IT or become IT. Pick your poison.

Not the answer you are looking for, but there should be an msp in play here.

Not the ideal position you are in. But this is the right sub. If you get all no’s, get something that has MFA required to connect you in

#1 is maybe more secure, if you are 100% sure the way you have it set up is secure. What will you use for VPN and MFA?

#2 can be done in 20 minutes, plus it gives you MFA and reports and ease of use (we have several accounting firms using Splashtop because they can use their tax programs over a VPN).

Either solution, good bandwidth is your friend.
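If you do go with option 1, the part of the setup that matters most is that RDP is never reachable from the internet directly, only through the VPN tunnel. As an added example (not from any post in this thread, and not a product's own instructions), here is how that looks on the back-office PC itself with the built-in Windows Defender Firewall. It assumes the VPN hands clients addresses in 10.8.0.0/24; that subnet is an assumption and has to be changed to match your VPN. It is run once in an elevated PowerShell session on the machine running the back office software:

```powershell
# Added example: restrict RDP on the back-office PC to the VPN tunnel only.
# Assumption (not from the thread): VPN clients get addresses in 10.8.0.0/24.
# Run in an elevated PowerShell session on the machine you will RDP into.

$VpnSubnet = '10.8.0.0/24'   # assumed VPN client range; change to match your VPN

# 1. Require Network Level Authentication, so a client must authenticate before
#    a logon screen (and the attack surface behind it) is ever created.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Make sure Remote Desktop is switched on (0 = connections allowed).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name 'fDenyTSConnections' -Value 0 -Type DWord

# 3. Add the narrow rule FIRST so you cannot lock yourself out in step 4:
#    TCP 3389 inbound, but only from the VPN subnet, on every firewall profile.
New-NetFirewallRule -DisplayName 'RDP from VPN only' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $VpnSubnet -Profile Any -Action Allow | Out-Null

# 4. Disable the stock "Remote Desktop" rules, which accept 3389 from ANY address
#    (including the UDP rule; RDP simply falls back to TCP without it).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 5. Check the result: list every enabled inbound rule that opens 3389 and the
#    remote addresses it accepts. Only the VPN subnet should appear.
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0}: remote = {1}' -f $_.DisplayName, ($addr -join ', ')
    }
```

The last step should print a single line naming the VPN subnet. As a second check, from a laptop that is *not* on the VPN, `Test-NetConnection -ComputerName <the PC's public or LAN address> -Port 3389` should report TcpTestSucceeded as False; over the VPN it should be True. This only handles the RDP side; the MFA that the post above asks about has to come from the VPN itself (or from a gateway in front of it), since plain RDP has none.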

No way is 1 more secure - 2 is by far the most secure.

VPNs are constantly requiring updates and patching; Fortinet, one of the most popular VPNs on earth, is regularly breached, and RDP is how most ransomware is moved laterally after a breach at the perimeter.

Splashtop is the only answer here. It doesn’t require any VPN, so is hacker proof; it uses very high levels of multifactor authentication and logging.

Don’t use TeamViewer - it’s again the standard client used by hackers, so they are more familiar with it than with Splashtop, which is much more of a business-focused tool and has much better security.

There is no IT provider for this site. Don’t ask me why not.

I agree that VPNs are typically an entry point. They tend to be the OpenSSL rewrites, wrappers or crypto from scratch that have the most problems.
If the VPN box exists in a DMZ with strict rules, it’s much more trustworthy than running infrastructure on other people’s computers, i.e. Splashtop or otherwise. I’m also a believer in internal segmentation using per segment/department firewall devices.

Just my two cents

I’m on a path to remove the client VPN and the DMZ entirely, also the WAN, the LAN and passwords.

Splashtop is one of the tools that helps us get there.

I’m done with entry points, that castle/moat strategy gives a false sense of security for me. Every security audit I’ve ever seen for a company repeats the standard way of doing things which is hard at the edge, soft on the inside.

So we will deliver up VMs on prem via Splashtop, Azure AVDs via Microsoft Apps, turn every office location into an Internet-only site for managed endpoints and keep networks inside the data centre.

You have the same problem; you’ve only moved it onto other people’s hardware with no insight and at a premium.

Not at all - I didn’t say it was BYOD.

It’s our computers, managed with Intune/Autopilot with no local admin rights, FIDO keys and Windows Hello for Business for authentication, and monitored with Defender for Endpoint.

The users access O365 via Internet or virtual desktops/apps via Azure Virtual Desktop or Splashtop to on-prem virtual machines.

They don’t need VPN or a LAN/WAN