Remote Access Best Practices Randy Johnston, M.C.S. Course # 2164592, Version 2004, 2 CPE Credits

Course CPE Information

Course Expiration Date Per AICPA and NASBA Standards (S9-06), QAS Self-Study courses must include an expiration date that is no longer than one year from the date of purchase or enrollment.

Field of Study Computer Software & Applications. Some state boards may count credits under different categories—check with your state board for more information.

Course Level Overview.

Prerequisites There are no prerequisites.

Advance Preparation None.

Course Description A growing number of employees want to be able to work from anywhere, anytime, and on any device. This is one of the marketing messages of public cloud hosting providers, but internal networks can provide the same style of remote access by using Citrix, virtual desktop infrastructure, or remote desktop services. In this session, you'll learn the techniques that will give your users the best experience utilizing technology you currently have and find out what you should consider for future upgrades.

Course content and learning objectives © Copyright K2 Enterprises, LLC 2016, Reviewed 2020
Review questions and final exam © Copyright Western CPE 2016, Reviewed 2020

Publication/Revision Date April 2020

Instructional Design

This Self-Study course is designed to lead you through a learning process using instructional methods that will help you achieve the stated learning objectives. You will be provided with course objectives and presented with comprehensive information and facts demonstrated in exhibits and/or case studies. Review questions will allow you to check your understanding of the material, and a qualified assessment will test your mastery of the course.

Please familiarize yourself with the following instructional features to ensure your success in achieving the learning objectives.

Course CPE Information The preceding section, “Course CPE Information,” details important information regarding CPE. If you skipped over that section, please go back and review the information now to ensure you are prepared to complete this course successfully.

Table of Contents The table of contents allows you to quickly navigate to specific sections of the course.

Learning Objectives and Content Learning objectives clearly define the knowledge, skills, or abilities you will gain by completing the course. Throughout the course content, you will find various instructional methods to help you achieve the learning objectives, such as examples, case studies, charts, diagrams, and explanations. Please pay special attention to these instructional methods, as they will help you achieve the stated learning objectives.

Review Questions The review questions accompanying this course are designed to assist you in achieving the course learning objectives. The review section is not graded; do not submit it in place of your qualified assessment. While completing the review questions, it may be helpful to study any unfamiliar terms in the glossary in addition to course content. After completing the review questions, proceed to the review question answers and rationales.

Review Question Answers and Rationales Review question answer choices are accompanied by unique, logical reasoning (rationales) as to why an answer is correct or incorrect. Evaluative feedback to incorrect responses and reinforcement feedback to correct responses are both provided.

Glossary The glossary defines key terms. Please review the definition of any words you are not familiar with.

Index The index allows you to quickly locate key terms or concepts as you progress through the instructional material.

Qualified Assessment Qualified assessments measure (1) the extent to which the learning objectives have been met and (2) that you have gained the knowledge, skills, or abilities clearly defined by the learning objectives for each section of the course. Unless otherwise noted, you are required to earn a minimum score of 70% to pass a course. If you do not pass on your first attempt, please review the learning objectives, instructional materials, and review questions and answers before attempting to retake the qualified assessment to ensure all learning objectives have been successfully completed.

Answer Sheet Feel free to fill the Answer Sheet out as you go over the course. To enter your answers online, follow these steps:

1. Go to www.westerncpe.com.
2. Log in with your username and password.
3. At the top right side of your screen, hover over “My Account” and click “My CPE.”
4. Click on the big orange button that says “View All Courses.”
5. Click on the appropriate course title.
6. Click on the blue wording that says “Qualified Assessment.”
7. Click on “Attempt assessment now.”

Evaluation Upon successful completion of your online assessment, we ask that you complete an online course evaluation. Your feedback is a vital component in our future course development.

Western CPE Self-Study 243 Pegasus Drive

Bozeman, MT 59718 Phone: (800) 822-4194

Fax: (206) 774-1285 Email: [email protected] Website: www.westerncpe.com

Notice: This publication is designed to provide accurate information in regard to the subject matter covered. It is sold with the understanding that neither the author, the publisher, nor any other individual involved in its distribution is engaged in rendering legal, accounting, or other professional advice and assumes no liability in connection with its use. Because regulations, laws, and other professional guidance are constantly changing, a professional should be consulted should you require legal or other expert advice. Information is current at the time of printing

Table of Contents

Remote Access Best Practices
What About Randy?
Pictures
What About NMGI?
About K2 Enterprises
K2 Enterprises Websites
Session Description
Learning Objectives
Five Variants of Remote Access
Key Methods of Remote Access
Browser-Based Options 1
Browser-Based Options 2
Browser-Based Options 3
Virtual Private Networks
Client-Based VPN 1
Client-Based VPN 2
What is MyQuickCloud?
Self Hosting by MyQuickCloud
My QuickCloud
My QuickCloud Menus 1
My QuickCloud Menus 2
My QuickCloud Menus 3
Security
Remote Desktop Services: Remote Apps and Remote Desktops
Remote Desktop Services
RDS in a Nutshell
RDS Example
Citrix XenApp
Speeds and Feeds
Virtual Desktop Infrastructure 1
Virtual Desktop Infrastructure 2
Which Is Virtualization?
Traditional Servers—Without Virtualization
The VMware ESX Server Hypervisor on Two Physical Servers Does the Same Work as 8-12 Physical Servers
Adding a New VMware Host 1
Adding a New VMware Host 2
Adding a New VMware Host 3
Zero Downtime with VMotion 1
Zero Downtime with VMotion 2
Zero Downtime with VMotion 3
Zero Downtime with VMotion 4
Zero Downtime with VMotion 5
VDI with VMware
Remote Desktop Services vs. Virtual Desktop Infrastructure
RDS vs. VDI
XenApp vs Citrix XenDesktop
Performance, Cost, Compatibility, Usability Strengths and Weaknesses
Strengths and Weaknesses 1
Strengths and Weaknesses 2
Strengths and Weaknesses 3
Strengths and Weaknesses 4
Strengths and Weaknesses 5
How Do I Choose?
Comparison of Remote Access Options
What’s Most Important
Hardware, Software, Licensing, and Deployment – Technical Considerations
Technical Considerations
Storage Considerations
IOPs—Examples of IOPs Speeds
Concerns
Dozens of Right Ways to Implement Technology, Hundreds of Wrong Ways
Sizing Technology—Minimally Acceptable, Stronger Is Better
Technology Cookbook
Anti-Virus, Firewalls, Security Policies Security Considerations
Security Risks 1
Security Risks 2
Security Risks 3
So How Do I Mitigate These Risks?
Mitigating Risks—Identifying the Risk 1
Mitigating Risks—Identifying the Risk 2
Mitigating Risks—Determining Acceptable Risk
Mitigating Risks—Implementing the New Plan
Key Items To Consider – Security Guidance
Security
Antivirus Software
Password Managers
Needed No Matter What Solution
Firewall
Communication Lines (Best to Worst)
Considerations for Proper Protection: Mobile Device Management
Why Do Organizations Need to Manage Mobile Devices?
What Are We Trying to Control?
Application Installation
Data Access
Device Security
Connectivity to Corporate Resources
Kill Switch Legislation for Smartphones
Device Tracking
What Types of Devices Should Be Included?
Mobile Devices to Control
How Organizations Create an Effective Mobile Device Policy 1
How Organizations Create an Effective Mobile Device Policy 2
Create and Implement Appropriate Controls
Mobile Device Policies
Policy Enforcement Tools
Security Functionality Built into Mobile Technology
Security Configuration Tools
Microsoft Exchange Mobile Device Mailbox Policies
Android for Work
Android for Work
Mobile Device Management Software
What Mobile Device Management Applications Offer 1
What Mobile Device Management Applications Offer 2
Device Security Software
Summary 1
Summary 2
Thank you for being here!

Learning Objectives

Upon successful completion of this course, you will be able to:
• Identify key methods of remote access, noting the characteristics of each, security risks, strengths, and weaknesses
• Recognize the various technical aspects and security considerations of configuring a remote environment, noting the best software options to identify and mitigate risk
• Identify policies and best practices for mobile device management relating to application installation, data access, device security, connectivity to corporate resources, and device tracking


Copyright © 2016 K2 Enterprises, LLC. Reproduction or reuse for purposes other than a K2 Enterprises’ training event is prohibited.

Remote Access Best Practices

Randy Johnston, M.C.S.
CEO, Network Management Group, Inc.

Exec VP, K2 Enterprises


What About Randy?

• Inducted Accounting Hall of Fame, February 2011
• 2004–2015 Accounting Today 100 Most Influential in Accounting for twelve years
• Top 25 Thought Leader 2011-2016
• 40-plus years of technology experience
• Author of articles on technology, including a monthly column in CPA Practice Advisor
• Top rated speaker for over 30 years
• Author of six books
• From Hutchinson, KS
• [email protected] or [email protected]
• 620-664-6000 x 112


What About NMGI?

• CRN top 100 technology company
• MSPMentor top 100 company
• NetCare: National CPA support services
• NetRescue and NetStore: Backup appliances and web-based backup
• Boutique technology and business continuity consulting: CPA firm technology assessments, paperless, accounting software selection (ERP, BI, HR, SaaS, CRM)
• WebCare and netHosting: custom website and cloud services


About K2 Enterprises

• Provides live and on‐demand continuing professional education (CPE) in 48 U.S. states and in Canada

• Largest provider of technology‐focused CPE for accountants and financial professionals in North America

• Services offered:
– Live, in-person presentations (conferences and seminars)
– Webinars
– On-site training
– On-demand self-study materials

• www.k2e.com for more information


K2 Enterprises Websites

• www.k2e.com ‐ CPE info

• www.CPAFirmTech.com – CPA firm info

• www.AccountingSoftwareWorld.com – Accounting software info

• www.TotallyPaperless.com – Paperless info

• https://www.youtube.com/user/K2Enterprises ‐ The K2 Enterprises YouTube channel with over 160 free technology training videos


Session Description

Team members want to be able to work from anywhere, anytime on any device. This is one of the marketing messages of public Cloud hosting providers. Internal networks can provide the same style of remote access by using Citrix, virtual desktop infrastructure, or remote desktop services. 

In this session, you will learn the techniques that will give your users the best experience using what you currently have, and what you should consider for future upgrades.


Learning Objectives

• List key considerations when configuring Citrix, VDI, or RDS

• Identify how to implement procedures to secure mobile devices

• Identify how to secure your network edge from potential threats associated with remote access


Five Variants of Remote Access

Web Based

VPN

Remote Access to Desktop

Citrix/ Virtualized Applications

Virtualized Desktops (VDI)

Cloud is at the Core


Key Methods of Remote Access

• Browser-based options (e.g., LogMeIn, GoToMyPC, etc.)
• Client-based VPN (e.g., SonicWALL, Cisco, etc.)
• Microsoft Windows Server
– Remote app
– Remote desktop services (formerly terminal services)
• Citrix XenApp
– Published apps
– Published desktops
• Citrix XenDesktop
• VMware View

DIY

VPN

RemoteApp & Remote Desktop on Server

Virtual Desktop Infrastructure


Browser‐Based Options

Simple, DIY Technology


Browser‐Based Options

• This method depends on an agent installed on the device to be reached; the user then connects to that device remotely through a web browser

• Key players in this field are LogMeIn, GoToMyPC, TeamViewer, as well as several others

• Naturally, this requires the remote computer to be on and accessible (not in sleep or hibernation mode)

• Remote computer can run a desktop OS or a server OS, but these tools will not permit a local user and a remote user to do different things on the PC at the same time (single interactive session)
– They can watch one another work in real time and upload/download files


Browser‐Based Options

• Security is entirely up to the end-user—but is monitored by the provider at some level
– Weak or duplicated passwords equals weak security
– Still need antivirus on these machines

• Monthly plans available for single/multiple users, persistent client installed and runs 24x7x365

• Some opt to use GoToAssist or other services to connect only as needed with assistance from on‐site user

• New offering for public practice CPAs—Citrix ShareConnect


Virtual Private Networks

Secure Servers and Data (Behind Firewall)

The “forcefield” or “shield” around the remote user is the encryption tunnel created by the VPN, which blocks communication with anyone other than the VPN host servers/private cloud

VPN Tunnel Extends Firewall to Cover Remote Users


Client‐Based VPN

• Client‐based VPN is a direct connection to the internal network from an external device via a VPN client

• Uses an encryption algorithm such as AES or DES to secure the connection to the end device, typically the firewall/UTM

• Once connected, the user is able to access network resources as if they were inside the network

• Multi-user QuickBooks: MyQuickCloud, Pertino
• Clientless options such as a PPTP server or SSL VPN are also available
– They fundamentally will yield the same result


Client‐Based VPN

Three most common types of VPNs

1. IPSEC: Most secure, most difficult to configure
• Requires client installation, password, and/or certificate installation
• Many public networks (Starbucks, hotels, etc.) may block IPSEC VPN traffic

2. SSL: Easier to set up, less secure than IPSEC VPN
• Fewer devices require a client app and some mobile devices do not support
• Dell SonicWALL has SSL VPN on their firewalls or dedicated SSL VPN appliances to provide remote connectivity

3. PPTP: Easiest to set up, least secure option
• Built into Windows
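
An added example, not part of the course material: a small audit that applies the ranking above to an inventory of VPN profiles, flagging PPTP tunnels and proposals that use DES instead of AES. The inventory format, the hyphen-separated proposal strings and every profile name are constructed for illustration.

```python
"""Audit VPN profiles for PPTP tunnels and DES encryption.

Illustrative code added to this page; not course or vendor code.
The inventory format and all profiles below are constructed.
"""
import re
from typing import NamedTuple

SAMPLE_INVENTORY = """\
# name          protocol  proposal   (constructed sample data)
hq-firewall     ipsec     aes256-sha256
branch-old      ipsec     des-md5
road-warrior    ssl       aes128-sha256
legacy-laptop   pptp      -
kiosk           IPSEC     3des-sha1
lab             l2tp      aes256-sha1
"""

AES_RE = re.compile(r"^aes(\d+)?$")
VALID_AES_BITS = {"128", "192", "256"}


class Finding(NamedTuple):
    severity: str  # "high" = act now, "review" = needs a human decision
    profile: str
    message: str


def parse_inventory(text):
    """Yield (name, protocol, proposal) from whitespace-separated lines."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        name, protocol, proposal = fields
        yield name, protocol.lower(), proposal.lower()


def check_cipher(name, proposal):
    """Return findings for the cipher token that leads the proposal."""
    if proposal == "-":
        return [Finding("review", name, "no encryption proposal recorded")]
    cipher = proposal.split("-", 1)[0]
    # Compare whole tokens so that "3des" is not mistaken for "des".
    if cipher == "des":
        return [Finding("high", name, "DES (56-bit key) is configured; use AES")]
    match = AES_RE.match(cipher)
    if match:
        bits = match.group(1)
        if bits and bits not in VALID_AES_BITS:
            return [Finding("review", name, f"invalid AES key size {bits}")]
        return []
    return [Finding("review", name, f"cipher {cipher!r} is neither AES nor DES")]


def audit(text):
    """Return findings for every profile, most severe first."""
    findings = []
    for name, protocol, proposal in parse_inventory(text):
        if protocol == "pptp":
            findings.append(
                Finding("high", name, "PPTP tunnel: least secure of the three types")
            )
            continue  # the proposal is moot until the tunnel type changes
        if protocol not in ("ipsec", "ssl"):
            findings.append(
                Finding("review", name,
                        f"tunnel type {protocol!r} is not IPSEC, SSL or PPTP")
            )
        findings.extend(check_cipher(name, proposal))
    findings.sort(key=lambda f: (f.severity != "high", f.profile))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"[{finding.severity:6}] {finding.profile}: {finding.message}")
```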


What Is MyQuickCloud?

MyQuickCloud enables you to work on programs based on a PC at the same time as your clients or employees, without disrupting anyone’s session.


Self Hosting by MyQuickCloud

• Make use of your existing multi‐user license by working with your clients on the same company file, at the same time, from anywhere, using your current hardware and setup

• MyQuickCloud allows you and your clients/employees to work in real time, with all data files remaining on the host PC

• All data, screens, and input are encrypted in transit using 128 bit AES encryption over SSL/TLS encrypted connection

• Connect out to client PCs or allow clients to access your host computer

• Access printers either from your remote location or print to a printer attached to the host PC


My QuickCloud

From your MyQuickCloud dashboard, you can access programs based on the “host” computers either by clicking on a single application or accessing in virtual desktop mode.


My QuickCloud Menus

As the MyQuickCloud administrator, you have the ability to easily create users and edit usernames and passwords without contacting support.


My QuickCloud Menus

Share any program on the host PC and assign permission to access them easily with the users you’ve created.

Anyone Can Self‐Host and Share Programs


My QuickCloud Menus

You can have multiple hosts, so if you’re working with multiple clients, you can access them all from your MyQuickCloud dashboard. Work with all your clients’ versions of QuickBooks from anywhere!


Security

• State‐of‐the‐art SSL/TLS encryption mechanism to protect your data

– MyQuickCloud uses a powerful encryption mechanism (SSL: Secure Socket Layer) for all data transmitted from one computer to another. Only your computers have the keys to decipher the data, meaning that anybody getting hold of the data would not be able to decrypt it. Therefore you can access your desktop from anywhere—your home PC, from a public network, or a shared computer—secure in the knowledge that your data is completely safe.

• End‐to‐end encryption of all your data

– MyQuickCloud has 128‐bit Advanced Encryption Standard (AES) encryption built in. All data, including screen images, file transfers, keyboard and mouse input, and chat text is fully encrypted from end‐to‐end. The encryption key is unique for each connection. The access code itself resides on the host computer and is never transmitted or stored on our servers. For this reason, it is impossible, even with the most sophisticated devices, to intercept the data necessary to decode the encryption. Transmissions cannot be hacked or compromised in any way. This technology is used by all payment pages on the internet and is both secure and reliable.


Remote Desktop Services: Remote Apps and Remote Desktops


Remote Desktop Services

• Like the VPN option, remote desktop services (RDS)—formerly terminal services—uses a client to connect the user to the network. However, instead of a direct connection from the remote device to the network resources, the RDS client connects the user to a server or pool of servers inside the network

• Is a role included in almost all versions of Windows Server

• Client access licenses (CALs) are required for end‐user access to this feature


RDS in a Nutshell

• When using RDP/RDS, I am one of many users getting my apps from a server OS, which is providing:

– Remote apps, which can be server hosted

– Remote desktops, which show a server desktop

• Multiple users simultaneously accessing a terminal window from a single instance of a server OS

• More generic application support, less individual customization for printers, shares

• Many legacy accounting apps do not support RDP/RDS deployment

• Poor audio/video performance

• Roughly analogous to taking the bus or other public transportation:

– Multiple users, single OS instance, limited application support

– Easier to administer, less expensive licensing

Citrix XenApp / MS RDS


RDS Example


Citrix XenApp

• Citrix XenApp uses the same concept and is basically an extension of RDS

• Requires RDS CALs, as well as user licenses for Citrix itself

• Is extremely robust when it comes to printer/scanner compatibility and support, user access and restrictions, and the ability to generically or specifically fine tune performance

• Either a desktop or an application is “published” for users to access either internally or externally


Speeds and Feeds

| Sizing | Microsoft RDS | Citrix XenApp | VDI |
|---|---|---|---|
| Public Practice: Line Speed | 256‐512 kbps | 128‐256 kbps | 64‐128 kbps |
| Public Practice: Number of Users/Server | 30 | 60 | 40 |
| Industry Attendees: Line Speed | 128‐256 kbps | 64‐128 kbps | 32‐64 kbps |
| Industry Attendees: Number of Users/Server | 60 | 120 | 40 |


Virtual Desktop Infrastructure

Usually just called VDI


Virtual Desktop Infrastructure (Citrix XenDesktop/VMware View)

• Similar to Citrix XenApp’s published desktop option 

– However, VDI makes a desktop‐based operating system available, such as Windows 7 and Windows 8

• Unlike with Citrix XenApp, VDI users do not share the same VM simultaneously

• Users access a desktop that is part of a pool or statically assigned to each individual user

• Requires a large amount of infrastructure to run smoothly


What Is Virtualization?

• Creating an instance of an operating system (a “virtual machine” or VM), which runs on generic hardware using a virtual host application, which is called a hypervisor

• Most of your servers should be virtualized now, so you can move to a backup server in an emergency without time‐consuming reconfiguration

• Just as the cargo shipping container is loaded once and can be transported by truck, train, ship, or in some cases, aircraft, virtualization decouples the operating system from the underlying hardware—the same way that shipping containers uncoupled the freight container from the power unit (train/ship/tractor)

• The VMs can run anywhere—with minimal reconfiguration—which makes them wonderful in a disaster recovery scenario


Traditional Servers—Without Virtualization

[Diagram: traditional environment, requires 12+ servers. Each workload runs on its own physical server: ACTIVE DIR, FILE & PRINT, SQL, EXCHANGE, CITRIX1, CITRIX2, CITRIX3, PRACTICE, LOANS, QUICKBOOKS, BRANCH 1, BRANCH 2, plus SERVER1, SERVER2, SERVER3, and SERVER X.]


The VMware ESX Server Hypervisor on Two Physical Servers Does the Same Work as 8‐12 Physical Servers

[Diagram: virtualized environment. Two VM hosts, VMHOST1 and VMHOST2, run the workloads as virtual machines: ACTIVE DIR, SQL, EXCHANGE, CITRIX1, CITRIX2, CITRIX3, LOANS, QUICKBOOKS, BRANCH 1, BRANCH 2.]


Adding a New VMware Host

[Diagram: existing environment. Hosts VMHOST1 and VMHOST2 run the virtual machines CITRIX1, CITRIX2, CITRIX3, CITRIX4, DOMAIN CTRL, LICENSE SERVER, EXCHANGE, LOANS, BRANCH 1, and BRANCH 2.]


Adding a New VMware Host

[Diagram: the existing environment (VMHOST1, VMHOST2) with a new host, VMHOST3, shown beside it. Virtual machines shown: CITRIX1, CITRIX2, CITRIX3, CITRIX4, DOMAIN CTRL, LICENSE SERVER, EXCHANGE, LOANS, BRANCH 1, and BRANCH 2.]


Adding a New VMware Host

[Diagram: the existing environment (VMHOST1, VMHOST2) and the new host VMHOST3. Virtual machines shown: CITRIX1, CITRIX2, CITRIX4, DOMAIN CTRL, LICENSE SERVER, EXCHANGE, LOANS, BRANCH 1, and BRANCH 2.]


Zero Downtime with VMotion

• Use VMotion to evacuate hosts

– Move running applications to other servers without disruption

– Perform maintenance at any time of day

• Automate with DRS maintenance mode

– Automates moving virtual machines to other hosts

– Automates rebalancing after maintenance complete

1. Activate Maintenance Mode for physical host

2. DRS migrates running virtual machines to other hosts

3. Shut down idle host and perform maintenance

4. Restart host and DRS automatically rebalances workloads


VDI with VMware


Remote Desktop Services vs. Virtual Desktop Infrastructure

Remote Desktop Services

• Shared access to one server, runs server OS, and does not run a desktop OS

• Limited choice on apps

• More efficient than VDI, licensing less expensive

Virtual Desktop Infrastructure

• Each user runs a DESKTOP OS VM

– No one else shares your W7/W8 VM, although they may be nearly identical

• More flexible for app deployment

• Licensing, administration are harder, as a VM for each user is needed


RDS vs. VDI

Remote Desktop Services

• Can publish a single app or a desktop

• Products include

– Citrix XenApp

– MS remote desktop services (RDS)

– MS RDS running on VMware Horizon

Virtual Desktop Infrastructure

• Publishes desktop only

• Products include

– Citrix XenDesktop

– Microsoft virtual desktop infrastructure

– VMware Horizon/View


‐vs.‐

• Published desktop runs Server OS—could cause application/printer compatibility issues

• Ability to run app independent of desktop

• Reduces server load, lower total cost of ownership (TCO)

• Centralizes management (both)

• Runs Desktop OS, which enhances software and printer compatibility

• Creates a true desktop experience, customizable for the user in a virtual machine

• Software and printers don’t have to be identical for all users


Strengths and Weaknesses

Performance, Cost, Compatibility, Usability


Strengths and Weaknesses

• Browser‐based remote access

– Least expensive option in most cases

– Direct access to users’ daily use computer

– Can be used from anywhere without installing a client application

– Usually a poor graphical experience for the user

– Keyboard and mouse clicks aren’t always accurate

– Access security isn’t controlled by the firm/company and creates potential back door into data


Strengths and Weaknesses

• Client‐based VPN

– Very cost effective

– Direct access to resources from anywhere

– Strong security and encryption options

– Easy to use and implement

– Slowest of all the options


Strengths and Weaknesses

• Remote desktop services (formerly terminal services)

– Doesn’t require much bandwidth, but more than Citrix

– Easy to install

– Easy to use

– Easy to manage

– Moderate expense compared to the previously listed options

– Easy to scale


Strengths and Weaknesses

• Citrix XenApp

– Most robust of all the options

– Greatest compatibility with all types of devices (iPad, Android, Mac)

– Several additional security options

– Ability to use both local resources and remote resources concurrently and seamlessly

– Requires minimal amounts of bandwidth per user

– Most widely supported option

– Requires a specialized knowledge set to administer, maintain, and tune properly

– Requires additional licensing in addition to RDS

– Runs on a server OS (Windows Server 2008 R2/ WS2012)


Strengths and Weaknesses

• VDI: Citrix XenDesktop and VMware View

– Allows users to use a desktop OS (Windows 7/8/8.1/10)

– Excellent software and printer support

– By far most expensive of the options

– Manufacturers recommend using dedicated hosts and storage just for the VDI environment

– A solid state drive (SSD) is required to achieve optimal (and in some cases acceptable) performance

– Requires an advanced level of hypervisor and storage management to properly implement, maintain, and scale


How Do I Choose?

• There are several factors that will determine which method, or in some cases methods, work best for you

– Budget

– User requirements

– Performance needs

– Application/printer/scanner compatibility

– Bandwidth

– Knowledge of current IT staff


Comparison of Remote Access Options

| Product: | Browser‐Based Solutions | Virtual Private Network | Win Server 12 Remote Desktop Svcs | Citrix XenApp RDS on Win Svr | Virtual Desktop Infrastructure |
|---|---|---|---|---|---|
| Cost: | Very Low | Low | Low/Moderate | Moderate | Very High |
| Performance: | Low | Low/Moderate | High | Best | Moderate/High |
| App/Print Compatibility: | Very High | Very High | Moderate | High | Best |
| Bandwidth Required: | Moderate | Very High | Low/Moderate | Low | Moderate/High |
| Speed: | Moderate | Slow | Fast | Fast | Fast |
| Security: | Low | Very High | Moderate | High | Very High |
| IT Knowledge: | Low | Moderate | Moderate | Moderate/High | Very High |
| Products | WebEx/GoToMyPC | SonicWALL/Cisco | Win Server 08/12 RDS | Citrix XenApp | XenDesktop or VMW Horizon |


What’s Most Important

• As you can see, each option has its own distinct advantages and disadvantages

– Browser‐based options are less expensive and easiest to maintain

o They also yield the worst overall performance and user experience

– VDI has top tier user experience and compatibility

o VDI is also by far the most expensive and difficult to administer and maintain

– Citrix and RDS have the greatest overall balance

o Citrix has the edge overall because of its granular tuning capabilities


Technical Considerations

Hardware, Software, Licensing, and Deployment


Technical Considerations

• There are three main technical aspects to consider when architecting your remote environment

– CPU

o Number of cores

o Type of processor

o Speed of processor

– RAM

o Usually the number of users will dictate this metric

– Storage

o Fast storage will be required to get a smooth user experience


Storage Considerations

• The speed of storage is by far the most overlooked aspect in most industries

• Many of the applications today are becoming extraordinarily disk intensive

• Most of the performance issues occurring today are directly related to the speed of the disks and lack of IOPs

• SSD drives are becoming a near necessity


IOPs—Examples of IOPs Speeds

• Input/output operations per second (IOPs)

– Defines how quickly the storage can process the data

• SAS spindle disk max IOPs is 180/disk, then you have to apply penalties for different types of RAID

• SSD yields about 20,000‐plus IOPs/disk—penalty

• This is the most critical component of VDI performance!


Concerns

• Lack of expertise of installers, internal or external

• Cutting corners on critical hardware items (SAN, Firewall, switches)

• Knowledge of how to make applications work


Dozens of Right Ways to Implement Technology, Hundreds of Wrong Ways

| Component | Good | Better | Best |
|---|---|---|---|
| Firewall | True Firewall | Security Services | Managed |
| Gigabit Switch | Layer 2‐Trunking | Stacked Backplane | Layer 3 Chassis |
| Cabling | CAT 6A | CAT 6AF | CAT 7A |
| Server | Tower | Rack Xeon | Rack Xeon |
| SAN | iSCSI | SATA | Fiber Channel |
| Storage | 15K Drives | SSD | Z‐Wave SSD |
| Workstation | Core i5 8GB | Core i7 8GB | Core i7 16GB |
| Monitor | Two 22” | Three 24” | One‐Two 27‐32” |
| Virtualization | VMware ESXi | VMware Essentials+ | VMware Enterprise |
| Remote | Microsoft RDS | Citrix XenApp | Citrix XenDesktop or VMWare View |


Sizing Technology—Minimally Acceptable, Stronger Is Better

| Component | 1‐15 | 10‐50 | 30‐200+ |
|---|---|---|---|
| Firewall | Sonicwall TZ300w | Sonicwall TZ400w | Sonicwall NSA 2600 |
| Switch | HP 1820 | HP 2920 | HP 5400 |
| Cabling | CAT 6 | CAT 6A | CAT 6A |
| Server | HP ML350 | HP DL360 | HP DL380 |


Technology Cookbook

• Servers/workstations

– Windows Server 2012 R2

– Windows 8/10, Office 2013/6

• Infrastructure

– VMware ESX HA and SAN—virtualize servers

– Citrix XenApp, XenDesktop, or VMware Horizon View VDI

– Backup appliances

– SonicWALL NSA3600/TZ400w

– Gigabit over CAT 6af

– ShoreTel, Mitel, Avaya, Cisco, Trixbox, Fonality, for VOIP phones

– Sufficient UPS

• Security

– Firewall gateway protection

– Webroot, other antivirus

– Disk Encryption—BitLocker, PGP, or data encryption

– Email encryption—Reflexion, ZixCorp, or Protected Trust

– Adobe Acrobat DC (document cloud)

– Retention and other policies

• Mobile device management

– Security

– Apps

• Web

– Portal, SEO, localization


Security Considerations

Anti‐Virus, Firewalls, Security Policies


Security Risks

• Depending on the method, there can be many different forms of security risks

– For this presentation, we address the most common

• By far the largest risk to a company utilizing remote access is to allow users to save passwords

– Saving passwords allows anyone with access to the device (short‐ or long‐term) to gain immediate access to all network resources the respective user has

– Not having a policy to prevent saved passwords places any data compromise responsibility solely on the organization


Security Risks

• Mobile devices, though they are quickly becoming a near necessity in our industry, are one of the greatest risks to a company if not properly managed

– According to the “Accounting Firm Operations and Technology Survey, 2015,” 88% of those surveyed stated they did not use any type of mobile device management (MDM) software

– This means if the device is lost or stolen (or even just left lying around), anyone with access to the device may have near unrestricted access to company and client data


Security Risks

• Not implementing security altogether is surprisingly still a major issue across the board

– One of the biggest reasons security is not used is complexity pushback from end‐users

– Another surprisingly large reason for not using security is that IT either does not know how to properly implement secure remote access or does not know that no security is enabled by default

– Countless times, security is either minimized or turned off altogether because IT didn’t know how to overcome application compatibility issues


So How Do I Mitigate These Risks?

• Naturally with all problems, the first thing to do is to identify them

– This can be done either internally or contracted out

• The next step is to determine which risks are acceptable/necessary

– IT is a world in which usability and security need a balance (think UAC in Windows); because of this, it is nearly impossible to have 100% security

• Finally, a plan should be put together to determine how these risks will be eliminated, either by company policy, hardware, or software


Mitigating Risks—Identifying the Risk

• As previously mentioned, finding risks can be completed either internally or by an external contractor

• There are several risks to look out for during this process

– Organizational policies

o Process for physically removing devices (encryption, check‐out, etc.)

o Mandated password policy

– Antivirus

o Is it installed everywhere

o Level of active protection

o There are a multitude of circumstances in which a virus can get from the remote device to the internal network


Mitigating Risks—Identifying the Risk

• Password policies

– Are you allowing users to save their credentials

– Are you implementing strong passwords

– Do not allow users to share their passwords with anyone 

• Encryption

– Always use secure connections when accessing remotely

– Encrypt all company devices that will leave the office

• Mobile devices

– Ensure that you have some level of control and security with mobile devices


Mitigating Risks—Determining Acceptable Risk

• Should be handled carefully and thoroughly

• Executive management should always be involved

• User input should be considered 

– User input should not directly dictate the end result

• An example of an acceptable risk may be to disable User Account Control (UAC) because an application does not work and/or is not supported when it is active


Mitigating Risks—Implementing the New Plan

• Identifying the risk and putting a plan together does the financial institution no good if it is not implemented

• In most circumstances, it is not recommended to make several major changes all at once, as doing so makes it difficult to find the root cause when a problem emerges from the change

• Always keep management involved if the plan needs to be altered or diverted

• Test all changes extensively and ensure all issues are addressed in a manner that finds the greatest balance between security and usability


Security Guidance

Key Items To Consider


Security

• In data centers—NSA, U.S.A. Freedom Act (replaced some Patriot Act provisions)

• Malware—ZeusVM—Deutsche Bank, Wells Fargo, Barclays using steganography (disguises crucial configuration code in a digital photo)

• Encryption—less effective

• Protection—sophisticated bad guys bypassing

– In firewalls—ASUS router exploit, files exposed

– In antivirus

• Password managers


Antivirus Software

• WebRoot

• VIPRE

• BitDefender

• AVG CloudCare

• Endpoint protection not as effective

– Symantec endpoint protection

– McAfee endpoint protection


Password Managers

• LastPass 3.0 (free)/LastPass Premium ($12/yr)

• RoboForm Everywhere 7/Desktop 7

• Password Depot

• Citrix Password Manager

• Windows Password Manager

• Dashlane

• Keeper 5.0

• MyLOK Personal

• Norton Identity Safe (free)

• PasswordBox

• KeePass (free)


Needed No Matter What Solution

• Com line(s), firewall/switch, cabling/wireless

[Diagram: Internet connection over redundant com lines (Cable/DSL/MPLS/T1)]


Firewall

• SonicWALL

– Larger networks NSA 3600 $3995

– Small networks TZ300w $1000

– Homes TZSOHO $495

– Use high availability, automatic failover

• WatchGuard

• Cisco

• Fortinet

• CheckPoint


Communication Lines (Best to Worst)

• Metro Ethernet

• MPLS (multiprotocol label switching)

• Verizon FIOS and AT&T U‐Verse GigaPower (fiber)

• Cable modem (Charter, Comcast, Cox, Time Warner)

• Digital Subscriber Line (DSL) and AT&T U‐Verse (DSL)

• Dialup over plain old telephone system (POTS)


Mobile Device Management

Considerations for Proper Protection


Why Do Organizations Need to Manage Mobile Devices?

• So many information workers carry mobile units and use them to store or access private information

• Business professionals simply need to understand the fact that a company’s network is no longer contained within a physical location

• It has been extended to include anyplace that company workers go while using portable devices

• Since the network is not in a place that can be physically secured, mobile device management tools and policies are needed to extend security to less controlled venues


What Are We Trying to Control?

There are many aspects of security for portable technology. For simplicity’s sake, we will group them into five categories:

1. Application installation

2. Data access

3. Device security

4. Connectivity to corporate resources

5. Device tracking


Application Installation

• If a company provides a technology asset to an employee, such as a laptop computer, they must control the introduction of nonbusiness applications 

• IT staffers that inspect devices often find a wide array of games or other applications that have been installed

• Added software can use unit resources, track information, and may lower overall device security 

• Technology controls, such as limits on those with rights to install applications, can serve as the means to keep unauthorized software off of company owned devices


Data Access

• There are two basic types of data we are concerned about:

1. Data which is stored on a mobile device

2. Content retrieved with a mobile device

• Some of the best controls limit the amount and the nature of information that is actually resident on mobile units

• Additionally, policies that add security to carried content, such as the requirement of encryption or automatic data removal routines for devices that are lost or stolen, should be deployed

• If information is not stored but is connected to and viewed, risk is reduced; however, policies that require periodic password changes as well as requirements to report lost units in a timely manner are needed


Device Security

• Security measures resident on mobile technology are paramount

• Policies that should be viewed not just as beneficial, but as requirements, include:

– The requirement of a password to unlock a smartphone

– Data removal routines

– Use of antivirus products for portable computing units (even smartphones)


Connectivity to Corporate Resources

• Many people, in order to make connecting to corporate resources with mobile devices a bit less cumbersome, have the unit “remember” the username and password used to authenticate the user to the resource

• Moreover, they again, for ease of use reasons, do not have password locks on their tablets, laptops, or smartphones

• Rules restricting stored passwords for connectivity to corporate resources, and controls requiring device passwords, are important security measures organizations should consider


Kill Switch Legislation for Smartphones

• The federal Smartphone Theft Prevention Act would require that all mobile phones sold in the U.S. include a “kill switch,” which would remotely erase data as well as render the phone inoperable if stolen

• A similar bill is now law in California

• We expect this law to be a de facto national requirement, as carriers will likely make this feature available to all users

• The closest thing to a kill switch already in the market is Apple’s Activation Lock feature available with iOS


Device Tracking

• Most organizations and individuals would agree that the ability to track a lost or stolen device would be beneficial

• Policies requiring mobile device management tools, or other device tracking tools, should be a component of any set of internal controls designed for mobile computing devices

• Proxim has a tracking device for locating your mobile devices and even your keys


What Types of Devices Should Be Included?

• A large number of organizations have good or even excellent policies that govern the use of laptop computers, but these policies fail to address the ever‐increasing importance of smartphones and tablets

• Organizations should identify all mobile units that represent an area of risk and develop policies to keep them as safe as possible

• A mobile device management initiative should include both legacy phones and smartphones, tablets, phablets, ultrabooks, and laptops


Mobile Devices to Control


How Organizations Create an Effective Mobile Device Policy

• Organizations that wish to create effective policies must first identify all of the devices in use by company workers

• As management defines included devices, they must be aware of not only company‐owned assets, but also portable technology that is owned by employees and used in conjunction with their work efforts

• These units, categorized as bring your own device (BYOD) tools, often connect to or store company or client‐owned data and represent a risk when they are lost, stolen, or otherwise compromised


How Organizations Create an Effective Mobile Device Policy

• Any policy that relates to technology must be reviewed regularly and updated to address changes in the tools used and the manner in which employees operate

• Organizations that created very strong, well‐thought‐out email policies three or four years ago may not have addressed mobile email on personal devices, because no one in the organization had mobile email on personal devices at that time—now they do

• A regular review of existing controls will highlight the need for updated rules and regulations


Create and Implement Appropriate Controls 

• After the organization has an understanding of the devices in use and of the data stored on them, an effective set of internal controls can be created

• Mobile controls can be broken into two categories:

1. Policies

2. Control‐oriented technology tools

• Each category is a necessary component of the mobile internal control structure, and an organization with a weakness in either area is inhibiting security


Mobile Device Policies

• Policies are the rules that govern the use of mobile devices and the data stored on or accessed by them

• Rules such as, “Do not leave a device unattended in a public place,” “Do not view sensitive information in a location where others might see it,” or “Secure a laptop computer before traveling so it will not be damaged” are all steps that must be carried out by the end‐user

• There is no laptop application that sends an electric shock through the keyboard if the user is viewing payroll information on a crowded airplane

• Workers follow policies because they make sense or because they risk discipline if they do not comply

• Sample policies available


Policy Enforcement Tools

• There are technology tools that add security in an automated fashion

• They are installed onto a mobile device, and once configured, make it more secure

• One application segment, MDM software, is quickly becoming an important security add‐on for mobile devices of all types

– These products can push automated policies, like a requirement to lock a device that is not in use, to all controlled units

• There are also policy configurators that can help enforce device usage rules 


Security Functionality Built into Mobile Technology 

• One of the first and best lines of defense is the security capabilities built into the devices 

• There are three major operating systems in use on portable technology units: 1) Apple’s iOS; 2) Google’s Android; and 3) Microsoft’s Windows

– Each has security features that organizations should consider integrating into their policies

• Unfortunately, many users disable security functionality because it adds steps


Security Configuration Tools

• Many organizations, both large and small, have policies in place that require the use of the security capabilities resident on mobile technology

• A number of software applications exist that can help organizations that wish to “force” policy use for mobile units 

• Microsoft Exchange mobile device mailbox policies

• Apple Configurator tool, now only on Mac OS X

– iPhone Configuration Utility for Windows no longer available 


Microsoft Exchange Mobile Device Mailbox Policies

• Alphanumeric password required

• Device password enabled

• Device password expiration

• IRM enabled

• Maximum device password failed attempts

• Maximum inactivity device time lock

• Minimum device password complex characters

• Minimum device password length

• Require device encryption

• Remote wipe
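The settings listed above correspond to properties on Exchange mobile device mailbox policy objects. The following added example (not part of the course material) audits policies against a baseline; the helper name Test-MobilePolicyBaseline, the threshold values, and the sample policies are assumptions constructed for illustration. Remote wipe is an on-demand action rather than a policy setting, so it is not checked.

```powershell
# Added example: audit mobile device mailbox policies against a baseline.
# Property names match the output of Get-MobileDeviceMailboxPolicy; the
# threshold values below are assumptions for illustration, not course values.
$Baseline = [ordered]@{
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $true
    RequireDeviceEncryption      = $true
    IrmEnabled                   = $true
    MinPasswordLength            = 8                        # at least
    MinPasswordComplexCharacters = 3                        # at least
    MaxPasswordFailedAttempts    = 10                       # at most
    MaxInactivityTimeLock        = [timespan]'00:05:00'     # at most
    PasswordExpiration           = [timespan]'90.00:00:00'  # at most
}

# Hypothetical helper name. Emits one row per policy/setting pair.
function Test-MobilePolicyBaseline {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Policy,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    process {
        foreach ($name in $Baseline.Keys) {
            $want = $Baseline[$name]
            # Stringify first: Exchange reports open-ended limits as 'Unlimited'.
            $text = "$($Policy.$name)"
            $ok = if ($want -is [bool]) {
                $text -eq "$want"
            } elseif ([string]::IsNullOrEmpty($text) -or $text -eq 'Unlimited') {
                $false                      # unset or unlimited never meets a limit
            } elseif ($name -like 'Min*') {
                [int]$text -ge $want        # minimums: actual must be at least
            } elseif ($want -is [timespan]) {
                [timespan]$text -le $want   # durations: actual must be at most
            } else {
                [int]$text -le $want        # counts: actual must be at most
            }
            [pscustomobject]@{
                Policy    = $Policy.Name
                Setting   = $name
                Required  = "$want"
                Actual    = if ($text) { $text } else { '(not set)' }
                Compliant = $ok
            }
        }
    }
}

# Constructed sample objects so the check runs without an Exchange session.
$samplePolicies = @(
    [pscustomobject]@{
        Name                         = 'Constructed-Lax'
        PasswordEnabled              = $false
        AlphanumericPasswordRequired = $false
        RequireDeviceEncryption      = $false
        IrmEnabled                   = $true
        MinPasswordLength            = $null
        MinPasswordComplexCharacters = 1
        MaxPasswordFailedAttempts    = 'Unlimited'
        MaxInactivityTimeLock        = 'Unlimited'
        PasswordExpiration           = 'Unlimited'
    }
    [pscustomobject]@{
        Name                         = 'Constructed-Hardened'
        PasswordEnabled              = $true
        AlphanumericPasswordRequired = $true
        RequireDeviceEncryption      = $true
        IrmEnabled                   = $true
        MinPasswordLength            = 10
        MinPasswordComplexCharacters = 3
        MaxPasswordFailedAttempts    = 8
        MaxInactivityTimeLock        = '00:15:00'   # longer than the baseline allows
        PasswordExpiration           = '60.00:00:00'
    }
)

# Show only the settings that drift from the baseline.
$samplePolicies |
    Test-MobilePolicyBaseline -Baseline $Baseline |
    Where-Object { -not $_.Compliant } |
    Format-Table Policy, Setting, Required, Actual -AutoSize

# In an Exchange Management Shell session, audit the live policies instead:
#   Get-MobileDeviceMailboxPolicy | Test-MobilePolicyBaseline -Baseline $Baseline
```

The hardened sample still fails on the inactivity lock, which shows why each setting is checked individually rather than trusting a policy's name.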


Android for Work

• Announced in February 2015

• Built into Android 5 (Lollipop) and available through a downloadable app on Android 4+ devices

• Segregates business data in a work profile, which is encrypted and separate from personal apps and data

• Business data can be remotely wiped

• Apps are approved, configured, and deployed by IT and distributed by Google Play for Work


Android for Work

• Significant external partnerships include the following:


Mobile Device Management Software

• As an increasing number of mobile devices are placed into service for business organizations, the need to control these units also escalates

• The amount of risk related to mobile units is growing

• Because of this mounting risk, an application software segment, known as mobile device management, has emerged to give organizations and individuals the means to mitigate the threat


What Mobile Device Management Applications Offer

• MDM applications generally provide for wide‐area network distribution of forced configuration settings for mobile devices

• Strong MDM suites include tools to support mobile phones, smartphones, phablets, tablets, and laptops

• Additionally, other mobile devices that contain data storage capabilities, such as mobile printers and mobile point‐of‐sale tools, may also be covered by an MDM deployment


What Mobile Device Management Applications Offer

• One benefit of an MDM package is that it not only controls company‐owned technology units, but can also be used on BYOD devices, which connect to corporate resources

• Once deployed, an MDM product creates three types of controls:

1. Configuration governance

2. Device usage limits

3. After the fact tools


Device Security Software

• Some of the products available include

– AirWatch

– MobileIron

– Good

– MaaS360 MDM

– XenMobile (by Citrix)

– Symantec MDM

– 3CX

– and many others…


Summary

• There are many remote access methods and products from which to choose

• The most important factor is doing your research internally and finding what method and product combination works best for your company

• Finding a balance between usability and security is a crucial and commonly overlooked element when designing and implementing your strategy


Summary

• Paying close attention to your users’ needs and issues will greatly contribute to the success of your deployment

• When purchasing hardware, pay close attention to the type and speed of the processor

• Picking the correct storage type and speed is equally important and crucial for long‐term use

• If possible, avoid making multiple, significant changes all at once; this will ensure a smooth transition with minimal user impact


Remote Access Best Practices

Randy Johnston, M.C.S.

CEO, Network Management Group, Inc.

Exec VP, K2 Enterprises

Thank You for Being Here!


Review Questions

The review questions accompanying this course are designed to assist you in achieving the course learning objectives. The review section is not graded; do not submit it in place of your qualified assessment. While completing the review questions, it may be helpful to study any unfamiliar terms in the glossary in addition to course content. After completing the review questions, proceed to the review question answers and rationales.

1. Which of the following statements regarding browser-based options is accurate?

a. The agent creates a virtual private network which is used to access a remote device.

b. A browser-based option requires the remote computer to be on and accessible.

c. The remote computer needs to run a server operating system in order to be remotely accessed.

d. The benefit (beyond remote access) is that the remote user and the local user can do different things on the PC at the same time.

2. What is one of the biggest security risks with respect to a client-based VPN?

a. There is no encryption between the remote user and the client-based VPN.

b. The client-based VPN is compromised by the remote user accessing the network.

c. If a remote user accesses a client-based VPN from a home network, anyone on that network can also gain access to the client-based VPN.

d. Access to the client-based VPN requires a wireless connection which puts the remote user at risk of cyber-eavesdropping.

3. Which of the following statements is accurate regarding RDS?

a. It requires more general application support and requires less customization than other options.

b. Users will be accessing a single computer.

c. Audio and video performance is a higher quality than most other remote options.

d. Licensing can be expensive.

4. Which of the following is accurate regarding browser-based remote access?

a. It does not allow direct access to a user’s daily use computer.

b. It requires all users to have the same printer configuration.

c. It provides a higher graphic user experience than some other options.

d. The mouse and keyboard clicks are not always accurate.


5. Which of the following statements about technology is accurate?

a. The best option for a firewall is True Firewall.

b. A good option for the gigabit switch is CAT 7A.

c. The best option for virtualization is VMware Enterprise.

d. The best option for remote connection is Microsoft RDS.

6. Mobile controls can be broken down into:

a. Access controls and data retention controls.

b. Policies and technology tools.

c. Policies and data retention tools.

d. Access controls and technology tools.


Review Question Answers and Rationales

Review question answer choices are accompanied by unique, logical reasoning (rationales) as to why an answer is correct or incorrect. Evaluative feedback to incorrect responses and reinforcement feedback to correct responses are both provided.

Section 1

1. Which of the following statements regarding browser-based options is accurate?

a. The agent creates a virtual private network which is used to access a remote device. Incorrect. This method requires the agent to reside on the remote device in order to access it but it does not create a virtual private network.

b. A browser-based option requires the remote computer to be on and accessible. Correct. The agent is installed on the remote computer, that computer is on and accessible, and the user can remotely access it from a remote location.

c. The remote computer needs to run a server operating system in order to be remotely accessed. Incorrect. The remote computer can run a server OS or a desktop OS.

d. The benefit (beyond remote access) is that the remote user and the local user can do different things on the PC at the same time. Incorrect. The drawback is that the remote user and the local user cannot work at the same time.

2. What is one of the biggest security risks with respect to a client-based VPN?

a. There is no encryption between the remote user and the client-based VPN. Incorrect. Such a connection uses either AES or DES encryption.

b. The client-based VPN is compromised by the remote user accessing the network. Incorrect. The connection is encrypted.

c. If a remote user accesses a client-based VPN from a home network, anyone on that network can also gain access to the client-based VPN. Correct. This is a common weakness of the client-based VPN solution.

d. Access to the client-based VPN requires a wireless connection which puts the remote user at risk of cyber-eavesdropping. Incorrect. Connection does not require a wireless connection.

3. Which of the following statements is accurate regarding RDS?

a. It requires more general application support and requires less customization than other options. Correct. Since all users are accessing one server, the support is more general and requires less customization.

b. Users will be accessing a single computer. Incorrect. Users access a server.

c. Audio and video performance is a higher quality than most other remote options. Incorrect. Audio and video performance tends to be poor compared to other options.

d. Licensing can be expensive. Incorrect. Licensing is usually inexpensive per user.


4. Which of the following is accurate regarding browser-based remote access?

a. It does not allow direct access to a user’s daily use computer. Incorrect. This option does allow direct access to the user’s normal computer.

b. It requires all users to have the same printer configuration. Incorrect. The browser-based option provides flexibility for the user with printer configuration.

c. It provides a higher graphic user experience than some other options. Incorrect. This option results in a lower graphic user experience than some other options.

d. The mouse and keyboard clicks are not always accurate. Correct. With a browser-based option, the mouse and keyboard may not be as accurate as with other options.

5. Which of the following statements about technology is accurate?

a. The best option for a firewall is True Firewall. Incorrect. True Firewall is a good option but the best is a managed firewall.

b. A good option for the gigabit switch is CAT 7A. Incorrect. CAT 7A is the best option for a gigabit switch.

c. The best option for virtualization is VMware Enterprise. Correct. The good option is VMware ESXi, the better option is VMware Essentials + and the best option is the VMware Enterprise.

d. The best option for remote connection is Microsoft RDS. Incorrect. Microsoft is the good option but the best option is Citrix XenDesktop or VMWare View.

6. Mobile controls can be broken down into:

a. Access controls and data retention controls. Incorrect. The controls fall into one of two main categories: policies and technology tools.

b. Policies and technology tools. Correct. These are the two main components of mobile controls.

c. Policies and data retention tools. Incorrect. Data retention falls with the policies category.

d. Access controls and technology tools. Incorrect. Access controls could fall under both of the main categories of policies and technology tools.


Glossary

This is a glossary of key terms with definitions. Please review any terms with which you are not familiar.

Advanced Encryption Standard (AES): An encryption algorithm that secures a connection between a remote user and the network.

Browser-based options: A method of working remotely that depends on an agent to be installed on the respective device and is accessed through a web browser to remotely access the device.

Central Processing Unit (CPU): Sometimes referred to simply as the central processor, but more commonly called processor, the CPU is the brains of the computer where most calculations take place.

Client Access License (CAL): A license required for remote desktop services.

Client-based VPN: A direct connection to the internal network from an external device via a VPN client.

Data Encryption Standard (DES): An encryption algorithm which secures a connection between a remote user and the network.

Hypervisor: A virtual host application used in virtualization.

Input/output operations per second (IOPs): A common performance measurement used to benchmark computer storage devices like hard disk drives (HDD), solid state drives (SSD), and storage area networks (SAN).

Internet protocol security (IPsec): A set of protocols that provides security for Internet Protocol. It can use cryptography to provide security. IPsec can be used for the setting up of virtual private networks (VPNs) in a secure manner. Also known as IP Security.

Mobile Device Management (MDM): A technology tool which can be installed on mobile devices to manage device security. This software creates three types of controls: configuration governance, device usage limits, and after the fact tools.

Multiprotocol Label Switching (MPLS): A type of data-carrying technique for high-performance telecommunications networks that directs data from one network node to the next based on short path labels rather than long network addresses, avoiding complex lookups in a routing table.

MyQuickCloud: An application which allows multiple users to work on the same application on the same machine at the same time.

POTS: An acronym for Plain Old Telephone System.


Point-to-Point Tunneling Protocol (PPTP): A method for implementing virtual private networks.

Remote Desktop Services (RDS): A method of remote computing in which the user connects to a server in order to work. It can include access to applications, data, and printers.

Remote Direct Memory Access (RDMA): A technology that allows computers in a network to exchange data in main memory without involving the processor, cache, or operating system of either computer.

Secure Sockets Layer (SSL): A method for implementing virtual private networks.

Solid-state drive (SSD): A storage device containing nonvolatile flash memory, used in place of a hard disk because of its much greater speed.

Steganography: A technology which disguises crucial configuration code in a digital photo.

User Access Control (UAC): A feature that was designed to prevent unauthorized changes to a computer. When functions that could potentially affect the computer's operation are made, UAC will prompt for permission or an administrator's password before continuing with the task.

Virtual Desktop Infrastructure (VDI): A method of multiple-user remote access where each user runs a desktop OS virtual machine.

Virtual Machine (VM): A software computer that, like a physical computer, runs an operating system and applications. The virtual machine is comprised of a set of specification and configuration files and is backed by the physical resources of a host.

Virtual Private Network (VPN): A method of remotely accessing a work station which creates an encryption tunnel between the user and the secure servers which blocks communication with anyone other than the VPN host server and the user.

Virtualization: Creating an instance of an operating system (a virtual machine) which runs on generic hardware using a virtual host application that decouples the operating system from the underlying hardware. They can run anywhere with minimal reconfiguration.

VMotion: A tool used to evacuate hosts which can move running applications to other servers without disruption and performance maintenance at any time during the day.


Index

A
About K2 Enterprises ... 0:02:01
Adding a New VMware Host 1 ... 0:45:12
Adding a New VMware Host 2 ... 0:45:17
Adding a New VMware Host 3 ... 0:45:24
Android for Work ... 1:41:56
Android for Work ... 1:42:06
Antivirus Software ... 1:28:25
Anti-Virus, Firewalls, Security Policies Security Considerations ... 1:20:21
Application Installation ... 1:33:50

B
Browser-Based Options 1 ... 0:06:05
Browser-Based Options 2 ... 0:06:52
Browser-Based Options 3 ... 0:09:23

C
Citrix XenApp ... 0:31:55
Client-Based VPN 1 ... 0:13:55
Client-Based VPN 2 ... 0:18:14
Communication Lines (Best to Worst) ... 1:31:02
Comparison of Remote Access Options ... 1:07:24
Concerns ... 1:18:49
Connectivity to Corporate Resources ... 1:35:44
Considerations for Proper Protection: Mobile Device Management ... 1:32:37
Create and Implement Appropriate Controls ... 1:38:49

D
Data Access ... 1:34:16
Device Security ... 1:35:07
Device Security Software ... 1:43:47
Device Tracking ... 1:37:08
Dozens of Right Ways to Implement Technology, Hundreds of Wrong Ways ... 1:19:14

F
Firewall ... 1:30:18
Five Variants of Remote Access ... 0:04:08

H
Hardware, Software, Licensing, and Deployment – Technical Considerations ... 1:09:13
How Do I Choose? ... 1:06:04
How Organizations Create an Effective Mobile Device Policy 1 ... 1:38:04
How Organizations Create an Effective Mobile Device Policy 2 ... 1:38:27


I
IOPs—Examples of IOPs Speeds .......... 1:14:12

K
K2 Enterprises Websites .......... 0:02:18
Key Items To Consider – Security Guidance .......... 1:26:39
Key Methods of Remote Access .......... 0:05:14
Kill Switch Legislation for Smartphones .......... 1:36:42

L
Learning Objectives .......... 0:03:38

M
Microsoft Exchange Mobile Device Mailbox Policies .......... 1:41:28
Mitigating Risks—Determining Acceptable Risk .......... 1:25:40
Mitigating Risks—Identifying the Risk 1 .......... 1:24:13
Mitigating Risks—Identifying the Risk 2 .......... 1:24:49
Mitigating Risks—Implementing the New Plan .......... 1:26:04
Mobile Device Management Software .......... 1:42:16
Mobile Device Policies .......... 1:39:25
Mobile Devices to Control .......... 1:37:53
My QuickCloud .......... 0:23:10
My QuickCloud Menus 1 .......... 0:23:33
My QuickCloud Menus 2 .......... 0:23:54
My QuickCloud Menus 3 .......... 0:24:07

N
Needed No Matter What Solution .......... 1:29:42

P
Password Managers .......... 1:28:53
Performance, Cost, Compatibility, Usability Strengths and Weaknesses .......... 1:01:49
Pictures .......... 0:00:53
Policy Enforcement Tools .......... 1:40:31

R
RDS Example .......... 0:31:19
RDS in a Nutshell .......... 0:27:43
RDS vs. VDI .......... 0:59:50
Remote Access Best Practices .......... 0:00:00
Remote Desktop Services .......... 0:26:06
Remote Desktop Services vs. Virtual Desktop Infrastructure .......... 0:58:11
Remote Desktop Services: Remote Apps and Remote Desktops .......... 0:24:50

S
Security 1 .......... 0:24:27
Security 2 .......... 1:26:40
Security Configuration Tools .......... 1:41:07
Security Functionality Built into Mobile Technology .......... 1:40:48
Security Risks 1 .......... 1:21:07
Security Risks 2 .......... 1:21:49
Security Risks 3 .......... 1:20:33
Self Hosting by MyQuickCloud .......... 0:22:25
Session Description .......... 0:02:35
Sizing Technology—Minimally Acceptable, Stronger Is Better .......... 1:19:42
So How Do I Mitigate These Risks? .......... 1:23:10
Speeds and Feeds .......... 0:35:24
Storage Considerations .......... 1:13:29
Strengths and Weaknesses 1 .......... 1:01:59
Strengths and Weaknesses 2 .......... 1:02:45
Strengths and Weaknesses 3 .......... 1:03:04
Strengths and Weaknesses 4 .......... 1:03:41
Strengths and Weaknesses 5 .......... 1:05:10
Summary 1 .......... 1:44:58
Summary 2 .......... 1:47:39

T
Technical Considerations .......... 1:09:43
Technology Cookbook .......... 1:19:58
Thank you for being here! .......... 1:48:55
The VMware ESX Server Hypervisor on Two Physical Servers Does the Same Work as 8-12 Physical Servers .......... 0:44:54
Traditional Servers—Without Virtualization .......... 0:44:33

V
VDI with VMware .......... 0:46:46
Virtual Desktop Infrastructure 1 .......... 0:41:11
Virtual Desktop Infrastructure 2 .......... 0:41:36
Virtual Private Networks .......... 0:12:20

W
What About NMGI? .......... 0:01:25
What About Randy? .......... 0:00:21
What Are We Trying to Control? .......... 1:33:36
What is MyQuickCloud? .......... 0:21:43
What Mobile Device Management Applications Offer 1 .......... 1:43:04
What Mobile Device Management Applications Offer 2 .......... 1:43:21
What Types of Devices Should Be Included? .......... 1:37:34
What’s Most Important .......... 1:08:30
Which Is Virtualization? .......... 0:43:18
Why Do Organizations Need to Manage Mobile Devices? .......... 1:32:48

X
XenApp vs Citrix XenDesktop .......... 1:00:43

Z
Zero Downtime with VMotion 1 .......... 0:45:35
Zero Downtime with VMotion 2 .......... 0:46:03
Zero Downtime with VMotion 3 .......... 0:46:08
Zero Downtime with VMotion 4 .......... 0:46:15
Zero Downtime with VMotion 5 .......... 0:46:24


Qualified Assessment Remote Access Best Practices

Course # 2164592, Version 2004

Publication/Revision Date: April 2020

Course Expiration Date Per AICPA and NASBA Standards (S9-06), QAS Self-Study courses must include an expiration date that is no longer than one year from the date of purchase or enrollment.

Complete this assessment online at www.westerncpe.com and receive your certificate and results instantly!

1. With respect to security in a browser-based environment:

a. Security is managed by the web provider.
b. As long as one password on one machine is strong, you will have strong security.
c. Both computers can be vulnerable to attack based on the “weakest link” between the two devices so it is important to have anti-virus on both machines.
d. Once the agent is installed on both computers, you will not need passwords.

2. One of the disadvantages of a virtual private network (VPN) is that:

a. It is more expensive than a browser-based method.
b. It is more susceptible to being hacked than a browser-based method.
c. The speed of communication is based solely on the speed of the connection.
d. Communication is slowed due to the encryption and decryption between the host and the remote user.

3. Which of the following common types of VPNs is built into Windows?

a. IPSEC.
b. SSL.
c. DES.
d. PPTP.

4. Which of the following allows the most users?

a. Citrix XenApp.
b. Microsoft RDS.
c. VDI.
d. MyQuickCloud.


5. Which of the following statements is accurate regarding VDI?

a. VDI does not require a large infrastructure to run smoothly so is great for small businesses.
b. Users access a desktop that is part of a pool or is strategically assigned to them.
c. Users must share the same VM.
d. VDI uses a server operating system.

6. Which of the following has the best rank for app and print compatibility?

a. Browser-based solutions.
b. Virtual desktop infrastructure.
c. Virtual private network.
d. Win Server 12 remote desktop.

7. What is the recommended number of processors per virtual machine?

a. 1.
b. 4.
c. 6.
d. 10.

8. What is the most critical component of VDI performance?

a. RAM.
b. Processor speed.
c. Number of cores.
d. IOPs.

9. Which of the following is cited as the best communication line?

a. Cable Modem.
b. MPLS.
c. Metro Ethernet.
d. DSL.

10. Which of the following is a good risk-reduction policy for mobile devices but is not a requirement?

a. A policy to have a password to unlock the device.
b. A policy to only view data on the device but not store it.
c. A policy to use a data removal routine on the device.
d. A policy to use antivirus products on devices.


Answer Sheet Remote Access Best Practices

Course # 2164592, Version 2004 2 CPE Credits

Date:

Name: Phone:

Address:

City: State: Zip:

Fax: E-mail*:

*E-mail address MUST be unique (not shared with another CPA) for Western CPE to grade your assessment

Name of purchaser (if other than person taking assessment):

If course was purchased as part of the MEGA TAX LIBRARY please include $4/credit for grading:

VISA/MC/Discover/Amex # Exp.

Course expires 1 Year from date of purchase or enrollment

Online Grading: visit www.westerncpe.com to complete your assessment online and receive your certificate of completion and results instantly.

1. ___ 3. ___ 5. ___ 7. ___ 9. ___

2. ___ 4. ___ 6. ___ 8. ___ 10. ___


Course Evaluation Remote Access Best Practices

Course # 2164592, Version 2004

Thank you for taking the time to fill out this course and customer experience evaluation. Your responses help us to build better courses and maintain the highest levels of service. If you have comments not covered by this evaluation, or need immediate assistance, please contact us at 800.822.4194 or [email protected].

Course and Instructor Evaluation

1. Please answer the following related to the content of the course:

Strongly Disagree | Disagree | Neutral | Agree | Strongly Agree

The stated learning objectives were met. O O O O O

The course materials were accurate, relevant, and contributed to the achievement of the learning objectives. O O O O O

The stated prerequisites were appropriate and sufficient. O O O O O

Based on 50 minutes per credit hour, the time to take this course accurately reflects the credit hours assigned to it. O O O O O

The instructor was knowledgeable and effective. O O O O O

2. Were there any questions you felt were confusing or had incorrect answers listed? If so, please give the question number and a brief description of the issue:

3. Please provide any additional comments specific to the educational content or author of this course:


4. Do you have ideas for future course topics? If so, please list them along with any known subject matter experts we might contact to develop the course:

Customer Experience

5. Please rate your overall experience with Western CPE:

Unsatisfactory | Improvement Needed | Meets Expectations | Exceeds Expectations | Exceptional

If you interacted with our Customer Service team, please rate the quality of service you received.

O O O O O

If you purchased your course online, please rate the quality of your e-commerce experience.

O O O O O

“My Account” information includes the tools necessary to access courses and track those completed.

O O O O O

6. Please indicate the likelihood of your purchasing the listed course formats from Western CPE:

Not at all | Not very likely | Possibly | Likely | Highly Likely

Self-Study O O O O O

Webcast OnDemand O O O O O

Live Webcast O O O O O

Resort Conference or Seminar O O O O O


7. Please use the box below to provide any additional comments related to your educational experience with Western CPE.

8. If you are willing to provide a quote about this course, or Western CPE in general, that we may use in our promotional materials, please state it below. Be sure to include your name, title, city, and state.