
Remote access security issues


RoknRole

Programmer
Feb 2, 2005
36
US
This issue may be more theoretical than technical, but it is one that I need to do some research on and I appreciate any feedback from this esteemed community. If I have posted this in an inappropriate forum, I apologize and please direct me to a more appropriate forum.

I have developed Crystal Reports for years (currently using version 10) but am new to Crystal Enterprise. My organization recently purchased Enterprise 10, and we will upgrade to version XI when the Linux version is available. With Enterprise, we will be able to distribute our reports and information to all our in-house and remote users (teleworkers). This will be a real boon for us. Our users will be able to view and print our reports (after supplying the proper login credentials of course) from anywhere via the web without having to install anything on their computer.

I have learned through a friend that a governmental agency (a county) is about to change their remote user access policies and procedures. Teleworkers there currently use a county-owned “dumb terminal” and a “Citrix connection” to connect to their network, and can print reports to a local printer attached to the “dumb terminal”. The county is changing technologies, scrapping their “dumb terminals”, and is now requiring the teleworkers to connect to the county network via the web and their own personal computers. Authentication will be controlled via an “RSA FOB”. Printing reports will not be allowed to any local printers. All report printing by the remote users must be directed to a network printer. The reason stated for this printing procedure is that if a report is printed to a local printer, and that report contains confidential information, someone after the fact could use the computer to view what was printed. Apparently, “traces of data” of what was printed will always remain on the hard drive. In fact, the county policy states that if the inevitable occurs and a report must be printed from the personal computer to a local printer, the county will physically destroy the hard drive on their personal computer after the teleworker leaves their employment. According to their policy, “this is done to protect any residual county data that may be left on the harddrive from unauthorized discloser (sic)”.

There are several issues here, one of which is requiring teleworkers from a governmental agency to use their own personal computers to conduct business. The issue I would like to research is this: If a user views and then prints a report from Crystal Enterprise, and assuming they do not save or export the report to a file and that the paper copy is properly disposed of or filed away, can somebody in the future look at or examine their computer and view the contents of the printed report? Is there a risk that an unauthorized person could see what was printed? If so, how high of a risk is this to an organization - is this something that an average person could do, or would it require specialized software or hardware, or could it only be accomplished by using data recovery specialists performing hard drive forensics (which I understand could cost several thousand dollars)?

I appreciate any comments. Thank you.
 
Not sure about Crystal Enterprise specifically, but there are many apps that work this way, Outlook Web Access being a prime example of this. Basically, it's server-side HTML presented over the web, so there really is nothing to cache on the client end except graphics.

I'm not sure how local print spools work; I suppose it might be possible there's a bit stream to be recovered, just like in my previous Novell days, when you could respool and reprint a print job using Filer. I also imagine this bit stream gets overwritten frequently as new print jobs are spooled. I could see that a specialized undelete utility would be needed.

Sounds to me like the county wants to discourage telecommuting as much as possible. At the very least, they're shifting up-front costs onto the users, but I think with their hard drive destruction policy, that's going to bite them in the end. They'll need tech time to do the destruction or at least remove the drive and send it off. I'll assume they'll also be nice and supply a new hard drive to the user. They'll need to reinstall all the user's software/data to the state it was before.

Better to identify sensitive information up front and simply deny access out of the LAN that way.
 
The new policy states "the hard drive must be removed by the employee and delivered to the county MICS department for complete destruction... The drive will NOT be returned to the employee, (and the) county will not be responsible to supply any replacements for the destroyed drive."

I would think a Wipe-Drive utility could satisfy their concerns.
 
Yep - They're trying to kill telecommuting without actually rescinding the policy. That way they can say they offer/allow it but it is essentially so impractical no one will use it. If they do, I would get a separate computer to do so.

A good drive wipe utility should be sufficient unless you're worried about the DoD getting hold of your data.

What do they do if someone loses a county-supplied notebook? Execution at dawn?

Oh, here's a thought for them - what about a home network with a shared printer hosted on another machine. That spool file goes somewhere. Didn't think of that one, did they?
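
Added example, not part of any post in this thread: a PowerShell audit for the print-spool residue discussed above. It assumes the teleworker's PC runs Windows 8 or later with the PrintManagement module (the thread does not name an operating system); the function names are hypothetical.

```powershell
# Added example: audit a Windows PC for print-spool residue.
# Run from an elevated prompt so the spool folder can be listed.

function Get-SpoolDirectory {
    # The spool folder can be relocated; the registry value wins when it is set.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
    $dir = (Get-ItemProperty -Path $key -Name DefaultSpoolDirectory `
                -ErrorAction SilentlyContinue).DefaultSpoolDirectory
    if (-not $dir) { $dir = Join-Path $env:SystemRoot 'System32\spool\PRINTERS' }
    return $dir
}

function Get-SpoolResidue {
    param([string]$Path = (Get-SpoolDirectory))
    # .SPL files hold the rendered job data; .SHD files hold the job metadata.
    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction Stop |
        Where-Object { $_.Extension -in '.spl', '.shd' } |
        Select-Object Name, Length, CreationTime, LastWriteTime
}

function Get-RetainingQueue {
    # Queues with "Keep printed documents" enabled do not delete spool files after printing.
    Get-Printer |
        Where-Object { $_.KeepPrintedJobs } |
        Select-Object Name, DriverName, PortName
}

$spoolDir = Get-SpoolDirectory
$residue  = @(Get-SpoolResidue -Path $spoolDir)
$queues   = @(Get-RetainingQueue)

"Spool directory      : $spoolDir"
"Spool files on disk  : $($residue.Count)"
$residue | Format-Table -AutoSize
"Queues keeping jobs  : $($queues.Count)"
$queues  | Format-Table -AutoSize
```

An empty result only shows that no spool file is currently allocated; the blocks of a deleted spool file stay on disk until they are overwritten, which is the case the undelete and drive-wipe comments in the thread refer to.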
 