questions about vpn

Posted on 2010-01-04
Medium Priority
Last Modified: 2013-11-21
Hi all,
I have questions about a VPN connection (Cisco VPN) to my PC at work.

Knowing that I am using Windows XP at work, and I am connecting via my laptop, which is using Windows 7:
1- I found that I have to enable Remote Desktop connection on my work PC to enable connecting to it via VPN, and I want to know what the difference is between VPN and Remote Desktop in a local connection.

2- When I set the group of users who are allowed to connect remotely to my PC, I found a message that any member of the Administrators group can connect even if their names are not listed,
so I wonder, does the network domain administrator have the privilege to connect also??
I don't want anyone to connect, even the network administrator; I want my local administrator login only. Even my network user I didn't put in the Administrators group, I put it in the Remote Users group.

3- I noticed something serious: when I left my computer before going home I left it locked, not logged off, and when I connected via VPN I logged off.
Next day morning I found my PC logged off.
So are my actions on my PC physically done also?
That means when I unlock my computer at work it gets physically unlocked and anyone can use it?? I don't want that to happen.
And when I end my session connecting remotely via VPN, do I have to log off or disconnect, or what action should I do to keep my computer at work exactly as I left it..

Please help me with that.
Question by:moayad25

Expert Comment

ID: 26177564
Yes, network administrators can log in, but they will have to bump off your account in order to use your computer... they will not be able to see what you have open... etc...

When you connect via RDP the computer automatically locks itself and the desktop is shared to you remotely; this does not bump the account off but just redirects where it goes....  This means people at work can't just turn on your monitor and watch what you are doing...

If you left your PC locked and came in the next day with it logged out and you did not log out, that means that someone either pulled the power to your computer... or an administrator bumped your account, either locally or via RDP... either way no one saw what you had on your computer.  You do however lose what you didn't save....

Just think of RDP as a second monitor, only one of the two can run at one time; anything you do on RDP can only be done if your computer is locked.... In order to use your computer from RDP your computer has to go into a locked mode....

This only applies for personal systems like Windows XP, Vista & 7.... Servers such as 2003 & 2008 handle RDP differently....

Author Comment

ID: 26177637
I see that you are using RDP, and I am telling you that I am using VPN, not RDP; the two concepts differ, and I asked about the difference.

And please explain to me more.
I didn't list the network administrator in the group of users who can access remotely, and to make sure I pressed the Add button, typed domain\administrator and it was listed, so if it was listed implicitly it would tell me that; for example, I had a message that any member of the network Administrators group can log in without being listed.

In addition to that, in my Administrators group I have only my local PC administrator.

I used to log in to my PC, either locally or via VPN; I put the local user name and the local PC in the domain textbox.
I don't choose the domain:
username moayad
log in to PC local

About the issue that I found:
I am telling you that I found my PC locally logged off, OK..
And when I connected via VPN it brought me the status I left my PC with: it was locked.

What I am asking now: if I unlocked my PC via VPN, no one can see that I did that locally, right?
OK, what if I logged off when I ended my session? Will it be logged off also locally?

I don't think that the administrator bumped me out, because I would see his user name in Documents and Settings, and I have a BIOS password, so anyone who turns off my computer will be stuck..

By the way, when I open the Event Viewer I can't see any logs in Security, don't know why..

Your help would be so much appreciated.

Expert Comment

ID: 26177660
VPN is only a connection to the network; it bridges the network between your computer and a remote site... that's all it does... RDP on the other hand is remote desktop, where you connect to another machine directly and control it.... with both you can pass files across an encrypted connection; with RDP you can print locally... RDP is best to use when applications which require a lot of bandwidth are used, while VPN is better for less intensive applications such as IM, E-mail, etc....

VPN just puts your computer on the network there, just as if you were to plug it in....

When I said network administrator I meant the domain administrator...

You cannot unlock your PC via VPN, since this is just a network connection and it does not have control of the computer...  If you use RDP to unlock your computer, users will not see that you are using it locally; it will just appear locked to them...  If you log off RDP then the computer will log off; however, if you just disconnect your RDP session it will remain locked and leave your files, applications etc. open in the locked state until you come into the office and unlock it, or unlock it via RDP...

Hope this clears up a few more things :-)



Author Comment

ID: 26177735
Yes, that cleared up a lot of things...

But please clear it up more...
How can the network administrator log in if he is not listed!!
I can't log in to my account on the domain if it is not listed, so how can the network administrator log in?

Second thing: how to prevent that, and how to know about it while I don't have a security log (I mean when I open it, it's empty)? Tell me a way to protect it from being erased, if it is erased by the administrator.. And if the domain admin logs in, shouldn't I get his name listed in Documents and Settings users!!

By the way, I have full privileges over my network account; I can change any settings on my computer.

Please help me with that.

Expert Comment

ID: 26177764
Is this computer part of a domain? Most networks are set up so domain administrators have the same rights over all computers as local administrators, which would mean they are an administrator... If you notice, when you lock your computer it says it can be unlocked by yourself or an administrator... If you unlock it you see the screen; if an admin unlocks it, all they see is a logging off screen and then they are back to a login menu.... A profile would not be created unless they decide to log in at that point...

If the domain admin logs in then yes, the account would be created under Documents and Settings; it is possible to remove this directory after you log off. You can clear the security log, but there would be an event from the person who cleared it.  You could also have the domain GPO set up so security logs are not created, but I don't know why a domain admin would do that...
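The two checks this answer describes, as an added example that is not part of the thread: enumerate who is actually in the local Administrators and Remote Desktop Users groups (which is where a nested Domain Admins group shows up), and look for the event Windows writes when the Security log is cleared. It assumes Windows PowerShell on the work PC, run from an elevated (local administrator) prompt.

```powershell
# Added example, not from the thread: audit who can log on to this PC and whether its Security log
# was ever cleared. Assumes Windows PowerShell on the work PC, run from an elevated (local admin) prompt.

# 1. Members of the groups that matter for remote access. On a domain-joined PC the domain's
#    "Domain Admins" group is nested in local Administrators by default, which is why a domain admin
#    can connect although no individual admin account is listed in Remote Desktop Users.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Write-Host "Members of local group '$group':"
    # net localgroup prints a six-line header, then one member per line, then a completion message
    net localgroup $group |
        Select-Object -Skip 6 |
        Where-Object { $_ -and $_ -notmatch '^The command completed' } |
        ForEach-Object { Write-Host "  $_" }
}

# 2. Clearing the Security log cannot be done silently: Windows immediately writes a new event that
#    names the account which cleared it (ID 517 on XP/2003, ID 1102 on Vista/7/2008 and later).
#    517 carries the account in "Client User Name:", 1102 in "Account Name:".
$cleared = Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
    Where-Object { @(517, 1102) -contains $_.EventID } |
    Select-Object TimeGenerated, EventID,
        @{ Name = 'ClearedBy'; Expression = {
            [regex]::Match($_.Message, '(?:Client User Name|Account Name):\s*(\S+)').Groups[1].Value } }

if ($cleared) {
    $cleared | Format-Table -AutoSize
} else {
    Write-Host 'No log-cleared event found. An empty Security log usually means auditing is not'
    Write-Host 'enabled (Local Security Policy > Audit Policy), not that the log was wiped.'
}
```

Because the log-cleared event is written after the clear, a truly empty Security log points to auditing being switched off rather than to someone covering their tracks; enable the audit categories you care about under Local Security Policy > Audit Policy and the log will start to fill.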


Author Comment

ID: 26177924
So you are saying that the profile is created when the admin really logs in, not only when they unlock; that's fine, I know it.

But why can I add the domain administrator to any group I want if he is implicitly listed, as you say?

The problem is that our administrator is not that good a person and he makes problems for users for his own benefit; he uses his administrator privileges in a bad manner, it's a long story...

But I need to prevent him from logging in to my computer (he doesn't dare to do that physically),
but I am afraid of remote activities and I want a method to make sure that he is clearing the security log..

An honest admin doesn't clear the security log ...

I want to know how that happens, and how to know who cleared the log and how to prevent clearing the log. I think if I have the log I can know all activities that happen and whether the admin logged in or not, right?

It would be appreciated too much.

Author Comment

ID: 26177938
BTW, even in the trace logs and alerts it's empty too,
and that is not fine with me...

Please make sure of the admin's ability to log in while I am not logging in to the domain.

The message you said is working with the local administrator, not the network one.

As I told you, my computer is part of a domain but I log in to the local PC..

Please ask about it and make sure, please.

Expert Comment

ID: 26180416
As long as your computer is on the domain, the domain administrator has the ability to change any settings you have by pushing down administrative overrides, group policies, etc... if you are that worried about the domain administrator taking control of your computer, I would remove the computer from the domain..

That can cause you problems accessing things, but then the domain admin will not have access to your machine.

It doesn't make a difference that you log on locally vs. log on via a domain account; as long as the computer is connected to the domain it will retrieve Group Policies from the domain....

I wouldn't be that worried about your domain admin going in via RDP; he has many other ways to check out what you have on your computer.... Since group policies are pushed down he is able to see all the files on your computer as long as you have not password protected them in a program such as MS Office...

Again, if you are this worried about your domain admin, perhaps you should look at removing your computer from the domain....

Author Comment

ID: 26197924
What group policies may be there?
I have my own access over my local policies,

and I made all required changes; the admin can't view files on a domain computer as long as they are not shared..

I am sorry, your answer is not that accurate.

Accepted Solution

ICaldwell earned 1500 total points
ID: 26199468
Every single local policy you have, there can be a group policy... Group policies on the network override your local policy every time... You may provide in your system to say the Domain Administrator cannot login to your machine but the group policy may say the domain admin does have rights... In this case the Group Policy wins every time and he is allowed in even though you said not in your local policy...

I can tell you now that the domain admin can see your files even if they are not shared, default policies on the network allow this, your overrides will not change this unless you remove the computer from the Domain...

Domains are set up to help the Domain Admin; settings are to be managed at the domain level and not the PC level...  Again, if you want security from your domain admin you need to disconnect your computer from the domain, or policies from the network will override your local ones every time...

Author Comment

ID: 26201504
Thanks a lot, but how can I see the group policy?

And if that is true..
the group policy overrides when the system is restarted,
but if I changed the local policy every time the system restarted I could be safe.
I am a programmer and I am working on a database server; how do you want me to get out of the domain? I can't access my server then..

Expert Comment

ID: 26202893
The easiest way to see the group policy is from the DC (domain controller); on the OU you can easily edit it.... From a client computer you can dig through the registry if you want; I don't think you can see it as easily as looking at the local policy.

Group policy is overriding the local computer at an interval of around 120 min, not every time the computer is reset, so if you remove group policies they will be back shortly...

Have you thought about putting a home router in between your computer and the company network?  That way you can connect to the network, etc., but your domain admin would not be able to connect to your computer; you can open up the specific ports you want, but you would have control over it...
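How to see, from the client side, which domain policies are applied to the PC and why a local change does not stick, as an added example that is not part of the thread. It assumes Windows PowerShell on the domain-joined work PC; gpresult, gpupdate and the HKLM\SOFTWARE\Policies tree are standard Windows, the surrounding script is ours.

```powershell
# Added example, not from the thread: show which domain Group Policy Objects apply to this PC
# and confirm that a local policy change is re-applied from the domain at the next refresh.
# Assumes Windows PowerShell on the domain-joined work PC, run as a local administrator.

# Resultant Set of Policy for the computer: the domain it belongs to, the GPOs applied and the
# last refresh time. XP's gpresult has no /r switch; this form works on XP and later.
gpresult /scope computer

# Settings pushed by a GPO are written under HKLM\SOFTWARE\Policies and take precedence over the
# matching local setting. The Terminal Services key is where a GPO would control Remote Desktop;
# if it is missing, no domain policy currently touches RDP on this machine.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (Test-Path $tsPolicy) {
    Write-Host "Domain policy present at $tsPolicy :"
    Get-ItemProperty $tsPolicy | Format-List
} else {
    Write-Host "No domain Remote Desktop policy at $tsPolicy"
}

# Group Policy refreshes in the background (by default every 90 minutes plus a random offset of up
# to 30 minutes), not only at reboot. Forcing a refresh shows the effect immediately: any local
# value that a GPO also sets is overwritten from the domain again here.
gpupdate /target:computer /force
gpresult /scope computer
```

Comparing the two gpresult outputs before and after a manual local-policy change is the quickest way to see which of your settings the domain actually owns.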

Author Comment

ID: 26208227
Can you explain to me how to put a router?
You mean I can bring a router and make it between my computer and the network;
then how to configure it?

Expert Comment

by:Jason Watkins
ID: 26279419

I would be very sure that placing a router on your company's network is against the usage policy, if they even have one. If that were done where I work, the user would most likely be unemployed at the end of it. So, do so at your own risk. Unsanctioned routers are removed when found and the user's connection disconnected.

Is the computer you use at work your property? If it is, then you have every right to control who can access it, and in that case I would remove it from the work domain. If the computer belongs to your employer, it is their property and their discretion as to who can use it.  The data that resides on the hard drive of your work computer is also the property of the company. IT personnel are tasked with the job of maintaining the computer equipment. Part of that job entails logging into user computers from time to time, and only when necessary. I support over 200 desktops and love it when I can do my job without having to log into each one of them, but sometimes that is not always possible. Admins do not have the time or desire to snoop on their users' activities, though I cannot speak for all.

Please don't get me wrong and take my advice the wrong way, but the IT folks are there to help you do your job. If you have security or privacy concerns talk to them about it. If you think that an IT admin is abusing his/her position, then get a little bit of evidence and go to HR. As much as my users like to think their office PC is 'theirs' it isn't. Despite the attachment, it is up to the IT department and management to shape the control of access.

I apologize for the narrative.
