As of Monday, March 21, remote desktop access to winterm.eecs will be limited to on-campus hosts and VPN clients. To access winterm.eecs from off-campus after March 21, you will need to either use the campus VPN before connecting to winterm.eecs, or configure your Remote Desktop Connection to use the campus Remote Desktop Gateway service.
Background
It has long been best practice not to expose the Remote Desktop Protocol (RDP) to the open internet. RDP is a frequent target of attackers, who may attempt to exploit vulnerabilities in RDP itself, attempt brute-force password attacks, or use leaked or phished credentials to gain access to our network. We have previously worked to mitigate this risk by diligently patching, logging, and using the intrusion-prevention software RdpGuard.
In light of the recently revised campus Minimum Security Standards for Networked Devices (MSSND), IRIS was already planning to make this change to winterm.eecs access during the 2022 calendar year. Once off-campus clients must go through either the campus VPN or the campus RD Gateway service to connect to winterm.eecs, those connections are protected by DUO multi-factor authentication (CalNet 2-step). This greatly reduces our attack surface.
More recently, the CISA Shields Up notice re-emphasized the need to use multi-factor authentication and to protect potentially vulnerable services like RDP. So rather than delaying further, we will take action on March 21, during Spring Recess.
You may start now! You don’t need to wait until March 21 to begin using the campus VPN or the campus Remote Desktop Gateway service.
If your Berkeley CalNet account is not currently authorized to use the VPN, you will need to contact your HR representative. Those who are entered into UCPath with typical Student, Employee, or Affiliate designations should have access to install and use the campus VPN.