Campus Wide Remote Access Policy

In response to the enforcement notice (the Notice) established by the Privacy Commissioner for Personal Data (PCPD), the Information Technology Services (ITS) of the University announces the implementation of the Campus Wide Remote Access Policy (the Policy). This initiative aims to enhance digital security and ensure compliance with the Notice.

Background

The necessity for a robust remote access policy became evident following a ransomware attack in February 2024, where the Remote Desktop Protocol (RDP) was identified as a critical vulnerability. To address this, we propose a centralized security control for remote desktop access, restricting inbound access from the internet and implementing security measures to detect and respond to potential attacks among faculties.

By implementing the Policy, we aim to achieve the following benefits:

  • Compliance with the PCPD Enforcement Notice
  • Reduction of the attack surface internally and externally
  • Unified RDP/SSH services (hereafter "RDP services") delivered in a controlled manner

Implementation Phases

The Policy will be implemented in the following phases:

Phase I: July 2025 to September 2025

  • Formulate and promote the Campus Wide Remote Access Policy for implementation across all HKU departments.
  • Prevent all campus workstations from being remotely accessed from the Internet, HKU Wi-Fi, and HKU LAN (other departments) through the use of the RDP protocol.
  • Permit RDP access via HKUVPN prior to the final effective date.
  • Require HKU members attempting to access RDP from other department LANs or HKU Wi-Fi to log in to HKUVPN before initiating RDP sessions from their workstations.

Phase II: August 2025 to December 2025

  • Consolidate desktop application requirements and special network needs for remote access connections.
  • Transition departments using general office applications to Virtual PC (VPC).
  • ITS will evaluate any special requests related to remote access and will determine whether role-based firewall rules or VPC can meet the department's needs.
  • If neither role-based firewall rules nor VPC is suitable, a Centralized Remote Access Console would be considered. Details will be provided to relevant departments.

Phase III: January 2026

  • Refrain from using HKUVPN for RDP on general PCs.
  • If the department continues to use RDP on its PCs, the security measures applicable to the University's Server Compliance will be followed.

As part of this transition, the departmental IT support team will receive a questionnaire at the beginning of August 2025. This questionnaire is intended to collect details about current and anticipated remote desktop application requirements, and other special requirements on departmental network equipment, for example Network Attached Storage (NAS). Departments are encouraged to complete and submit this information promptly to facilitate a smooth evaluation process and ensure that unique needs are addressed in the upcoming phases.

Conclusion

The Campus Wide Remote Access Policy represents a significant step towards enhancing our digital security and ensuring a safe and compliant environment for all faculties. We look forward to the successful implementation of this project and the positive impact it will have on all HKU members.

If you have any questions about the above, please feel free to contact Mr. KK Yen (kkyen@hku.hk), Mr. Kelvin Lai (kelvin.lai@hku.hk), or Mr. Harry Hwong (harryhwong@hku.hk).