Campus Wide Remote Access Policy

To protect the campus network against unauthorized access and malicious lateral activities, Information Technology Services (ITS) of the University is introducing the Campus Wide Remote Access Policy (the “Policy”). The objective of this initiative is to strengthen digital security and ensure full compliance with the ordinance. 

Background

The need for a comprehensive remote access policy was underscored by a recent ransomware incident in February 2024, which exposed vulnerabilities associated with the Remote Desktop Protocol (RDP). To mitigate these risks, ITS proposes a centralized security framework for remote desktop access that will restrict inbound connections from external networks and incorporate security measures for detecting and responding to potential attacks across all faculties.

The implementation of the Policy is intended to deliver the following outcomes: 

  • Compliance with the PCPD Enforcement Notice 
  • Reduction of internal and external attack surfaces 
  • Standardization of RDP, Secure Shell (SSH) and possibly other remote access services (hereafter referred to as "remote access services") in a controlled environment

Remote Access Services of Registered Servers

A server is any network device that listens on a TCP/UDP port and is accessible to its network neighbours in order to provide services. Examples include, but are not limited to, the following:

  • Windows/Linux/AIX Servers 
  • Network Attached Storage (NAS) 
  • Firewalls 

Departments must register their servers connected to the Campus network under the University’s Server Compliance Program, and the servers must be properly managed to reduce security risks to the HKU network environment. Only registered servers may offer network services, including remote access services (e.g., RDP, SSH), within the Campus network. Any other Internet-facing services require a separate application, as external connections are otherwise denied by default.

Registered servers may be accessed remotely via the campus network (HKU WiFi, HKUVPN, or Ethernet). Server registration fees are charged per CPU core. 

Remote Access Services of Desktop PC

Please note that the recommended approach for remote work is to use Virtual PC, unless particular needs require otherwise. 

When a desktop PC is used for remote access services, it functions as a server because it accepts remote network access from other devices on the network. In such cases, the desktop PC must be registered by submitting the CF59 form according to the University’s Server Compliance Program, with the appropriate agent installed, if possible.

Upon registering as a server for remote access service, a desktop PC will be assigned a fixed IP address if it does not already have one, allowing connection via HKUVPN. 

Please note that remote access protocols such as RDP and SSH are not permitted to target desktop devices with dynamic IP addresses.

Other Network Devices in Campus Network

Please note that the Policy applies exclusively to remote access services. Other devices—such as printers, copiers, Smart TVs, door locks, or IoT devices—will not be affected unless they are utilizing remote access services. However, if any such device is used for remote access services, or provides network services as a server and is accessible to its network neighbours, compliance with the Policy, as stated above, is required. In all circumstances, an asset inventory of such network-connected devices should be kept up to date to facilitate troubleshooting and incident investigation.

Effective Date

If you are using a PC workstation for remote access services, you can continue to connect via HKUVPN until February 23rd, 2026. After this date, only registered workstations with fixed IPs will be permitted remote access via HKUVPN.

Conclusion

The Campus Wide Remote Access Policy enhances digital security and ensures compliance for all faculties. We expect a smooth rollout and positive impact for HKU members in accordance with the Policy. 

Should you have any questions on the above, please feel free to contact ITS Helpdesk (ithelp@hku.hk).