Since the demise of Becta I have had lots more schools ask me if they can go ahead and remote directly into their school, bypassing our central security exchange.
The answer is still no. These are the reasons why…
1) Becta’s requirement for dual form authentication was a good idea and is a good idea. It’s not that we don’t trust you not to give out your username and/or password; it’s that even the most seasoned of IT professionals can make security errors, and with 2 forms of authentication it would take 2 catastrophic security errors to allow someone to access your school’s data.
2) We are considering RSA or USB keys to remove one prompt for username/password.
3) We want to try to encourage you to use more web-based services and to remote into your data less. This will allow us to apply more granular security policies and hopefully encourage you to adopt a single sign-on mechanism. Hosted web services should also increase the reliability of access to resources.
If you still want to go ahead and remote straight into your school, then I would recommend you do a thorough risk assessment and that the decision is approved by the school’s leadership team (I would recommend you do this anyway, even if you have dual form authentication).
If you are a technical support manager/engineer trying to make your life easier, be aware that if you open up school information to the outside world you may be charged under the Data Protection Act.