Posted by Leythos on December 6, 2006, 6:19 pm
> I am working with an organization that is setting up remote user access
> to a 2003 Server system. They expect only one to two users
> simultaneously, but need a reasonable level of security. My original
> designs include the use of a VPN in front of the connection. I read a
> few articles that claim the encryption and security of the terminal
> services on 2003 are such that you don't need a VPN.
>
> For argument's sake, I will suspend my prejudicial judgement about
> letting any Microsoft service support Internet services :) Can anyone
> make a case for why setting the client encryption setting to "High" (or
> is there something better) is as good as using a VPN? Assume for
> argument's sake that I would authenticate both RSA tokens. Likewise,
> what are the arguments against hanging a terminal server out on the Net?
> Again, assume I use the available security options to configure it.
We've 16 terminal servers with different clients and NEVER expose them
directly to the internet. We use firewall appliances, set up individual
VPN accounts to the firewall, and then limit the users (RD) to TCP 3389
and the IP of the terminal server only. They can't reach anywhere else
in the network through the VPN and only on 3389. With this solution, and
other methods, we've passed all security audits.
Now, we also don't use single/AD authentication - we provide the
user/password for the firewall and then the user creates the password
for their AD account - meaning we don't use the same user name as their
Windows logon account.
We have one new client that has an exposed Windows 2000 terminal server
and they've had RD exposed for 2 years, and as far as anyone can tell
they've not been hacked - but their entire network is set up to fail (we
are rebuilding it).
Personally, I never expose a Windows server directly to the net, other
than SMTP and HTTPS.
--
spam999free@rrohio.com
remove 999 in order to email me
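The per-account VPN policy Leythos describes (each VPN user may reach TCP 3389 on one terminal server and nothing else) written out as an nftables ruleset for a Linux gateway that terminates the VPN. This is an added illustration, not configuration from the post or from any firewall appliance; the interface name `tun0`, the client pool `10.200.0.0/24`, the per-account client addresses and the terminal-server addresses are constructed placeholders, and it assumes each VPN account is handed a fixed client address.

```nft
#!/usr/sbin/nft -f
# Added example: VPN clients on tun0 may open RDP (TCP 3389) only to the
# terminal server pinned to their account; everything else is logged and dropped.
# All addresses below are constructed placeholders, not real hosts.

define vpn_if   = "tun0"
define vpn_pool = 10.200.0.0/24

table inet rdp_gateway {
    # Maps each VPN account's fixed client address to the one terminal
    # server it is allowed to reach (assumes static per-account addressing).
    set client_to_ts {
        type ipv4_addr . ipv4_addr
        elements = { 10.200.0.10 . 192.168.10.25,
                     10.200.0.11 . 192.168.10.26 }
    }

    chain forward {
        # Default deny: anything not explicitly accepted is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic of an already-accepted RDP session.
        ct state established,related accept
        ct state invalid drop

        # New RDP sessions from a VPN client, only to its own terminal server.
        iifname $vpn_if ip saddr $vpn_pool \
            ip saddr . ip daddr @client_to_ts \
            tcp dport 3389 ct state new accept

        # Everything else a VPN client attempts inside the network: log
        # (rate limited), then fall through to the drop policy.
        iifname $vpn_if limit rate 10/minute \
            log prefix "vpn-rdp-deny " counter
    }
}
```

The terminal servers themselves get no rule on the external interface, so they are reachable only through an authenticated VPN session, matching the "never expose them directly" stance in the post.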