I agree. They've opened a hole directly into their internal network. Could
they make a hacker's job any easier? Most times they have to go through a
firewall first, but not with this company.
Jeff Pitsch
http://www.sbcgatekeeper.com
Your Terminal Services Security Website
"Leythos" <void@nowhere.lan> wrote in message
news:b1Cof.193907$tD4.177811@tornado.ohiordc.rr.com...
> In article <Op2aKrlAGHA.3928@tk2msftngp13.phx.gbl>,
> Bill_Fields@azb.uscourts.gov says...
>> Hello.
>>
>> I have a customer who is having all kinds of problems w/ their current VPN
>> connection. They're wondering if it would be acceptable to drop using the
>> VPN altogether and just open the necessary port(s) on their firewall to
>> allow Terminal Server connections. They do not need LAN access over the
>> internet, just terminal server connections.
>>
>> My initial reaction was "you always use a VPN, that's the secure way of
>> doing things", but since the TS client uses an encrypted connection, doesn't
>> that generally give enough protection against sniffing?
>>
>> Comments? Obviously, I'm not a security expert...
>
> If you TRUST MICROSOFT to not have ANY holes in Remote Desktop, if you
> trust Microsoft to not have any unknown exploits, if you don't mind
> everyone and their brother being able to attempt a RD connection to your
> server, then it's fine to expose it.
>
> As a matter of security, we install a Firewall that also acts as a VPN
> endpoint and then only create accounts for Users that require VPN
> access, and don't integrate the Firewall with the AD structure - they
> get one user/password for the firewall and it's not the same as their
> domain users/password. Once they VPN into the network, the firewall rule
> for their firewall user is permitted only TCP 3389 to a single IP
> (either the Terminal Server or their desktop in the office). We never
> expose the LAN directly.
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
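The two designs discussed in the thread, written out as an nftables forward chain (an added example, not from any poster or product mentioned above). It assumes placeholder values: WAN interface eth0, VPN tunnel interface tun0 handing out 10.8.0.0/24, a terminal server at 192.168.1.10, a user's office desktop at 192.168.1.20, and a VPN server configured to give each firewall user a fixed tunnel address so that a source address stands in for a user; the separate, non-AD firewall credentials Leythos mentions live in the VPN server's user database, not in this ruleset.

```nft
# Added example (assumed addresses and interface names, see lead-in).
table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Return traffic for connections the firewall has already allowed.
        ct state established,related accept

        # What the original poster was asked to consider: "just open the port".
        # Every host on the internet can then reach the RDP listener and try
        # credentials or any future flaw in the service. Left disabled.
        # iifname "eth0" ip daddr 192.168.1.10 tcp dport 3389 accept   # WEAK

        # Leythos's model: nothing from the WAN is forwarded into the LAN at all
        # (the drop policy covers it); a client must first authenticate to the
        # VPN, and each VPN address is allowed exactly one destination on TCP 3389.
        iifname "tun0" ip saddr 10.8.0.11 ip daddr 192.168.1.10 tcp dport 3389 accept
        iifname "tun0" ip saddr 10.8.0.12 ip daddr 192.168.1.20 tcp dport 3389 accept

        # Anything else arriving over the tunnel (other ports, other hosts,
        # lateral movement attempts) is logged so it can be reviewed, then dropped.
        iifname "tun0" log prefix "vpn-denied " drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; a connection from a VPN client to any LAN port other than its single permitted 3389 target should appear in the log with the `vpn-denied` prefix.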