Old 01-05-2006, 07:15 AM
kiln
 
Re: TS over the internet - directly attach, or require a VPN?

I'm totally new to this and so am liable to get confused about the
issues, but the OP did state that they were *considering* dropping the
VPN part of their setup, which includes a firewall. So they haven't
opened up anything (because they haven't changed their current
firewall/vpn config) and even if they did, they'd still have the
firewall in place.

As I said, I'm a newbie to the topic at hand, so I'm not even sure that
what you said doesn't match the OP's question. I've read many posts by
you (Jeff) where the primary message seems to be "don't ever expose your
TS/LAN directly on the internet". I often can't tell exactly what you
mean by that, and this response of yours makes it even more confusing.
What exactly do you consider a safe TS config for use on the internet? I
really want to know. The only direct exposure I have is via TS behind a
Cisco firewall that is also a VPN endpoint, with all client IP addresses
known. I am hoping that there is a safe way to deploy TS on the internet
that is less rigorous than that, but maybe there isn't.

In article <eCltpxmAGHA.140@TK2MSFTNGP12.phx.gbl>,
jeff@sbcgatekeeper.com says...
> I agree. They've opened a hole directly into their internal network. Could
> they make a hacker's job any easier? Most times they have to go through a
> firewall first, but not with this company.
>
> Jeff Pitsch
> http://www.sbcgatekeeper.com
> Your Terminal Services Security Website
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:b1Cof.193907$tD4.177811@tornado.ohiordc.rr.com...
> > In article <Op2aKrlAGHA.3928@tk2msftngp13.phx.gbl>,
> > Bill_Fields@azb.uscourts.gov says...
> >> Hello.
> >>
> >> I have a customer who is having all kinds of problems w/ their current
> >> VPN
> >> connection. They're wondering if it would be acceptable to drop using the
> >> VPN altogether and just open the necessary port(s) on their firewall to
> >> allow Terminal Server connections. They do not need LAN access over the
> >> internet, just terminal server connections.
> >>
> >> My initial reaction was "you always use a VPN, that's the secure way of
> >> doing things", but since the TS client uses an encrypted connection,
> >> doesn't
> >> that generally give enough protection against sniffing?
> >>
> >> Comments? Obviously, I'm not a security expert...
> >
> > If you TRUST MICROSOFT to not have ANY holes in Remote Desktop, if you
> > trust Microsoft to not have any unknown exploits, if you don't mind
> > everyone and their brother being able to attempt a RD connection to your
> > server, then it's fine to expose it.
> >
> > As a matter of security, we install a Firewall that also acts as a VPN
> > endpoint and then only create accounts for Users that require VPN
> > access, and don't integrate the Firewall with the AD structure - they
> > get one user/password for the firewall and it's not the same as their
> > domain user/password. Once they VPN into the network, the firewall rule
> > for their firewall user is permitted only TCP 3389 to a single IP
> > (either the Terminal Server or their desktop in the office). We never
> > expose the LAN directly.
> >
> > --
> >
> > spam999free@rrohio.com
> > remove 999 in order to email me

>
>
>
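The access model Leythos describes in the quoted reply (a VPN endpoint with its own non-domain accounts, and, once a user is inside the tunnel, a firewall rule that permits only TCP 3389 to the one host bound to that account) can be written down as a small policy check so the intent can be verified before it is pushed to a real firewall. The following is an added illustration, not code from the thread or from any product mentioned in it; the address pool, host addresses, user names and session table are all constructed assumptions.

```python
"""Model of the VPN-then-single-host Terminal Services policy discussed in
the thread. Added illustration, not code from the forum thread; every
address, user and session below is a constructed assumption."""

import ipaddress

# Constructed: tunnel address pool the VPN endpoint hands out, the LAN, and
# the Terminal Server. A real deployment takes these from the VPN/firewall.
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")
TERMINAL_SERVER = ipaddress.ip_address("192.168.1.10")

# Firewall-local VPN accounts (deliberately NOT domain accounts), each bound
# to the single internal host it may reach on TCP 3389.
VPN_USERS = {
    "alice": TERMINAL_SERVER,
    "bob": ipaddress.ip_address("192.168.1.57"),  # bob's own office desktop
}

# Tunnel address assigned to each authenticated VPN session (constructed).
SESSIONS = {
    ipaddress.ip_address("10.99.0.11"): "alice",
    ipaddress.ip_address("10.99.0.12"): "bob",
}

RDP_PORT = 3389


def evaluate(src, dst, proto="tcp", dport=RDP_PORT):
    """Return (verdict, reason) for one new connection arriving at the firewall.

    Policy, evaluated in order:
      1. Anything not coming from the VPN pool is dropped: the LAN and the
         Terminal Server are never reachable directly from the internet.
      2. A tunnel address without an authenticated session is dropped.
      3. A VPN user may open TCP 3389 only to the host bound to their
         firewall account; every other protocol, port or destination is dropped.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if src not in VPN_POOL:
        return "drop", "not from an authenticated VPN session"
    user = SESSIONS.get(src)
    if user is None:
        return "drop", "tunnel address has no active session"
    if proto != "tcp" or dport != RDP_PORT:
        return "drop", f"{user}: only tcp/{RDP_PORT} is permitted through the tunnel"
    allowed_host = VPN_USERS[user]
    if dst != allowed_host:
        return "drop", f"{user}: {dst} is not the host bound to this account"
    return "accept", f"{user}: tcp/{RDP_PORT} to {dst}"


def audit(attempts):
    """Run a batch of (src, dst, proto, dport) tuples through the policy and
    return the list of verdicts, so a rule set can be checked as a whole."""
    return [evaluate(*attempt) for attempt in attempts]


if __name__ == "__main__":
    # Constructed sample of connection attempts, including the "just open
    # 3389 on the firewall" case the OP was considering.
    sample = [
        ("203.0.113.5", "192.168.1.10", "tcp", 3389),   # direct internet RDP
        ("10.99.0.11", "192.168.1.10", "tcp", 3389),    # alice -> TS
        ("10.99.0.11", "192.168.1.57", "tcp", 3389),    # alice -> bob's desktop
        ("10.99.0.11", "192.168.1.10", "tcp", 445),     # alice -> TS, SMB
        ("10.99.0.12", "192.168.1.57", "tcp", 3389),    # bob -> own desktop
        ("10.99.0.99", "192.168.1.10", "tcp", 3389),    # pool address, no session
    ]
    for attempt, (verdict, reason) in zip(sample, audit(sample)):
        print(f"{verdict:6} {attempt[0]:>14} -> {attempt[1]}:{attempt[3]}  ({reason})")
```

The point of keeping the model this small is that each branch maps onto one rule a firewall administrator would actually write: a default deny from the outside, a per-user VPN policy, and a single allow for tcp/3389 to one address. Checking the batch of constructed attempts shows why "just open 3389 on the firewall" (the first line of the sample) is the case the policy refuses, while the VPN users still get exactly the Terminal Services access they need.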
