TS over the internet - directly attach, or require a VPN?
(Windows XP Work Remotely newsgroup thread started by William Fields; 22 replies, last post 01-05-2006; the first ten posts follow)

#1  William Fields
Hello.

I have a customer who is having all kinds of problems w/ their current VPN connection. They're wondering if it would be acceptable to drop using the VPN altogether and just open the necessary port(s) on their firewall to allow Terminal Server connections. They do not need LAN access over the internet, just terminal server connections.

My initial reaction was "you always use a VPN, that's the secure way of doing things", but since the TS client uses an encrypted connection, doesn't that generally give enough protection against sniffing?

Comments? Obviously, I'm not a security expert...

Thanks.

--
William Fields
MCSD - Microsoft Visual FoxPro
US Bankruptcy Court
Phoenix, AZ

".dll hell - .rpm hell - whatever.
The grass is always greener"

#2  Leythos
In article <Op2aKrlAGHA.3928@tk2msftngp13.phx.gbl>, Bill_Fields@azb.uscourts.gov says...
> My initial reaction was "you always use a VPN, that's the secure way of doing things", but since the TS client uses an encrypted connection, doesn't that generally give enough protection against sniffing?
>
> Comments? Obviously, I'm not a security expert...

If you TRUST MICROSOFT to not have ANY holes in Remote Desktop, if you trust Microsoft to not have any unknown exploits, if you don't mind everyone and their brother being able to attempt an RD connection to your server, then it's fine to expose it.

As a matter of security, we install a Firewall that also acts as a VPN endpoint and then only create accounts for Users that require VPN access, and don't integrate the Firewall with the AD structure - they get one user/password for the firewall and it's not the same as their domain user/password. Once they VPN into the network, the firewall rule for their firewall user is permitted only TCP 3389 to a single IP (either the Terminal Server or their desktop in the office). We never expose the LAN directly.

--
spam999free@rrohio.com
remove 999 in order to email me
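The reply above (#2) makes the point that once TCP 3389 is exposed, anyone on the Internet can attempt an RD connection; the practical consequence is that failed RDP logons become the first signal worth watching. The block below is an added example, not code from the thread or from any poster. It assumes failed-logon records have already been exported to a simplified one-line-per-event format (constructed here; it is not a native Windows export), and it assumes the Vista/2008-era identifiers, event 4625 with logon type 10 for a failed RemoteInteractive (RDP) logon, rather than the event 529 of the thread's Windows 2003 era. It flags a source address that either bursts failures inside a short window or spreads a few attempts across many accounts (password spraying), which a single-account lockout threshold would miss.

```python
"""Flag RDP password-guessing against an exposed Terminal Server.

Consumes Windows Security failed-logon records (event 4625, logon type 10 =
RemoteInteractive, i.e. RDP) and alerts when one source address either
bursts failures inside a time window or spreads them across many accounts
(password spraying). The line format and every address below are
constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed export format (not a native Windows log format): one event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)
FAILED_LOGON = 4625       # assumed Vista+/2008+ event id; Windows 2003 used 529
RDP_LOGON_TYPE = 10       # RemoteInteractive

# Constructed sample: a burst against one account, a spray across three,
# one legitimate user typo, one console failure that is not RDP at all.
SAMPLE_LOG = """\
2006-01-05T03:00:00Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
2006-01-05T03:00:10Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
2006-01-05T03:00:15Z 4624 LogonType=10 TargetUserName=wfields IpAddress=192.0.2.5
2006-01-05T03:00:20Z 4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.77
2006-01-05T03:00:30Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
2006-01-05T03:00:40Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
2006-01-05T03:00:50Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.77
2006-01-05T03:01:00Z 4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.9
2006-01-05T03:01:10Z 4625 LogonType=10 TargetUserName=mjones IpAddress=198.51.100.9
2006-01-05T03:01:20Z 4625 LogonType=10 TargetUserName=svc_backup IpAddress=198.51.100.9
2006-01-05T03:05:00Z 4625 LogonType=10 TargetUserName=wfields IpAddress=192.0.2.5
2006-01-05T03:06:00Z 4625 LogonType=2 TargetUserName=wfields IpAddress=-
""".splitlines()


def parse(line):
    """Return the event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "event_id": int(m["eid"]),
        "logon_type": int(m["ltype"]),
        "user": m["user"].lower(),   # Windows account names are case-insensitive
        "ip": m["ip"],
    }


def detect(lines, window=timedelta(minutes=5), max_failures=5, max_accounts=3):
    """Return alerts as (kind, source_ip, detail) in the order they trigger.

    kind is "burst" (>= max_failures RDP failures from one source inside the
    window) or "spray" (>= max_accounts distinct accounts from one source
    inside the window). Each (kind, source) pair is reported once. Lines are
    expected in chronological order.
    """
    alerts, reported = [], set()
    recent = defaultdict(deque)   # source ip -> deque of (ts, user) inside window
    for line in lines:
        ev = parse(line)
        if ev is None or ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > window:       # drop events that aged out
            q.popleft()
        accounts = {u for _, u in q}
        if len(q) >= max_failures and ("burst", ev["ip"]) not in reported:
            reported.add(("burst", ev["ip"]))
            alerts.append(("burst", ev["ip"], f"{len(q)} RDP failures within {window}"))
        if len(accounts) >= max_accounts and ("spray", ev["ip"]) not in reported:
            reported.add(("spray", ev["ip"]))
            alerts.append(("spray", ev["ip"], "accounts tried: " + ", ".join(sorted(accounts))))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"{kind:5s} {ip:15s} {detail}")
```

The spray threshold is the one to tune: three accounts from one address inside five minutes is almost never a legitimate user, while the burst threshold has to sit above whatever the account-lockout policy allows or it will only ever fire after the lockout has already happened.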

#3  Jeff Pitsch
I agree. They've opened a hole directly into their internal network. Could they make a hacker's job any easier? Most times they have to go through a firewall first, but not with this company.

Jeff Pitsch
http://www.sbcgatekeeper.com
Your Terminal Services Security Website

"Leythos" <void@nowhere.lan> wrote in message news:b1Cof.193907$tD4.177811@tornado.ohiordc.rr.com... (quotes #2 in full)

#4  Steve
While some do use direct connection, I prefer going through a VPN, particularly if you can use L2TP, which can require computer certificates (from trusted Certificate Authorities) so that computers must authenticate before user credentials are even tried. VPN also allows you to use Remote Access Policies to further secure the VPN connection and decide what traffic is allowed into the network with input/output filters.

If direct connection is used, you can greatly reduce the risk by configuring the firewall to allow connections to the port used for RDP [3389 TCP is default] from only specific IP addresses, which may not be possible if users roam or do not have a static IP address. Either way, make sure that users are forced to use strong passwords.

---
Steve

"William Fields" <Bill_Fields@azb.uscourts.gov> wrote in message news:Op2aKrlAGHA.3928@tk2msftngp13.phx.gbl... (quotes #1 in full)

#5  Al Jarvi (MS-MVP Windows Networking)
In addition, for home users I both use and recommend RDP through a Secure Shell (SSH) tunnel for added security. Plus you can access multiple RDP hosts quite easily through the tunnel. Here is one way to do all of that...

http://theillustratednetwork.mvps.or...esktopSSH.html

--
Al Jarvi (MS-MVP Windows Networking)

Please post *ALL* questions and replies to the news group for the mutual benefit of all of us...
The MS-MVP Program - http://mvp.support.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights...
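The SSH-tunnel approach in #5 works by forwarding a loopback port on the client, through the SSH session, to each internal RDP host; the RDP client then connects to 127.0.0.1 on that port. The block below is an added example, not from the linked article or the poster. It plans one distinct local port per RDP host, refuses a wildcard bind address (a tunnel bound to 0.0.0.0 would be usable by anyone on the client's own LAN, re-exposing RDP on the near side of the hop), and emits the matching ssh command line and RDP targets. The gateway name and host names are assumptions.

```python
"""Plan RDP-over-SSH local port forwards for several internal hosts.

Each internal RDP host gets its own loopback port on the client; the RDP
client connects to 127.0.0.1:<port> and the session rides the SSH
connection to the gateway. Gateway and host names are assumptions.
"""

RDP_PORT = 3389
WILDCARD_BINDS = {"0.0.0.0", "::", "*", ""}


def plan_forwards(hosts, first_local_port=13389, bind="127.0.0.1"):
    """Map each internal host to a distinct (bind_address, local_port).

    A wildcard bind would let any machine on the client's own LAN use the
    tunnel, re-exposing RDP on the near side of the SSH hop, so it is refused.
    """
    if bind in WILDCARD_BINDS:
        raise ValueError("forwards must bind to loopback, not a wildcard address")
    if len(set(hosts)) != len(hosts):
        raise ValueError("duplicate host in forward list")
    return {host: (bind, first_local_port + i) for i, host in enumerate(hosts)}


def ssh_argv(gateway, forwards):
    """ssh command line: no remote shell, and fail if any forward cannot be set up."""
    argv = ["ssh", "-N", "-o", "ExitOnForwardFailure=yes"]
    for host, (bind, lport) in forwards.items():
        argv += ["-L", f"{bind}:{lport}:{host}:{RDP_PORT}"]
    return argv + [gateway]


def rdp_targets(forwards):
    """What to enter in the RDP client for each internal host."""
    return {host: f"{bind}:{lport}" for host, (bind, lport) in forwards.items()}


if __name__ == "__main__":
    fw = plan_forwards(["ts1.corp.internal", "ts2.corp.internal"])
    print(" ".join(ssh_argv("wfields@gateway.example.net", fw)))
    for host, target in rdp_targets(fw).items():
        print(f"{host:22s} -> mstsc /v:{target}")
```

With this design the only Internet-facing listener is the SSH gateway, and the gateway's own configuration decides who may open forwards at all (key-only authentication, `AllowTcpForwarding` restricted to the users who need it), so the RDP stack is never reachable from outside.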

#6  kiln
I'm totally new to this and so am liable to get confused about the issues, but the OP did state that they were *considering* dropping the VPN part of their setup, which includes a firewall. So they haven't opened up anything (because they haven't changed their current firewall/vpn config) and even if they did, they'd still have the firewall in place.

As I said I'm a newbie to the topic at hand, so I'm not even sure that what you said doesn't match the OP's question. I've read many posts by you (Jeff) where the primary message seems to be "don't ever expose your TS/LAN directly on the internet". I often can't tell exactly what you mean by that, and this response of yours makes it even more confusing. What exactly do you consider a safe TS config for use on the internet? I really want to know.

The only direct exposure I have is via TS behind a Cisco firewall that is also a VPN endpoint, with all client IP addresses known. I am hoping that there is a safe way to deploy TS on the internet that is less rigorous than that, but maybe there isn't.

In article <eCltpxmAGHA.140@TK2MSFTNGP12.phx.gbl>, jeff@sbcgatekeeper.com says...
> I agree. they've opened a hole directly into their internal network. could they make a hackers job any easier? Most times they have to go through a firewall first but not with this company.
> (quotes #2 and #1 in full)

#7  Leythos
In article <MPG.1e1395672ccf39b3989999@msnews.microsoft.com>, kiln@brick-like.com says...
> As I said I'm a newbie to the topic at hand, so I'm even not sure that what you said doesn't match the OP's question. I've read many posts by you (Jeff) where the primary message seems to be "don't ever expose your TS/LAN directly on the internet". I often can't tell exactly what you mean by that; and this response of yours makes it even more confusing. What exactly do you consider a safe TS config for use on the internet?

Any user outside of the OFFICE should FIRST connect via VPN and then access the company resources - simple answer.

What this means is that no matter where you are, you need to VPN into the office and then through the VPN tunnel you would open a Remote Desktop session to the Terminal Server (still inside the company network). This means that the ONLY exposure is through the VPN ports to the VPN device in the office.

I personally never terminate the VPNs at the Server, I terminate them at the Firewall Appliance and then have RULES that limit VPN users to specific ports/IP in the company.

--
spam999free@rrohio.com
remove 999 in order to email me

#8  kiln
Thanks for that response. What if the TS box is a dedicated unit at a web host? I.e., it's not really on a LAN, but is behind the web host's firewall. I suppose that the unit could be considered to be on the web host's LAN, but it's not a regular corporate office LAN.

I think essentially you're saying that unless I am willing to have some idiot rooting around on the TS box at will, and any LAN it's connected to, the formula should include TS properly configured, a firewall, and VPN access. Is that right?

I'm not a network person so I don't have a lot of exposure. What's interesting about this is that at the end of the day, a TS setup as you've outlined would seem to be more secure than most websites that deal with important matters (etrade, online banking etc), even if they use https etc. No public websites use vpn/ip addresses. So it makes me wonder, in my case, since there is no corporate LAN at risk, is the VPN needed? The server would contain data that is less sensitive than an online bank.

In article <ezoqf.212576$tD4.7304@tornado.ohiordc.rr.com>, void@nowhere.lan says...
> Any user outside of the OFFICE should FIRST connect via VPN and then access the company resources - simple answer.
> (remainder of #7 quoted in full)

#9  Leythos
In article <MPG.1e13c30bad53402198999a@msnews.microsoft.com>, kiln@brick-like.com says...
> I'm not a network person so I don't have a lot of exposure. What's interesting about this is that at the end of the day, a ts setup as you've outlined would seem to be more secure than most websites that deal with important matters (etrade, online banking etc), even if they use https etc. No public websites use vpn/ip addresses. So it makes me wonder, in my case, since there is no corporate lan at risk, is the vpn needed? The server would contain data that is less sensitive than an online bank.

Ask yourself this - does your connection, firewall/vpn or not, have any undisclosed or unknown holes that might allow the public to access some part of the solution that you don't want them to access?

If you can not answer the question with a NO and feel 100% sure that it's true, then you need to look at your exposure risk - what if someone gets into the system and has complete access?

Why would you host a TS box at another location and not provide any services?

--
spam999free@rrohio.com
remove 999 in order to email me

#10  kiln
Your comments confuse me, and they are in the vein of other comments here that don't make sense to me. I don't think any "connection, firewall/vpn or not" is completely safe from penetration. Maybe there are some websites etc that are completely and utterly invulnerable to attack, but I doubt it, as new exploits are always coming to light. Yet the risk/benefit ratio must be acceptable, else half of the internet would go away. I don't understand why, as far as I can tell, you and others think TS on the internet would only be acceptable if it was invulnerable to penetration? What makes it different from any web server? That's why I brought up etrade and online banks etc. There must be something behind what you're saying but I can't figure it out. It sounds like you only recommend using TS on internal LANs, unless it presents only anonymous and uninteresting data?

You also said "Why would you host a TS box at another location and not provide any services?" I don't understand that either. I think you are referring to my statement that the TS box I'm talking about would not be connected to an internal LAN, it'd be at an external web host's site. That doesn't mean it does not provide any services? Right???

In article <cgxqf.219831$tD4.37575@tornado.ohiordc.rr.com>, void@nowhere.lan says...
> Ask yourself this - does your connection, firewall/vpn or not, have any undisclosed or unknown holes that might allow the public to access some part of the solution that you don't want them to access?
> (remainder of #9 quoted in full)