Re: Remote Desktop Connection

From: Chad A. Gross [SBS MVP] (chad.gross_at_laytonflower.nospam.com)
Date: 04/26/04


Date: Mon, 26 Apr 2004 15:26:24 -0500

Hi Al -

This is a pretty decent debate. It all depends on how secure you want to be -
and what you consider an acceptable risk. By enabling TS over the internet
you expose a primary domain logon capability. One method that many of us
use is to enable VPN access into the network, then run TS over the VPN
tunnel. This can be beneficial as VPN doesn't expose a primary domain logon
like TS does.

-- 
Chad A. Gross - SBS MVP
SBS ROCKS!
www.msmvps.com/cgross
Al wrote:
> Hi - sorry to be asking so many questions tonight.
>
> I am to maintain an SBS2003 server, and have been playing and finding
> out how it all works.  I had Terminal Services switched on in my
> firewall, which allowed me to access the server from my home in the
> evening and make changes etc etc.
>
> Our consultant was in today, and recommended that it was switched off,
> as a security measure, but which stops me using RDC.
>
> Two questions
>
> Is there a security issue with Terminal Services activated, and if
> so, is there another way for me to access the server for admin duties?
>
> thanks
>
> Alex 

