Re: SBS2003 and Terminal Services....
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 02/20/05
- In reply to: Per W.: "Re: SBS2003 and Terminal Services...."
Date: Sun, 20 Feb 2005 15:14:18 -0800
SA loads so low in the TCP stack to not be an issue and protects the box
before the gunk hits there [Steve Riley/Jesper Johansson, Protecting
your Windows Network, Addison Wesley, Preorder now]
I'm NOT whacking off the Enhanced IE protection on a server and allowing
someone to surf like they need to do on IE and get that Domain
controller whacked by malware.
It's not more money dude.... geez we ASKED Microsoft to be more secure
and then you guys want insecurity back. Nice going how much you care
about the security of your clients.
AND EXCUSE ME this is a family newsgroup and mind your language.
Here is the listing of recommended steps to lock down a TS box:
1. Apply the Notssid.inf security template to TS running permissions
compatible with TS users.
2. Use the AppSec tool to limit which applications can be executed.
3. Do not enable remote control.
4. Do not enable application server mode on a domain controller.
To connect to a terminal server from the network, users must have the
Log On Locally user right assigned. If you implement application server
mode on a domain controller, nonadministrators must be assigned the Log
On Locally user right at the domain controller. Because this user right
is typically assigned in Group Policy, it enables users to log on at the
console of any domain controller in the domain, greatly reducing security.
5. Implement the strongest available form of encryption between the TS
client and server.
6. Choose the correct mode for your TS deployment [if you only need
remote administration, then only deploy that]
7. Install the latest service pack and security updates.
Don't want to do #1, nor #2, on our SBS boxes, and we clearly are in
violation of #4.
Page 393-394 Security Resource Kit.
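
The exposure described under item 4 (Log On Locally granted to nonadministrators, reaching every domain controller) can be checked from a `secedit /export` of a DC's security policy. The Python below is an added example, not part of the original post or the Security Resource Kit; the sample export and the choice of which SIDs count as "broad" are constructed assumptions.

```python
# Added example: list broad (nonadministrator) principals that hold
# "Log On Locally" (SeInteractiveLogonRight) in a secedit export.
# Real exports are UTF-16 files: open(path, encoding="utf-16").read()

# Assumption: well-known SIDs treated as "broad" for this check.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "Users",
    "S-1-5-32-555": "Remote Desktop Users",
}

# Constructed sample of a domain controller export (domain SID is made up).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-32-555
[Version]
signature="$CHICAGO$"
"""

def privilege_rights(inf_text):
    """Return {right name: [SIDs]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [
                p.strip().lstrip("*") for p in value.split(",") if p.strip()
            ]
    return rights

def broad_holders(inf_text, right="SeInteractiveLogonRight"):
    """Return (sid, label) pairs for broad groups holding the given right."""
    findings = []
    for sid in privilege_rights(inf_text).get(right, []):
        if sid in BROAD_SIDS:
            findings.append((sid, BROAD_SIDS[sid]))
        elif sid.startswith("S-1-5-21-") and sid.endswith("-513"):
            findings.append((sid, "Domain Users"))  # RID 513 in any domain
    return findings

if __name__ == "__main__":
    for sid, label in broad_holders(SAMPLE_EXPORT):
        print(f"Log On Locally granted to {label} ({sid})")
```

Entries that the export lists by account name instead of SID are not classified by this check and need manual review.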