Re: SBS2003 - Terminal Server - RWW too many steps



Cris,

The decision to maintain them as a client is not mine to make. I really enjoy working with "at risk" clients but I must admit - generally speaking - that it can get frustrating. Especially when they do not let us do our jobs.

Anyway, this has been discussed several times and I just recently put it to paper. If they do not decide to do something in the immediate future then we will put something 'more interesting' to paper.

Anyway, Thanks!

Cary
"Cris Hanna (SBS-MVP)" <crisnospamhanna@xxxxxxxxxxxxxxxxxxxxx> wrote in message news:OYpka%23fvIHA.3384@xxxxxxxxxxxxxxxxxxxxxxx
Is the revenue from this client so important to your business that it's worth putting your business at risk?
Because when (and it is only a question of when) they get compromised for not following your recommendations, who do you think they are gonna blame?
And do you think they're gonna pay for the work you'll do to get them cleaned up, because they'll say you set it up incorrectly to begin with?

Otherwise, you put down in writing the suggestions you've made and a statement that they acknowledge and accept the risk if they fail to implement your recommendations and agree to pay all charges associated with the work required to remediate any security breach.

--
Cris Hanna [SBS-MVP]
-------------------------------------------------
Microsoft MVPs
Independent Experts (MVPs do not work for MS)
Real World Answers
---------------------------------------------------------
Please do not contact me directly regarding issues


"Cary Shultz" <cshultz@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:eMYrJnfvIHA.516@xxxxxxxxxxxxxxxxxxxxxxx
KJ,

Again, in-line...


"kj [SBS MVP]" <KevinJ.SBS@xxxxxxxxxxxxxxxxxx> wrote in message
news:OCu9y5evIHA.4876@xxxxxxxxxxxxxxxxxxxxxxx
> Cary Shultz wrote:
>> KJ,
>>
>> in-line....
>>
>>
> <snip>
>>>
>>> 1 requires you to modify the listening port and add a redirect plus
>>> breaks RWW (note that internal users will also need to use the
>>> alternate port)
>>
>> So, as I expected, this would be a poor solution and would paint us
>> in a corner for things later down the road. I would not be
>> interested in that solution.
>>
>>
>>> 2 requires the same port redirect, does not require a listening port
>>> mod and doesn't break RWW.
>>
>> This sounds like the better solution as it does not break RWW. Which, to
>> the user base, is irrelevant. But, I do not want to remove
>> that as an option for things down the road. It is the guys in Sales
>> that have the problem with RWW. The "office guys" have no problem
>> with it....
>
> Better, but imo, short of "good".
>
>>
>>> Both have the same problem with RDP exposed. If you do so, make sure
>>> passwords are strong, changed often and you should be using the
>>> newest RDP clients with policies to require them.
>>
>> You are kidding, right? This client has not changed passwords in five
>> years and will not entertain that thought. Additionally, the
>> passwords are about as weak as you can expect....and there is little
>> to no chance of that changing, either.
>
> They are the client and it is their data. If you can scare the bejebas out
> of them should it be (when it will be) compromised by hackers or
> competitors (ok, I like to use that to scare the sales and marketing
> types. it rarely happens in sbs land) you might get the owners to
> implement a decent security policy. Otherwise, hit them with all the
> scary things and ask them to sign acknowledgements of bad and unsafe
> security practices.

KJ, this is something that we have yet to implement but is going to be
implemented next week when I make the change for Terminal Service access.
Going to outline our suggestions in writing and the changes that we are
making - at their request - and going to lay out all the dangers.
Especially since they are absolutely not going to have any sort of password
security in place. This is a major concern for us but apparently not for
them. Like you said, it is their data and their network. Anyway, excellent
suggestion and something on which I have been working for the last couple of
weeks.

>> I know for a fact that they all have the latest version of the RDP
>> client because I just had all 16 of the laptops in my hands on Friday.
>>
>> As to a 'computer use policy' - we have been trying to get them to
>> implement one for the year that we have been managing them but that
>> is falling on deaf ears. But, with them that is not a surprise.
>> Unfortunately. I think, though, that we might be getting closer to
>> that. Ultimately, all we can do is consult and let them tell us what
>> they want to do. And then implement safeguards to mitigate the
>> potential side-effects of their decisions!
>
> Risk is a scary thing if it's in your face all the time. Make it so. But
> it should be their risk not yours.
> Maybe start giving them a monthly report of failed RDP logins. Ought to
> get them thinking.

Actually, that is really good advice but, unfortunately, does not work with
them. They get tired of all the things that I suggest to them that might be
"less-than...".

>
>>
>>
> <snip>
>
>>>
>
> --
> /kj
>


