Re: TS Security Issue



1. Good password policy.
2. VPN is fine for site-to-site connections, but a PITA for mobile users
who may be connecting from a network where VPN traffic is NOT allowed.
3. Preferred methods of further securing RDP or ICA are via SSL Gateway or
SSL VPN, and secondary authentication (if you're dealing with financials or
national security).
4. Like Jeff, I'm wondering why your ASP is complaining about password
security, when they control the hardware and can define the password policy
and acceptable connection methods (unless they're contractually obligated to
allow you to connect however you want).

Here's a pretty big list of products that can be used to further secure
terminal servers:
http://www.sessioncomputing.com/add-on.htm#security

--
Patrick Rouse
Microsoft MVP - Terminal Server
http://www.sessioncomputing.com


"Jeff Pitsch [MVP]" wrote:

I'm still confused on what they expect you to do. Since they are the ones
that own and operate the servers, they should have this already setup and
working. What do they expect you to do with THEIR servers? Are they going
to let you implement whatever you want on their servers? Seems a little
ridiculous to me that they expect you to secure their servers.

Jeff Pitsch
Microsoft MVP - Terminal Services
http://www.sbcgatekeeper.com
Your Terminal Services Security Website

"AndreZ" <shmoes@xxxxxxxxxxx> wrote in message
news:ObJdz1KPGHA.456@xxxxxxxxxxxxxxxxxxxxxxx
I guess they have a higher level of paranoia than I, maybe I'm not being
paranoid enough? I don't really know..

What do you think of the measures in place?

They have given me a suggestion (as mentioned earlier), but I felt it too
restrictive. They've also suggested the token ring password things, but I
don't believe that's a cost effective measure either..

I'm just looking for options at this point..

"Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:Xns9778DC5B5C39Fveranoesthemutforsse@xxxxxxxxxxxxxxxx
What is it they want then, smart cards, finger prints, or something
similar? If they are not satisfied, at least they should be able to
say *what* would be satisfying?
And how come that the ASP is concerned about *your* data, while you
obviously feel that your security is OK? Is it their business at
all? I'm just as confused as Jeff is.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
SQL troubleshooting: http://sql.veranoest.net
___ please respond in newsgroup, NOT by private email ___

"AndreZ" <shmoes@xxxxxxxxxxx> wrote on 28 feb 2006 in
microsoft.public.windows.terminal_services:

They're concerned not only for other clients, but for the data
they hold for us as well.. with our username/password being our
only security to the TS, someone being able to get through that
login would have access to that server automatically..

So what I've done is I've restricted login attempts to 3 for a
thirty minute lockout .. as well as set a password character
minimum .. but they don't feel that is enough..




"Jeff Pitsch [MVP]" <jeff@xxxxxxxxxxxxxxxxx> wrote in message
news:eXYPQpJPGHA.3864@xxxxxxxxxxxxxxxxxxxxxxx
I guess I'm missing something because I don't understand what the issue
is. Are they concerned about the tunnel or single users having access? Why
can't they simply segment their network so no companies can access each
other?

Jeff Pitsch
Microsoft MVP - Terminal Services
http://www.sbcgatekeeper.com
Your Terminal Services Security Website


"AndreZ" <shmoes@xxxxxxxxxxx> wrote in message
news:u2lTTmJPGHA.3264@xxxxxxxxxxxxxxxxxxxxxxx
Yes, they're giving us a site to site tunnel.. Unfortunately, getting a new
ASP is not an option, the management team has already signed agreements, as
they're also the developers of the application we will be using.


"Jeff Pitsch [MVP]" <jeff@xxxxxxxxxxxxxxxxx> wrote in message
news:%23ke46gJPGHA.3888@xxxxxxxxxxxxxxxxxxxxxxx
So let me get this straight, because they do not know how to implement a
secure network that is somehow your problem? I would seriously think about
getting a different ASP.

Or am I misunderstanding something. They are allowing you to have a site to
site VPN tunnel, correct? The ASP should easily be able to segment each
customer without any interference.

Jeff Pitsch
Microsoft MVP - Terminal Services
http://www.sbcgatekeeper.com
Your Terminal Services Security Website

"AndreZ" <shmoes@xxxxxxxxxxx> wrote in message
news:O8iiVTJPGHA.3360@xxxxxxxxxxxxxxxxxxxxxxx
Well, they claim they have security between our information and other
customer information, the problem they have is our "minimal" security
measure (as they put it) allows a user access to their network, which is a
huge security bypass. They've made a suggestion to require remote TS users
to have a VPN connection before they're allowed to TS into the server ..
effectively disallowing any direct remote connection to the TS server.. The
problem I have with that is that limits the sales reps to the computers they
have .. and they don't have the technical knowledge to setup a VPN on the
fly.



"Jeff Pitsch [MVP]" <jeff@xxxxxxxxxxxxxxxxx> wrote in
message news:%23a%233mnIPGHA.2012@xxxxxxxxxxxxxxxxxxxxxxx
Isn't the ASP in control of the security to their servers? Why aren't they
telling you how they want it done instead of leaving it up to you? I guess
I'm confused on how you're supposed to make it more secure when the servers
are on their end and in their control.

Jeff Pitsch
Microsoft MVP - Terminal Services
http://www.sbcgatekeeper.com
Your Terminal Services Security Website

"AndreZ" <shmoes@xxxxxxxxxxx> wrote in message
news:%23tUOciIPGHA.3144@xxxxxxxxxxxxxxxxxxxxxxx
Ok, so here's the deal .. we're going to be using a new application which
will be hosted by an ASP, we will have access to that ASP via a VPN
allowable from our location only. The problem the ASP has is because our
only security is username/password to log into the TS server they don't
feel that's enough protection for their existing clients.

I'm not sure really what else to do at this point to secure it.. One thing
I can think of is being able to identify the difference between a user
that's on TS on-site and a user that's on TS remotely .. then we could
possibly restrict the VPN accordingly.. I'm just not sure how it would be
done..

Or if anyone else has other ideas, I'm open to listen to anything at this
point.

Thanks.
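Worked example added to this thread (it is not code from any of the posters): it replays the 3-attempt / 30-minute lockout AndreZ set up over a constructed set of TS logon records and tags each attempt's source as on-site, site-to-site tunnel, or direct remote, which is the on-site versus remote distinction AndreZ asks about. The address ranges, usernames, timestamps and the 528/529 event-id log format are all assumptions made for the sample.

```python
# Added example (not from the thread): replay the 3-failure / 30-minute lockout AndreZ
# describes over constructed TS logon records and tag where each attempt came from.
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ONSITE_NETS = [ip_network("10.1.0.0/16")]   # assumed office LAN range
VPN_POOL = ip_network("172.16.50.0/24")     # assumed site-to-site tunnel range
LOCKOUT_THRESHOLD, LOCKOUT_DURATION = 3, timedelta(minutes=30)

# Constructed sample log: date time event-id user source-ip per line.
# Event ids follow Windows 2003: 528 = logon success, 529 = bad password.
SAMPLE_LOG = """\
2006-02-28 09:01:10 528 alice 10.1.4.22
2006-02-28 09:05:00 529 bob 203.0.113.9
2006-02-28 09:05:30 529 bob 203.0.113.9
2006-02-28 09:06:05 529 bob 203.0.113.9
2006-02-28 09:06:40 528 bob 203.0.113.9
2006-02-28 09:40:00 528 bob 172.16.50.7
2006-02-28 10:12:00 529 carol 10.1.4.31
"""

def origin(ip):
    addr = ip_address(ip)  # onsite (LAN), vpn (tunnel) or remote (anything else)
    if any(addr in net for net in ONSITE_NETS):
        return "onsite"
    return "vpn" if addr in VPN_POOL else "remote"

def audit(log):
    """Replay records in order -> (time, user, origin, verdict); simplified: no observation-window reset."""
    failures, locked_until, out = {}, {}, []
    for line in log.splitlines():
        day, clock, eid, user, ip = line.split()
        when, where = datetime.fromisoformat(f"{day} {clock}"), origin(ip)
        if when < locked_until.get(user, datetime.min):
            out.append((when, user, where, "rejected-locked"))  # even a good password fails
        elif eid == "529":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] >= LOCKOUT_THRESHOLD:
                locked_until[user], failures[user] = when + LOCKOUT_DURATION, 0
                out.append((when, user, where, "locked-out"))
            else:
                out.append((when, user, where, "failed"))
        else:
            failures[user] = 0  # a successful logon resets the counter
            out.append((when, user, where, "success"))
    return out

def remote_lockouts(results):
    """Accounts locked out by attempts from outside the LAN and the tunnel."""
    return sorted({u for _, u, w, v in results if v == "locked-out" and w == "remote"})
```

Running `audit(SAMPLE_LOG)` shows bob locked out by three direct-remote failures, his correct password rejected while the lockout is active, and the later tunnel logon succeeding once it has expired; `remote_lockouts` isolates the accounts being guessed at from outside the LAN and the tunnel.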




