Re: Publish Terminal Server on Internet



That solution is precisely as secure as your Terminal Server. If you have secure passwords and good security and patching practices, then Windows can be made to be very secure. I have my personal machine at home exposed on the internet, and I do just fine.

The only caveat with TS is that it is relatively easy for an unauthenticated user to consume server resources displaying logonUI dialogs. This is not a security threat in the normal sense, and will not result in your machine being compromised, but for a comparatively small amount of attack resources, a comparatively large amount of server resources are consumed. This issue is being addressed in Longhorn with the Network Level Authentication solution.

-- Dave

"maitakeboy" <maitakeboy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:FF07165E-2B34-4171-BFB5-1C57519343EF@xxxxxxxxxxxxxxxx
How much of a security hole is that? Of course I have only certain users
set up to be able to access the Terminal Server. Is that sufficient or am I
really asking for trouble doing it the way you suggest? I thought I could do it
that way, but was concerned about the security. Then again, I didn't want some
solution that was going to take a $5000 investment, either.

"Justin Thyme" wrote:

On your firewall create an incoming port-forwarding rule to your internal
terminal server, using port 3389 (RDP Connection).

From an XP client anywhere on the internet open the RDP Client
(Accessories->Communications->Remote Desktop Connection)

Type the address of your firewall's external interface.

That should do it.

Optional:

Change the port number for the RDP listener on your internal TS Server to
any number (i.e. 8765 or something else)

On the port forwarding rule indicate this port rather than the 3398.

On the XP RDP client type the firewall external interface address followed
by a colon, then the port number you have assigned to the port-forwarding
rule.

i.e.

132.10.10.10:8765

That should do it.
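
A read-only audit of the listener settings this thread turns on (the custom port, and whether Network Level Authentication is required before the logon screen is drawn), added here as an example and not part of any poster's message. It assumes Windows Server 2012 or later and an elevated PowerShell session; `Get-RdpListenerAudit` is a hypothetical helper name.

```powershell
# Added example: read-only audit of the RDP listener settings discussed in this thread.
# Assumes Windows Server 2012 or later and an elevated PowerShell session.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

function Get-RdpListenerAudit {   # hypothetical helper name
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    $findings = @()

    if ($ts.fDenyTSConnections -ne 0) {
        $findings += 'Remote Desktop connections are disabled (fDenyTSConnections is not 0).'
    }
    # UserAuthentication = 1 means NLA is required: the client must authenticate
    # before the server builds a session and draws the logon screen.
    if ($rdp.UserAuthentication -ne 1) {
        $findings += 'NLA is not required: unauthenticated clients can reach the logon screen.'
    }
    # SecurityLayer: 0 = RDP security layer, 1 = negotiate, 2 = SSL (TLS).
    if ($rdp.SecurityLayer -lt 2) {
        $findings += "SecurityLayer is $($rdp.SecurityLayer); 2 (SSL/TLS) gives server authentication."
    }
    # Moving off 3389 only reduces scanner noise; it is not an access control.
    if ($rdp.PortNumber -ne 3389) {
        $findings += "Listener moved to port $($rdp.PortNumber); the forwarding rule must match."
    }

    [pscustomobject]@{
        Port          = $rdp.PortNumber
        NlaRequired   = ($rdp.UserAuthentication -eq 1)
        SecurityLayer = $rdp.SecurityLayer
        Findings      = $findings
    }
}

$audit = Get-RdpListenerAudit
$audit | Format-List Port, NlaRequired, SecurityLayer
$audit.Findings | ForEach-Object { Write-Warning $_ }

# Confirm something is actually listening on the configured port.
Get-NetTCPConnection -State Listen -LocalPort $audit.Port -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```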





"Patrick Rouse" <PatrickRouse@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C87CC696-9248-4027-A2F4-AD8661DCF7CB@xxxxxxxxxxxxxxxx
> Sure. The Remote Desktop Web Connection (RDWC) is free and can be installed
> on any server with IIS. This provides a webpage to deliver the ActiveX
> Remote Desktop Client and connection configuration, i.e. which server(s) to
> connect to, screen resolution, devices enabled...
>
> It doesn't add any security past what is built-in to the terminal server
> service, but it's free. You'd have to open port 3389 to your internal
> Terminal Server, and the RDWC can be installed on a public or internal web
> server. Users connect to the RDWC on port 80, download the RDP Client (on the
> first connection) and then connect directly to the terminal server. There is
> no interaction between the IIS server and the Terminal Server, as IIS is just
> the delivery mechanism for the RDP Client.
>
> The RDWC is built into Server 2003 and can be downloaded for free on other
> versions.
>
> http://www.sessioncomputing.com/downloads.htm
>
> There are zillions of public sites to look at for examples of what can be
> done if you want to customize your page. Here's an example I found with
> Google:
>
> http://www.motorplan.net/Sito/RGN/RGN/RgNet.htm
>
> --
> Patrick Rouse
> Microsoft MVP - Terminal Server
> http://www.sessioncomputing.com
>
>
> "maitakeboy" wrote:
>
>> Thanks for the info, Patrick. Is it at all possible to do this with the
>> hardware setup I mentioned before? Buying another piece of equipment may not
>> be an option right away.
>>
>> "Patrick Rouse" wrote:
>>
>> > The simplest really secure way to do this is to put an SSL VPN in a DMZ.
>> > Vendors like AEP Networks have a really slick device w/ built-in Web
>> > Interface, support for secondary authentication, PDF Universal Printer,
>> > optional load balancing... Online demo here:
>> >
>> > https://demo.netillavo.com
>> >
>> > There are lots of similar devices, but this is the one I like. You can use
>> > these with your current firewall.
>> >
>> > http://www.sessioncomputing.com/add-on.htm#security
>> >
>> > --
>> > Patrick Rouse
>> > Microsoft MVP - Terminal Server
>> > http://www.sessioncomputing.com
>> >
>> >
>> > "maitakeboy" wrote:
>> >
>> > > OK, here's a newbie question. What is the recommended way to make a
>> > > Terminal Server available over the Internet? What is the simplest, secure
>> > > way of doing this?
>> > > I presently use the Terminal server internally as we have remote sites
>> > > connected by WAN and some applications that don't run over the T1. I have
>> > > some smaller sites and individuals who are not connected to the network who
>> > > could use this function better, as opposed to a gotomyPC account, or
>> > > something like that.
>> > > I have a Netscreen 50 firewall/vpn, though I don't make any use of the vpn
>> > > capability much anymore, as it was an administrative headache.
>> > > Any help would be greatly appreciated



