Re: Terminal Services over a VPN



Hi Caroll,

Exposing the TS (RDP) port directly on the internet is very risky. This
would allow anybody to spin up a session on the TS box, which takes a
significant amount of resources (CPU and memory). Also, the attack surface
exposed this way is very big.
Regarding encryption: unless you use the new SSL connection protection
available in Windows 2003 SP1 (you need to install certificates and
configure it explicitly and also configure clients to require server
authentication), the connections will be vulnerable to Man-In-the-Middle
Attacks (active attacks that allow an attacker who can alter data on the
connection between server and client to completely intercept data on the
connection). Even if you enable SSL encryption/server authentication, it
will not mitigate the Denial of Service/attack surface concerns.

Thanks,
Costin

"Carroll McAllister" <carrollmcallister.nospam@xxxxxxxxxxxxx> wrote in
message news:uveXYU5SHHA.1180@xxxxxxxxxxxxxxxxxxxxxxx
We are running Terminal Services on a Windows Server 2003 SP1 server. We
are accessing the server remotely via a VPN connection from our remote
locations.

I understand that Terminal Services itself uses encryption to secure the
connection. That being the case, do we necessarily need to use a VPN to
connect to our server?

Of course, we have a static IP address that we connect to from the remote
locations.

If, as I believe, Terminal Services uses encryption for the connection
anyway, could I simply open the appropriate port on our main office's
router/firewall to forward the TS port to our Terminal Services Server?
The reason I'm asking this is I suspect doing so would slightly improve
our connection speeds between remote location and main office, making more
efficient use of our ADSL connection. In effect, we would no longer be
encrypting the connection twice, as Terminal Services would be the only
encryption mechanism.

Of course, doing this raises the security question: How secure would a
simple TS connection be via the public Internet? We are a dental office,
and aside from the normal security concerns about conducting business over
the Internet, we have the HIPAA act (Health Information Portability and
Accountability Act) to contend with regarding security of protected
patient information.

Thanks,

-=> Carroll McAllister <=-

coming to you "almost live" from Searcy, Arkansas
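The point Costin makes about the SSL security layer can be checked from the outside. The following probe is an added example, not code from either message in this thread. It builds the X.224 Connection Request that RDP 5.2 and later clients send (MS-RDPBCGR 2.2.1.1), asks the server for PROTOCOL_SSL, and interprets the Connection Confirm (2.2.1.2): a confirm that carries no negotiation data, or that selects PROTOCOL_RDP, means the session would fall back to legacy "RDP Security", the mode with no server authentication that is open to the man-in-the-middle attack described above. The sample confirms at the bottom are constructed for the test, not captured from a real host, and the constant values are taken from the MS-RDPBCGR field definitions as I know them.

```python
"""Probe whether a Terminal Services / RDP listener will negotiate TLS.

Sends an X.224 Connection Request carrying an RDP_NEG_REQ that asks for
PROTOCOL_SSL and interprets the server's X.224 Connection Confirm.
Layouts follow MS-RDPBCGR 2.2.1.1 / 2.2.1.2 (values assumed from the spec).
"""
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
PROTOCOL_NAMES = {PROTOCOL_RDP: "RDP", PROTOCOL_SSL: "SSL", PROTOCOL_HYBRID: "HYBRID"}
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_SSL):
    """TPKT header + X.224 CR TPDU + RDP_NEG_REQ asking for requested_protocols."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: code 0xE0, DST-REF, SRC-REF, class option, then the neg request.
    x224 = struct.pack("!BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = struct.pack("!B", len(x224)) + x224             # LI = bytes after LI
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3


def parse_connection_confirm(data):
    """Describe the server's answer: selected protocol or a failure code."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 Connection Confirm")
    if struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length mismatch")
    li = data[4]
    if data[5] != 0xD0:
        raise ValueError("X.224 TPDU is not a Connection Confirm")
    neg = data[11:5 + li]  # negotiation data follows the 6 fixed CC bytes
    if not neg:
        # Pre-negotiation server: only legacy RDP Security is possible.
        return {"negotiation": False, "protocol": PROTOCOL_RDP}
    if len(neg) < 8:
        raise ValueError("truncated RDP negotiation structure")
    ntype, flags, length, value = struct.unpack("<BBHI", neg[:8])
    if length != 8:
        raise ValueError("bad negotiation structure length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"negotiation": True, "protocol": value, "flags": flags}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"negotiation": True, "failure": FAILURE_CODES.get(value, value)}
    raise ValueError("unknown negotiation type 0x%02x" % ntype)


def assess(confirm):
    """One-line verdict: would this session run without server authentication?"""
    if "failure" in confirm:
        # e.g. SSL_REQUIRED_BY_SERVER: the server insists on TLS, which is good.
        return "server refused: %s" % confirm["failure"]
    proto = confirm["protocol"]
    if proto == PROTOCOL_RDP:
        return "legacy RDP Security selected (no server authentication, MITM-exposed)"
    return "%s selected (TLS-protected transport)" % PROTOCOL_NAMES.get(proto, proto)


def probe(host, port=3389, timeout=5.0):
    """Send one request to a live host and return (confirm_dict, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_SSL))
        hdr = s.recv(4)
        total = struct.unpack("!H", hdr[2:4])[0]
        body = b""
        while len(body) < total - 4:
            chunk = s.recv(total - 4 - len(body))
            if not chunk:
                break
            body += chunk
        confirm = parse_connection_confirm(hdr + body)
        return confirm, assess(confirm)


# Constructed sample answers (not captured from a real server):
SAMPLE_LEGACY_CC = bytes.fromhex("0300000b06d00000123400")  # bare CC, no neg data
SAMPLE_SSL_CC = bytes.fromhex("030000130ed00000123400") + struct.pack(
    "<BBHI", TYPE_RDP_NEG_RSP, 0, 8, PROTOCOL_SSL)
SAMPLE_FAILURE_CC = bytes.fromhex("030000130ed00000123400") + struct.pack(
    "<BBHI", TYPE_RDP_NEG_FAILURE, 0, 8, 1)

if __name__ == "__main__":
    for name, sample in (("legacy", SAMPLE_LEGACY_CC), ("ssl", SAMPLE_SSL_CC),
                         ("failure", SAMPLE_FAILURE_CC)):
        print(name, "->", assess(parse_connection_confirm(sample)))
```

Run `probe("ts.example.invalid")` against your own server from outside the VPN: a "legacy RDP Security selected" verdict means the SSL layer is not being negotiated, and the server authentication Costin describes is not in effect, regardless of what the encryption level is set to.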

