> -----Original Message-----
> From: Sean Faust [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 04, 2001 2:31 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Xtreme Security
> 
> 
> I certainly hope that if I am ever brain dead and screw up like that you
> guys don't latch on to it.
> 
> 
> Question:  Rather stupid but I must ask:  Giving a Win2k server a public
> address and running terminal server on it.  How dangerous will it be to not
> put it behind a firewall?

Well, it'll depend on what else is running on that server :-). Win2K
installs a lot of things by default, and some (haha) may be
exploitable.

That said, a packet filtering firewall doesn't do anything to improve
the security of the terminal services. Once you open up 3389 for RDP,
anything that can be exploited via 3389 or the desktop session will be
open anyways. All the packet filtering does is protect you against
exploits against other services you may be running (and if you just
did the default install of win2k, you're probably running a bunch.)

And as far as I know, there is no application proxy for Win2K terminal
services. Using a generic plug will simply allow all data to be sent
forth without checking it, so you get little benefit there.

Now, a bigger danger is probably putting the Win2K terminal server on
a shared segment with internal servers and workstations. And of
course, the biggest danger lies in not adequately protecting against
the users of your terminal servers doing nasty things. Many
vulnerabilities which you might disregard in a single user environment
because they require that the user log in locally to exploit become
huge risks in a multi-user server, where all users have that right.

Henry
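
Added example, not part of the original message: a small Python audit that parses Windows `netstat -an` output and compares which listening TCP ports are reachable with no packet filter versus a filter that allows only 3389. The netstat sample, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -an` output (not from the original post).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    203.0.113.10:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.10:3389      198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def listening_tcp(netstat_text):
    """Return sorted (address, port) pairs for TCP sockets in LISTENING state."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Listener rows have exactly: Proto, Local, Foreign, State.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        listeners.add((addr.strip("[]"), int(port)))
    return sorted(listeners)

def reachable(listeners, allowed_ports=None):
    """Ports reachable from outside; allowed_ports=None models no packet filter."""
    exposed = set()
    for addr, port in listeners:
        if ipaddress.ip_address(addr).is_loopback:
            continue  # bound to loopback only, never reachable remotely
        if allowed_ports is None or port in allowed_ports:
            exposed.add(port)
    return sorted(exposed)

def compare(netstat_text, allowed_ports):
    """Show what the filter shields and what stays exposed regardless."""
    listeners = listening_tcp(netstat_text)
    unfiltered = reachable(listeners)
    filtered = reachable(listeners, allowed_ports)
    shielded = sorted(set(unfiltered) - set(filtered))
    return {"unfiltered": unfiltered, "filtered": filtered, "shielded": shielded}

if __name__ == "__main__":
    for key, ports in compare(SAMPLE_NETSTAT, {3389}).items():
        print(f"{key:>10}: {ports}")
```

Port 3389 appears in both the unfiltered and filtered results; only the other default listeners move to the shielded list.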