I don't find implementing IPSEC troublesome, It can be easily configured from GP and CA... Encryption for user-crentials/data access can be easily achieved with this feature Microsoft has provided (Don't need to take any extra licenses)
If you are not happy with passwords, increasing the windows minimum password length might help and then in that case you can insist on users to use pass phrases... Not really sure if you want users to RDP into your windows servers.. 'cos for accessing/sharing files, RDP would not be ideal as you might end up giving access to other parts of the server (like OS, services etc) which is not the requirement here. Thought this might help as you don't need to invest anything extra... Kind regards Tima -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Harrison Sent: Tuesday, January 02, 2007 8:16 PM To: [email protected] Subject: RE: Secure Remote access - windows 2003 ------------------------------------ Authentication should be strong. Something more than a password. [ No budget for RSA securiD :-))) ] - W2K3 SP1 RDP can be configured for certificate authentication, adding server; not just client authentication to the mix. This goes a looong way toward removing the RDP MITM threat that so many have feared. Encryption for user-crentials/data access - Same answer here; with certificate auth, you also get SSL encryption of the whole session, from logon to logoff. Options considered ---------------------------------- I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy is not simple and also you require Application Mode license. - L2TP, IPSec and RDP v6 (required for cert auth) would all require changes at the client machine. All provide the additional security (and inconvenience) of limiting access to hosts configured for each protocol. IPSec and L2TP (or PPTP, for that matter) are harder to spread across clients because they all require specific configuration knowledge. RDP needs only the v6 client (KB 925876). - TS App Mode is required for more than 2 concurrent users. File copy across the RDP channel is not related to TS App Mode. The number of remote users - less than 100 - More than 3 concurrent users (including console) requires TS App Mode. Cost effective , easy to implement and easy to manage solution sought - the only management difficulty presented by App Mode is licensing and user education. Otherwise, it's "just an RDP connection" that inherits all the rights & privileges of that user account. Contrary to urban myth, adding users to the Admins group is *not* required for TS access to a machine. Jim -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of dubaisans dubai Sent: Monday, January 01, 2007 8:17 PM To: [email protected] Subject: Secure Remote access - windows 2003 I am planning to provide remote access from Internet to a windows 2003 domain controller.User-ids, NTFS permissions are all configured. The objective is file sharing and access. Files will need to be copied. The machine has valid Internet IP address and is sitting behind a Firewall. I would like to keep solution independent of Firewall.This will be accessed by roaming users. I am thinking of something like 0penssh for windows or maybe just GUI based Secure-FTP Challenges I am facing ------------------------------------ Authentication should be strong. Something more than a password. [ No budget for RSA securiD :-))) ] Encryption for user-crentials/data access Options considered ---------------------------------- I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy is not simple and also you require Application Mode license. The number of remote users - less than 100 Cost effective , easy to implement and easy to manage solution sought All mail to and from this domain is GFI-scanned.
