To allow terminal server to work you need to open up one port in.
Terminal server gives you the same functionality as an NT workstation (well,
server actually) on your internal network. Think of it as a GUI multi-user
system, like say x-windows on a unix box.
Telnet is installed by default on NT workstation/server, but can obviously
be uninstalled.

If the dialup is on one interface on the firewall and assuming the rest of
the world is on another interface, then it is only the people who can
authenticate ok against the dialup that are of a security concern. Do you
have some details on what you are using there? Some people on the list may
be able to comment on the suitability of the product.

If you can define what is required to be accessed remotely, then there may
be better, more secure ways to implement it rather than TS.

regards
dean cunningham



> ----------
> From:         [EMAIL PROTECTED][SMTP:[EMAIL PROTECTED]]
> Reply To:     [EMAIL PROTECTED]
> Sent:         Saturday, 8 July 2000 10:24 AM
> To:   ''Fw-1-Mailinglist (E-mail)'
> Subject:      RE: [FW1] Microsoft Terminal Server Concerns
> 
> 
> I probably should have been clearer, the dialup is on an interface of the
> firewall.  To allow Terminal Server access, I would have to allow it
> through the firewall.
> 
> I guess I was thinking of concerns that the firewall no longer controlled
> what people were allowed to do and that that responsibility would now fall
> on the Terminal Server machine.  Now I don't know a lot about Terminal
> Server, but, as I understand it, if the Terminal Server machine allowed a
> user to access other machines/applications/etc in your network, then there
> might be a concern as to the size of hole you have opened.
> 
> I guess what I envision is: say the Terminal Server allowed you to telnet
> to other servers (I don't know if TS can allow telnet or not), since I don't
> allow anyone to telnet in from a dialup connection, TS has now become a
> security threat since the firewall rules have basically been bypassed.
> 
> 
> -----Original Message-----
> From: Kevin Lundy [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 07, 2000 4:42 PM
> To: Tucker, Greg; ''Fw-1-Mailinglist (E-mail)'
> Subject: RE: [FW1] Microsoft Terminal Server Concerns
> 
> 
> Well actually this is not much of a FW1 concern - but a general network
> security concern.  Do you want to allow dialup access into your network,
> behind your firewall?  If so, are you willing to risk your network security
> on MS authentication?
> 
> The dial up is basically a back door around your firewall.
> 
> Depending on what you need to accomplish with the TS, I would suggest at
> least putting it in a DMZ.  Even better to make it a standalone system
> (ie, not a domain member).  But that probably would defeat the purpose of
> the request.
> 
> > -----Original Message-----
> > From:       [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> > Sent:       Friday, July 07, 2000 5:16 PM
> > To: ''Fw-1-Mailinglist (E-mail)'
> > Subject:    RE: [FW1] Microsoft Terminal Server Concerns
> >
> > I hate to make assumptions, but can I assume that since no one responded
> > to this, that nobody has any concerns???
> >
> >     -----Original Message-----
> >     From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > Tucker, Greg
> >     Sent: Wednesday, July 05, 2000 1:58 PM
> >     To: ''Fw-1-Mailinglist (E-mail)'
> >     Subject: [FW1] Microsoft Terminal Server Concerns
> >
> >
> >     I've had a request to allow dial-up access to Microsoft Terminal
> >     Server.
> >
> >     Can anyone list concerns, or point me to a site that discusses what
> >     security issues to be concerned about when allowing this capability?
> >
> >     Thanks.
> >
> 
> 
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================
> 
***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

