On Thursday 08 February 2007 02:25, Simon James wrote:

> In the absence of this additional measure, the things a hacker would need
> to obtain or circumvent to gain access to a practice datafile are:
>
> 1. The practice router's external IP
> 2. The port of the Terminal Services service on the router
> 3. The Windows user password
> 4. The practice software database password
>
> Of these, (3) is likely to be the strongest roadblock for a determined
> hacker.
>
> My question is, does Terminal Services have any provision for more beefed
> up security natively, e.g. certificates, dongles, MAC address restriction,
> IP restrictions etc?
You have to understand the underlying problem first. You are mostly asking for authentication methods - but at least as important is protection of information in transit.

MAC address restriction is not much of a protection, since it can be spoofed even by clueless amateurs, and at the same time it might lock you out yourself (unless you use MAC spoofing too) if you need to log in from a different NIC.

Dongles for remote login purposes are little else but memory aids for complex passwords. If unsecured traffic can be intercepted, it doesn't take long to gain the information on the dongle for "men in the middle".

Under some circumstances, IP address spoofing is possible, but otherwise it offers quite reasonable authentication protection, at the cost of limiting your own login options drastically too (and requiring a static IP number from wherever you log in remotely, preventing mobile access).

However, all these methods just participate in authenticating yourself to your system - but they do nothing to protect information in transit.

Let us assume you are with a major ISP. Let us assume this ISP also provides hosting services. Depending on subnet, anybody hosting with that ISP *may* be able to switch their (hosted) NIC into promiscuous mode and listen in to all traffic - because Ethernet is a *broadcasting* protocol, where information gets *broadcasted* to all NICs in the same subnet, and only *convention* prevents those NICs to whom the packets are not addressed from listening in. This opportunity is somewhat reduced in fully switched networks, but many ISPs with hosting services still use the much cheaper hubs instead.

That means that unless your traffic is strongly encrypted, there will be plenty of people potentially able to listen to your network traffic; to capture it entirely, and decrypt it at their leisure too. And once they have done that, they will know everything about your authentication too.
Microsoft has been known to artificially cripple a number of otherwise quite decent security protocols by artificially and needlessly limiting the key space by orders of magnitude (i.e. discarding non-printable characters and converting all characters of an entered password to capitals) for the sake of a "better user experience".

I don't know what MS is using to protect their TS traffic - I will never use it anyway, UNIX systems offer such superior remote access methods - but if I were you I would check very, very carefully before I would forego a tried and proven system such as ssh tunneling.

Horst

_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
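To put a number on the "orders of magnitude" claim about password normalisation, here is an added worked example (not part of the thread, and not Microsoft's actual algorithm). It assumes exactly the two steps Horst describes, applied to a password entered as raw 8-bit bytes: characters outside printable ASCII are discarded, and the remainder is converted to capitals. The alphabet sizes, the `normalise_like_described` function and the 8-character example length are all assumptions made for the calculation.

```python
import math
import string
from typing import Iterable

# Printable ASCII 0x20..0x7E: 95 characters (string.printable minus the
# five whitespace controls \t \n \r \x0b \x0c; the space character stays).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Every value an 8-bit byte can take, treated as one candidate character.
ALL_BYTES = {chr(i) for i in range(256)}


def normalise_like_described(password: str) -> str:
    """Assumed normalisation: drop non-printable characters, then upper-case.

    This is an illustration of the two steps named in the mail, not a model
    of any particular product's password handling.
    """
    return "".join(c for c in password if c in PRINTABLE).upper()


def effective_alphabet_size(alphabet: Iterable[str]) -> int:
    """Distinct single-character values that survive normalisation.

    Lower-case letters collapse onto their capitals and non-printable
    characters vanish entirely, so the attacker only has to try what is left.
    """
    survivors = {normalise_like_described(c) for c in alphabet}
    survivors.discard("")  # characters that were discarded outright
    return len(survivors)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Size of the key space for `length` independent characters, in bits."""
    return length * math.log2(alphabet_size)


def reduction_factor(length: int) -> float:
    """How many times smaller the key space becomes after normalisation,
    comparing raw bytes (256 values per position) with the surviving set."""
    full_bits = keyspace_bits(256, length)
    reduced_bits = keyspace_bits(effective_alphabet_size(ALL_BYTES), length)
    return 2 ** (full_bits - reduced_bits)


def case_collisions(password: str) -> int:
    """Number of distinct passwords (differing only in letter case) that
    normalise to the same value as `password`: 2 per surviving letter."""
    letters = sum(1 for c in normalise_like_described(password) if c.isalpha())
    return 2 ** letters


if __name__ == "__main__":
    n = effective_alphabet_size(ALL_BYTES)
    print(f"characters surviving normalisation: {n} of 256")
    for length in (8, 12):
        print(f"{length} chars: {keyspace_bits(256, length):.1f} bits -> "
              f"{keyspace_bits(n, length):.1f} bits, "
              f"key space shrinks {reduction_factor(length):,.0f}x")
    print("'Secret!\\x01' normalises to", repr(normalise_like_described("Secret!\x01")),
          "shared with", case_collisions("Secret!"), "case variants")
```

For an eight-character password the surviving alphabet is 69 characters (26 capitals, 10 digits, 33 symbols including space), so the key space drops from 64 bits to about 49 bits, roughly a 36,000-fold reduction before an attacker has guessed anything. The `case_collisions` figure shows the same effect from the other side: every mixed-case variant of a password verifies identically, which is why the quoted assessment that the Windows password is "the strongest roadblock" only holds if the system actually keeps the full entered key space.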
