We have a similar setup here.

- It simplifies FW rules (as we have well over 1000 firewalls).
- We use certificates to log in, so even if end user machines are compromised, it makes it very difficult for malware to steal credentials from the RDS box.
- Provides a central point of auditing.

Cheers
Ken

From: Richard Stovall [mailto:[email protected]]
Sent: Wednesday, 29 February 2012 9:59 AM
To: NT System Admin Issues
Subject: Re: Log on to DC directly

If the machine you're using to launch the RDP sessions is compromised, what's the point? If you trust that machine, why not just run the tools directly from it?

On Tue, Feb 28, 2012 at 8:47 PM, Ben Scott <[email protected]> wrote:

> On Tue, Feb 28, 2012 at 6:54 PM, Kurt Buff <[email protected]> wrote:
> > One other thing that I've been mulling over along with the other
> > credentials is a set of VMs on which to run them. Want to manage
> > AD/DNS/WINS/CA? RDP into this Win7 VM with the correct tools on it.
> > Want to manage AV/WSUS/other workstation stuff? Log into that Win7 VM
> > over there with those tools on it. Lather, Rinse, Repeat. Then my
> > laptop would be just another end-user station, with much reduced
> > chances of getting my elevated credentials compromised.
>
> Hmmm. Interesting idea. Definitely some advantages.
>
> You mention RDP. So does that mean a bunch of VMs running all the time on some other box somewhere? If not, why RDP? If yes, are those VMs all shared between the admin team, or are they dedicated to one body? If the former, how do we handle contention? If the latter, why not just run them on one's own end-user station?
>
> Questions posed for mulling purposes. :-)
>
> -- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
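Ken's "central point of auditing" and Richard's compromised-launch-machine concern meet in one check: a privileged account should only ever show up in an interactive or RDP logon that came from one of the designated admin VMs. The following is an added example, not code from anyone in the thread; the account names, jump-host names, subnet and the one-line 4624-style log format are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed inventory: privileged accounts and the admin VMs they may be used from.
ADMIN_ACCOUNTS = {"CORP\\ken-da", "CORP\\kurt-da"}
JUMP_HOST_NAMES = {"ADMIN-VM01", "ADMIN-VM02"}
JUMP_HOST_NETS = [ip_network("10.9.8.0/24")]
INTERACTIVE_TYPES = {2, 10}  # console (2) and RemoteInteractive/RDP (10) logons

@dataclass(frozen=True)
class Logon:
    account: str
    logon_type: int
    workstation: str
    source_ip: str

# Constructed one-line rendering of the fields an event 4624 carries.
EVENT_RE = re.compile(
    r"Account Name:\s*(?P<acct>\S+)\s+Logon Type:\s*(?P<lt>\d+)\s+"
    r"Workstation Name:\s*(?P<ws>\S+)\s+Source Network Address:\s*(?P<ip>\S+)"
)

def parse_logon(line: str) -> Optional[Logon]:
    m = EVENT_RE.search(line)
    return Logon(m["acct"], int(m["lt"]), m["ws"].upper(), m["ip"]) if m else None

def from_jump_host(logon: Logon) -> bool:
    """True only if BOTH the workstation name and the source address belong to an
    admin VM; the name alone is client-supplied, so the address must agree with it."""
    if logon.workstation not in JUMP_HOST_NAMES:
        return False
    try:
        ip = ip_address(logon.source_ip)
    except ValueError:  # "-" means the event recorded no network address
        return False
    return any(ip in net for net in JUMP_HOST_NETS)

def find_violations(lines) -> list:
    """Privileged interactive/RDP logons whose source is not a designated admin VM."""
    hits = []
    for line in lines:
        lg = parse_logon(line)
        if lg and lg.account in ADMIN_ACCOUNTS and lg.logon_type in INTERACTIVE_TYPES \
                and not from_jump_host(lg):
            hits.append(lg)
    return hits

SAMPLE = [  # constructed log lines: second and third should alert
    "Account Name: CORP\\ken-da Logon Type: 10 Workstation Name: admin-vm01 Source Network Address: 10.9.8.11",
    "Account Name: CORP\\ken-da Logon Type: 10 Workstation Name: KEN-LAPTOP Source Network Address: 10.20.5.7",
    "Account Name: CORP\\kurt-da Logon Type: 10 Workstation Name: ADMIN-VM02 Source Network Address: 192.168.1.50",
    "Account Name: CORP\\jsmith Logon Type: 2 Workstation Name: JSMITH-PC Source Network Address: -",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE):
        print(f"ALERT {v.account} from {v.workstation} ({v.source_ip}) logon type {v.logon_type}")
```

The third sample line is the case worth noticing: the workstation name claims an admin VM but the address does not, which is exactly the spoofing a name-only check would miss.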
