Correct me if I am wrong, but isn't RDP 128 bit encrypted, so what the main diff between that an hosting OWA or such. Either you are worried about
1. The ability to find a RDP hack which allows escalation 2. DOS on the server 3. You are worried about getting information breached during the transmission between the end users. I can see that SSL VPN or PPTP/IPSEC provides a significant layer of user security and prevents someone from banging on the server all day, but with those people who yes they exist that will not spend dollars on extra equipment; is this not good enough? 1. Long passphrases or strong passwords 2. Auto lock accounts after 5 - 10 attempts 3. Accept only 128 bit encryption 4. Prevent File transfer using RDP 5. Locking down TS with strong group policy restrictions. 6. Token, 3rd party authentication 7. Paper trail to Cover your butt and say I told you so. Many of us consultants cannot just be so dogmatic and say, this does not fit into an "ideal" security scenario so I am sorry but I cannot do work for you. As a note, we always start with the best "ideal" and then bring it down as we compete with other companies, but sometimes "ideal" just does not fit the budget. Obviously we are not going to place a server on a direct internet connection with no firewall, but there has to be a line that is more flexible for these organizations that do not have security officers, and standard policies that they will adhere to even if we wrote it for them. Greg From: Bob Fronk [mailto:[EMAIL PROTECTED] Sent: Tuesday, April 01, 2008 4:35 PM To: NT System Admin Issues Subject: Public TS - opinions? I have a client that wants to keep a terminal server available publicly to be accessed from multiple sites where a VPN is not possible due to money and equipment constraints. The outside users just use the Remote Desktop and connect directly to the public IP. I feel this is a security risk. What is the groups opinion and what do you think is a good work around or ways to at least reduce the security problems? Bob Fronk This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Davis H. Elliot Company . Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
