What about Server 2008 Terminal Services with TS Gateway? TS Gateway REQUIRES NAP and will install a local NAP if it doesn't see NAP on the network.
Webster From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Subject: RE: Public TS - opinions? Correct me if I am wrong, but isn't RDP 128 bit encrypted, so what the main diff between that an hosting OWA or such. Either you are worried about 1. The ability to find a RDP hack which allows escalation 2. DOS on the server 3. You are worried about getting information breached during the transmission between the end users. I can see that SSL VPN or PPTP/IPSEC provides a significant layer of user security and prevents someone from banging on the server all day, but with those people who yes they exist that will not spend dollars on extra equipment; is this not good enough? 1. Long passphrases or strong passwords 2. Auto lock accounts after 5 - 10 attempts 3. Accept only 128 bit encryption 4. Prevent File transfer using RDP 5. Locking down TS with strong group policy restrictions. 6. Token, 3rd party authentication 7. Paper trail to Cover your butt and say I told you so. Many of us consultants cannot just be so dogmatic and say, this does not fit into an "ideal" security scenario so I am sorry but I cannot do work for you. As a note, we always start with the best "ideal" and then bring it down as we compete with other companies, but sometimes "ideal" just does not fit the budget. Obviously we are not going to place a server on a direct internet connection with no firewall, but there has to be a line that is more flexible for these organizations that do not have security officers, and standard policies that they will adhere to even if we wrote it for them. Greg From: Bob Fronk [mailto:[EMAIL PROTECTED] Subject: Public TS - opinions? I have a client that wants to keep a terminal server available publicly to be accessed from multiple sites where a VPN is not possible due to money and equipment constraints. The outside users just use the Remote Desktop and connect directly to the public IP. I feel this is a security risk. What is the groups opinion and what do you think is a good work around or ways to at least reduce the security problems? Bob Fronk ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~ ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
