That would be great, but refer to the "but for those people (who, yes,
exist) that will not spend dollars on extra equipment, is this not good
enough?"

 

Buying the licensing for 2008 for those that already have 2003 requires
$$$ if it's a new scenario, and if dollars are available then here we go.
Also, the more complicated you make it for end users, the more management
and training on the back end has to be done.  So they have more dollars
to pay us to train them on the extra layers of protection for free
options or lower-cost options, plus the $$$ for management of such
things.  Either way it's more $$$$ out of their pocket, and many, no matter
how clever, strong, or sneaky you are, will not part with it.

 

The SMB space is truly a wholly different animal than a traditional IT shop
with dedicated man hours and a helpdesk.  I came from that world, and
it's not about what's practical and secure, it's how much money is in
the bank account and how much is leaving it.  That simple.  Not
right, just different.

 

Sorry, I think I am taking away from the point of the email, which is that Bob
is looking for alternatives.


Greg

From: Webster [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 5:17 PM
To: NT System Admin Issues
Subject: RE: Public TS - opinions?

 

What about Server 2008 Terminal Services with TS Gateway?  TS Gateway
REQUIRES NAP and will install a local NAP if it doesn't see NAP on the
network.

 

 

Webster

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Subject: RE: Public TS - opinions?

 

Correct me if I am wrong, but isn't RDP 128-bit encrypted?  So what's the
main difference between that and hosting OWA or such?  Either you are worried
about:

1. The ability to find an RDP hack which allows escalation

2. DoS on the server

3. Getting information breached during the transmission between the end
users.

 

I can see that SSL VPN or PPTP/IPsec provides a significant layer of
user security and prevents someone from banging on the server all day,
but for those people (who, yes, exist) that will not spend dollars on
extra equipment, is this not good enough?

 

1. Long passphrases or strong passwords

2. Auto-lock accounts after 5-10 attempts

3. Accept only 128-bit encryption

4. Prevent file transfer using RDP

5. Locking down TS with strong group policy restrictions

6. Token / 3rd-party authentication

7. Paper trail to cover your butt and say "I told you so."

 

Many of us consultants cannot just be so dogmatic and say, "This does not
fit into an 'ideal' security scenario, so I am sorry, but I cannot do work
for you."

As a note, we always start with the best "ideal" and then bring it down
as we compete with other companies, but sometimes "ideal" just does not
fit the budget.

Obviously we are not going to place a server on a direct internet
connection with no firewall, but there has to be a line that is more
flexible for these organizations that do not have security officers, or
standard policies that they will adhere to even if we wrote them for them.


Greg
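
An added example, not code from anyone in this thread: the checklist in the
message above turned into a script for the case Bob describes, a terminal
server sitting on a public IP with no VPN in front of it. It assumes a
Windows Server 2008 box and an elevated PowerShell session on that box
(Get-WinEvent and auditpol are not on 2003). The registry value names are
the documented Terminal Services policy and RDP-Tcp listener values; the
thresholds (14-character minimum, 5 failures, 30-minute lockout, 15/30-minute
session limits) are assumptions to adjust for the client. Items 3 and 7 go a
step further than the list: the legacy RDP security layer encrypts the
session but does not let the client verify who the server is, so the script
also turns on the TLS security layer and NLA, and it reads the failed-logon
events back so the paper trail actually shows who has been banging on the
listener.

```powershell
# Added example, not code from the thread. Applies the checklist above to a
# Windows Server 2008 terminal server reachable on a public IP, from an
# elevated PowerShell session on that server. Registry value names are the
# documented Terminal Services policy/listener values; the thresholds
# (14 chars, 5 failures, 30-minute lockout, 15/30-minute session limits)
# are assumptions to adjust for the client.

$ErrorActionPreference = 'Stop'

# Values under the Policies hive are what the matching Group Policy items
# write, and they override the per-listener settings under RDP-Tcp.
$tsPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpListen = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Long passphrases / strong passwords and 2. lockout after a few failures.
#    These write the local SAM policy; on a domain member set the same values
#    in the Default Domain Policy instead, or the domain will overwrite them.
net accounts /minpwlen:14 /maxpwage:90 /uniquepw:12
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Accept only 128-bit ("High") encryption. Also use the TLS security
#    layer so the client can check the server's certificate: the legacy RDP
#    layer encrypts the session but does not authenticate the server.
Set-DwordValue $rdpListen 'MinEncryptionLevel' 3   # 1=Low 2=ClientCompatible 3=High 4=FIPS
Set-DwordValue $rdpListen 'SecurityLayer'      2   # 0=RDP 1=Negotiate 2=TLS
# Require Network Level Authentication so credentials are checked before a
# full session is created. Clients older than RDP 6.0 cannot connect after this.
Set-DwordValue $rdpListen 'UserAuthentication' 1

# 4. Prevent file transfer over RDP: drive, clipboard, printer and port
#    redirection off for every session on this host.
foreach ($name in 'fDisableCdm', 'fDisableClip', 'fDisableCpm', 'fDisableCcm', 'fDisableLPT') {
    Set-DwordValue $tsPolicy $name 1
}

# 5. Group-policy lockdown of sessions: idle and disconnected limits (in
#    milliseconds) and one session per user, so abandoned sessions do not
#    stay alive on a public host. (Item 6, tokens, is a product choice.)
Set-DwordValue $tsPolicy 'MaxIdleTime'           (15 * 60 * 1000)
Set-DwordValue $tsPolicy 'MaxDisconnectionTime'  (30 * 60 * 1000)
Set-DwordValue $tsPolicy 'fSingleSessionPerUser' 1

# 7. Paper trail: audit failed logons, then report which addresses are
#    hammering the listener (this is what the lockout is meant to blunt).
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

function Get-FailedLogonsBySource {
    param([int]$Hours = 24, [int]$Threshold = 5)
    # 4625 = "An account failed to log on". Logon type 10 is RemoteInteractive
    # (RDP); with NLA on, failures are recorded as type 3 before a session exists.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                User      = $data['TargetUserName']
                Source    = $data['IpAddress']
                LogonType = $data['LogonType']
            }
        } |
        Group-Object Source |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count,
                      @{ n = 'Accounts'; e = { ($_.Group | Select-Object -ExpandProperty User -Unique) -join ',' } }
}

# Read the listener and policy values back, so the result can go in the
# "I told you so" file alongside the date it was applied.
function Test-RdpHardening {
    $listener = Get-ItemProperty $rdpListen
    $policy   = Get-ItemProperty $tsPolicy
    New-Object PSObject -Property @{
        HighEncryption   = ($listener.MinEncryptionLevel -ge 3)
        TlsSecurityLayer = ($listener.SecurityLayer -eq 2)
        NlaRequired      = ($listener.UserAuthentication -eq 1)
        DriveRedirOff    = ($policy.fDisableCdm -eq 1)
        ClipboardOff     = ($policy.fDisableClip -eq 1)
    }
}

Test-RdpHardening
Get-FailedLogonsBySource -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

The listener values are picked up by new connections; sessions already open
keep whatever they negotiated, so disconnect them (or restart the Terminal
Services service) after running this. Run Get-FailedLogonsBySource on a
schedule and keep its output with the client's sign-off: the per-source
counts are what show whether the lockout threshold is being hit from the
Internet, and they are the first thing to ask for when the client calls.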

 

From: Bob Fronk [mailto:[EMAIL PROTECTED] 
Subject: Public TS - opinions?

 

I have a client that wants to keep a terminal server available publicly,
to be accessed from multiple sites where a VPN is not possible due to
money and equipment constraints.  The outside users just use Remote
Desktop and connect directly to the public IP.

 

I feel this is a security risk.  

 

What is the group's opinion, and what do you think is a good workaround
or way to at least reduce the security problems?

 

Bob Fronk

 

 
