Yes, the work I am doing is "on the side" work for a small 8 user
network.  Money is an issue, so I have to work with what they have.

They need TS support to a couple external users for non-domain PC
access.  I hesitate at VPN because the external PCs are out of my
control and could potentially cause infection of the network.  At least
with TS I can prohibit drive mapping, etc.

I have taken precautions, such as renaming administrator and forcing
more complex passwords with frequent expiration and extended last used
times.  3 attempts locks the account and needs administrator attention
for unlock.

I will look at changing the port and will also finish reading the rest
of the responses to my initial request.



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 6:02 PM
To: NT System Admin Issues
Subject: RE: Public TS - opinions?

Ben I agree with you about where the weakness lies.  Let me say it's
forums like this where we gain the most benefit from those that have
vast experience and we are able to flesh out these issues.  It's a
privilege to be a part of this group.

I understand the encryption part of things.  Encryption is just part of
the whole picture; you don't paint a picture without the paint, and
that's all it is, one color of the picture.  I was just making a case
for the use of an SSL website vs. RDP in terms of public exposure.  Same
exposure, same encryption, same problems, but we still do it for the
business need.

Remember who we are talking about, the SMB space; until an SMB solution
that does not drive a 10 person or under network over 10k for these
"add-ons" comes along, it's simply not going to happen.  They want bang
for the buck, and they surely won't sit down in a sales pitch and let you
scare them to death as to why you have to do it.  Some will, but most
surely do not.

The end point side is absolutely valid and is where I personally feel
80% of most problems are going to be in the near future, if not already.
The problem is that this has the same effect whether you are dealing with
this, a managed VPN, PPTP, IPsec, whatever the transport is.
Then typically you have HUGE holes open between networks instead of
bringing it down to just one attack surface.

Like you pointed out, Ben, there is no real 100%, but depending on the
policies in place (near non-existent in SMBs, nor will they pay for it
initially) and the budget available (hahah, SMBs hardly ever spend budget
dollars just because they may lose it the next year like Corps do), we
work to provide them something relatively secure, cost-effective, and
value-adding to their business.  As we earn trust and understanding, these
concepts are easier for them to digest since we already have a
relationship in place, but it ALWAYS comes down to dollars, never a
budget: what is leaving my wallet as a result of what you are saying, and
how is it going to put money back in to replace it or prevent against
more leaving.  Arguably the last point is where I stand my ground, but
sometimes it's not enough.

They are just different waters we navigate in the same big ocean.

Greg

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 5:34 PM
To: NT System Admin Issues
Subject: Re: Public TS - opinions?

On Tue, Apr 1, 2008 at 5:09 PM,  <[EMAIL PROTECTED]> wrote:
> Correct me if I am wrong, but isn't RDP 128 bit encrypted ...

  Gah.  Encryption isn't like horsepower.  Comparing key sizes doesn't
tell you how secure something is.  And you can't make something secure
just by sprinkling a little cryptology on it.

  In particular, the size of the session key doesn't matter when
there's no host authentication at all, and user authentication is done
via a password that's probably got about 10 to 20 bits of entropy if
you're lucky.  And is probably the user's last name if you're not.
Google "man in the middle attack" for just one scenario.

  But even then, I'd be a lot more worried about the end-points.  Most
compromises have come from the end-points, not the transport.  We're
talking about allowing connections from unknown, untrusted, arbitrary
clients.  Most of which probably already have some kind of malware on
them.  Keystroke loggers would be especially scary.  And can the
secondary channels that RDP uses for things like remote printing act
as a conduit for malware to the server?

> 6.       Token, 3rd party authentication

  Aren't two-factor authentication products also rather expensive?
Certainly more so than, say, OpenVPN, or even the IPsec stuff built
into Windows, no?

  That said, the rest of your recommendations are certainly good; I
just think that's not where the weaknesses lie.

-- Ben
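
The controls discussed in this thread (renamed Administrator, lockout after a few attempts, password age and complexity, a non-default RDP port, prohibited drive mapping, and Ben's point that the session key means little without host authentication) can be checked from the TS host itself. The script below is an added example, not code posted by anyone in the thread. It is read-only, assumes an elevated Windows PowerShell session on the Terminal Services host, and reads the standard Terminal Services registry keys and the local `net accounts` output; the "acceptable" thresholds it applies (lockout at 5 or fewer, minimum length 8, maximum age 90 days) are assumptions chosen for the example, not values from the thread.

```powershell
# Added audit example (not from the thread). Read-only; run elevated on the TS host.
# Reports each control as OK or REVIEW so the admin can see what is actually in force.

$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey    = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$findings  = @()

function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:findings += New-Object PSObject -Property @{
        Check  = $Check
        Status = $(if ($Ok) { 'OK' } else { 'REVIEW' })
        Detail = $Detail
    }
}

# Registry value that may be absent (unset = Windows default applies).
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Account policy as reported by "net accounts" (local policy; on a domain
# member the effective policy comes from the domain: use "net accounts /domain").
$netAccounts = net accounts
function Get-NetAccountsValue([string]$Label) {
    $m = $netAccounts | Select-String -Pattern ([regex]::Escape($Label) + '\s+(\S+)')
    if ($m) { @($m)[0].Matches[0].Groups[1].Value } else { $null }
}

# 1. The built-in Administrator is identified by its RID (-500), not its name,
#    so renaming it only removes the obvious username, nothing more.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'" |
           Where-Object { $_.SID -like '*-500' } | Select-Object -First 1
if ($builtin) {
    Add-Finding 'Built-in Administrator renamed' ($builtin.Name -ne 'Administrator') `
        "name='$($builtin.Name)' disabled=$($builtin.Disabled)"
} else {
    Add-Finding 'Built-in Administrator renamed' $false 'RID-500 account not found via WMI'
}

# 2. Lockout threshold: "Never" means password guessing is never throttled.
$threshold = Get-NetAccountsValue 'Lockout threshold:'
$thresholdOk = ($threshold -match '^\d+$') -and ([int]$threshold -ge 1) -and ([int]$threshold -le 5)
Add-Finding 'Lockout threshold <= 5 (assumed)' $thresholdOk `
    "threshold=$threshold duration(min)=$(Get-NetAccountsValue 'Lockout duration (minutes):')"

# 3. Password length and maximum age (thresholds are this example's assumptions).
$minLen = Get-NetAccountsValue 'Minimum password length:'
Add-Finding 'Minimum password length >= 8 (assumed)' (($minLen -match '^\d+$') -and ([int]$minLen -ge 8)) "minimum=$minLen"
$maxAge = Get-NetAccountsValue 'Maximum password age (days):'
Add-Finding 'Maximum password age <= 90 days (assumed)' (($maxAge -match '^\d+$') -and ([int]$maxAge -le 90)) "maximum=$maxAge"

# 4. Listening port: a non-default port cuts log noise from untargeted scans,
#    but is not an access control, so it is reported for information only.
$port = Get-RegValue $rdpKey 'PortNumber'
Add-Finding 'RDP port (informational)' $true "port=$port (default is 3389)"

# 5. Client drive mapping: fDisableCdm=1 either by policy or on the listener.
$cdm = Get-RegValue $policyKey 'fDisableCdm'
if ($null -eq $cdm) { $cdm = Get-RegValue $rdpKey 'fDisableCdm' }
Add-Finding 'Client drive mapping disabled' ($cdm -eq 1) "fDisableCdm=$cdm (null = not set, mapping allowed)"

# 6. Host authentication: SecurityLayer=2 (TLS) lets the client verify the
#    server certificate; UserAuthentication=1 (NLA) authenticates before a
#    session is created. Both values exist on Server 2008 and later.
$secLayer = Get-RegValue $policyKey 'SecurityLayer'
if ($null -eq $secLayer) { $secLayer = Get-RegValue $rdpKey 'SecurityLayer' }
Add-Finding 'TLS security layer (server identity verifiable)' ($secLayer -eq 2) "SecurityLayer=$secLayer (0=RDP,1=Negotiate,2=TLS)"
$nla = Get-RegValue $policyKey 'UserAuthentication'
if ($null -eq $nla) { $nla = Get-RegValue $rdpKey 'UserAuthentication' }
Add-Finding 'Network Level Authentication required' ($nla -eq 1) "UserAuthentication=$nla (null = not supported/not set)"

$findings | Select-Object Check, Status, Detail | Format-Table -AutoSize
```

The TLS check only helps if the certificate the listener presents is one the external clients trust (a self-signed default certificate still leaves the client unable to tell the real server from an impostor), and the script cannot see the state of the remote client machines, which is the part of the thread that none of these settings address.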

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!    ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm>  ~
