VPN doesn't have to mean "all traffic".  It can limit traffic to only port
3389, and access from TS session to home PC drives can be disabled.   In
this scenario the VPN is just an extra layer of authentication.  I would go
with L2TP/IPSEC, and that doesn't automatically require certificates; a
strong PSK for IPSEC established by CMAK (so users don't know what it is)
can be sufficient.

Your idea allows the entire world to test the password strength of users' AD
accounts.  Google "tsgrinder".  If you have strong user passwords enforced,
then it's not so bad.

Carl
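A defender-side check for the risk Carl describes (anyone on the Internet testing AD passwords against an exposed RDP listener), added here as an example and not part of the thread: it reads constructed, simplified Windows Security event lines (4625 = failed logon, logon type 10 = RemoteInteractive) and flags source addresses that pile up failures across several accounts inside a sliding window. The one-line record format, the sample addresses and the threshold are assumptions, not real event-log output.

```python
# Added example (not from the mailing-list thread): flag password guessing
# against an exposed RDP listener using constructed Windows Security records.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed format): "timestamp event_id logon_type account source_ip"
SAMPLE_LOG = """\
2009-07-01T14:00:01 4625 10 jsmith 203.0.113.7
2009-07-01T14:00:03 4625 10 jsmith 203.0.113.7
2009-07-01T14:00:05 4625 10 admin 203.0.113.7
2009-07-01T14:00:08 4625 10 bjones 203.0.113.7
2009-07-01T14:00:09 4625 10 bjones 203.0.113.7
2009-07-01T14:00:11 4625 10 admin 203.0.113.7
2009-07-01T14:05:00 4625 10 cdoe 198.51.100.4
2009-07-01T14:05:30 4624 10 cdoe 198.51.100.4
2009-07-01T15:30:00 4625 10 jsmith 198.51.100.9
"""


def parse(log_text):
    """Yield (timestamp, event_id, logon_type, account, source_ip) per record."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: (max_failures_in_window, distinct_accounts)} for sources
    whose failed RDP logons (4625, logon type 10) reach `threshold` inside `window`."""
    per_src = defaultdict(list)
    for ts, eid, ltype, account, src in sorted(parse(log_text)):
        if eid == 4625 and ltype == 10:  # only failed RemoteInteractive logons
            per_src[src].append((ts, account))
    flagged = {}
    for src, fails in per_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(src, (0, 0))[0]:
                accounts = {acct for _, acct in fails[start:end + 1]}
                flagged[src] = (count, len(accounts))
    return flagged
```

A hit spanning several accounts from one source is the spraying pattern worth alerting on; a single account failing repeatedly from one source is more often a mistyped password.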

-----Original Message-----
From: Erik Goldoff [mailto:[email protected]] 
Sent: Wednesday, July 01, 2009 2:18 PM
To: NT System Admin Issues
Subject: RE: Terminal Services question

Wow! I disagree completely ... Opening up VPNs to home users' privately
owned equipment, with questionable security/infection status, seems MUCH more
risky than opening RDP ports on the firewall ...

And a 'basic MS VPN'?  You mean PPTP with clear text password exchange?
L2TP should be the minimum MS VPN in use today; let SSL encrypt the
login/password exchange.

I'm really curious as to why you consider a publicly available RDP session
such a risk?


Erik Goldoff
IT  Consultant
Systems, Networks, & Security 


-----Original Message-----
From: Charlie Kaiser [mailto:[email protected]] 
Sent: Wednesday, July 01, 2009 2:11 PM
To: NT System Admin Issues
Subject: RE: Terminal Services question

Set up a VPN and allow RDP to their desktops. Keep them off the server,
unless you want to set up a dedicated TS for client access.

While you can allow RDP through your firewall, you're opening up some pretty
big holes for people to bang on if you do. You can lock down specific
ports/IPs to your users' local IP addys, but that's way more management than
you want. Even a basic MS VPN will be much more manageable (remote access
group, manage remote access via GP) than trying to allow direct RDP without
opening up your network. The level of VPN config you set up will depend on
your security requirements.

If you work the VPN right, you can allow only approved computers to connect,
if that's your desire.

***********************
Charlie Kaiser
[email protected]
Kingman, AZ
***********************  


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
