Who said anything about privately owned equipment? :-) Plus, allowing POE to run an RDP session is almost as bad as a VPN; a keylogger on the POE will allow someone to set up that session from somewhere else as well. POE for any type of remote access is inadvisable, IMO.
Open up an RDP hole to the desktops and let people bang on it for a while. You'll find out which passwords are strong and which are not. How many of the users still use Password1... My assumption is that anyone setting up a VPN in a business-level environment will know and understand the risks and configurations required to mitigate those risks. I shouldn't have to write a book here on how to set up a reasonably secure VPN solution... *********************** Charlie Kaiser [email protected] Kingman, AZ *********************** > -----Original Message----- > From: Erik Goldoff [mailto:[email protected]] > Sent: Wednesday, July 01, 2009 11:18 AM > To: NT System Admin Issues > Subject: RE: Terminal Services question > > > Wow ! I disagree completely ... Opening up VPNs to home > users' privately owned equipment, with questionable > security/infection status seems MUCH more risky than opening > RDP ports on the firewall ... > > And a 'basic MS VPN' ? You mean PPTP with clear text > password exchange ? > L2TP should be the minimum MS VPN in use today, let SSL > encrypt the login/password exchange. > > I'm really curious as to why you consider a publicly > available RDP session such a risk ? > > > Erik Goldoff > IT Consultant > Systems, Networks, & Security > > > -----Original Message----- > From: Charlie Kaiser [mailto:[email protected]] > Sent: Wednesday, July 01, 2009 2:11 PM > To: NT System Admin Issues > Subject: RE: Terminal Services question > > Set up a VPN and allow RDP to their desktops. Keep them off > the server, unless you want to set up a dedicated TS for > client access. > > While you can allow RDP through your firewall, you're opening > up some pretty big holes for people to bang on if you do. You > can lock down specific ports/IPs to your users' local IP > addys, but that's way more management than you want. Even a > basic MS VPN will be much more manageable (remote access > group, manage remote access via GP) than trying to allow > direct RDP without opening up your network. The level of VPN > config you set up will depend on your security requirements. > > If you work the VPN right, you can allow only approved > computers to connect, if that's your desire. > > *********************** > Charlie Kaiser > [email protected] > Kingman, AZ > *********************** > > > ~ Finally, powerful endpoint security that ISN'T a resource > hog! ~ ~ > <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
