privately owned equipment is a presumption on my part based on 'home' access ... Although some agencies deploy govt owned equipment, they're normally issued along with a vpn/remote access solution built in, at least with my experience with Federal govt...

Erik Goldoff
IT Consultant
Systems, Networks, & Security

-----Original Message-----
From: Charlie Kaiser [mailto:[email protected]]
Sent: Wednesday, July 01, 2009 2:41 PM
To: NT System Admin Issues
Subject: RE: Terminal Services question

Who said anything about privately owned equipment? :-)

Plus, allowing POE to run an RDP session is almost as bad as a VPN; a keylogger on the POE will allow someone to set up that session from somewhere else as well. POE for any type of remote access is inadvisable, IMO.

Open up an RDP hole to the desktops and let people bang on it for a while. You'll find out which passwords are strong and which are not. How many of the users still use Password1...

My assumption is that anyone setting up a VPN in a business-level environment will know and understand the risks and configurations required to mitigate those risks. I shouldn't have to write a book here on how to set up a reasonably secure VPN solution...

***********************
Charlie Kaiser
[email protected]
Kingman, AZ
***********************

> -----Original Message-----
> From: Erik Goldoff [mailto:[email protected]]
> Sent: Wednesday, July 01, 2009 11:18 AM
> To: NT System Admin Issues
> Subject: RE: Terminal Services question
>
> Wow ! I disagree completely ... Opening up VPNs to home users'
> privately owned equipment, with questionable security/infection status
> seems MUCH more risky than opening RDP ports on the firewall ...
>
> And a 'basic MS VPN' ? You mean PPTP with clear text password
> exchange ?
> L2TP should be the minimum MS VPN in use today, let SSL encrypt the
> login/password exchange.
>
> I'm really curious as to why you consider a publicly available RDP
> session such a risk ?
>
> Erik Goldoff
> IT Consultant
> Systems, Networks, & Security
>
> -----Original Message-----
> From: Charlie Kaiser [mailto:[email protected]]
> Sent: Wednesday, July 01, 2009 2:11 PM
> To: NT System Admin Issues
> Subject: RE: Terminal Services question
>
> Set up a VPN and allow RDP to their desktops. Keep them off the
> server, unless you want to set up a dedicated TS for client access.
>
> While you can allow RDP through your firewall, you're opening up some
> pretty big holes for people to bang on if you do. You can lock down
> specific ports/IPs to your users' local IP addys, but that's way more
> management than you want. Even a basic MS VPN will be much more
> manageable (remote access group, manage remote access via GP) than
> trying to allow direct RDP without opening up your network. The level
> of VPN config you set up will depend on your security requirements.
>
> If you work the VPN right, you can allow only approved computers to
> connect, if that's your desire.
>
> ***********************
> Charlie Kaiser
> [email protected]
> Kingman, AZ
> ***********************

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
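The check an admin would want if RDP really is exposed and "people bang on it", as an added example that is not part of this thread: count failed RDP logons (Windows Security event 4625 with logon type 10, RemoteInteractive) per source address inside a sliding window and flag sources that look like password guessing. The pipe-delimited records are a constructed, simplified rendering of exported event fields, not the real event log format.

```python
"""Flag password guessing against an exposed RDP host from failed-logon records.
Record layout (constructed for this example): timestamp|event_id|logon_type|account|source_ip
Event 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source walks through common account names in seconds,
# a legitimate user mistypes once and then succeeds, and one non-RDP failure is noise.
SAMPLE_LOG = """\
2009-07-01T14:00:01|4625|10|jsmith|203.0.113.7
2009-07-01T14:00:03|4625|10|admin|203.0.113.7
2009-07-01T14:00:04|4625|10|administrator|203.0.113.7
2009-07-01T14:00:06|4625|10|jdoe|203.0.113.7
2009-07-01T14:00:08|4625|10|backup|203.0.113.7
2009-07-01T14:00:09|4625|10|test|203.0.113.7
2009-07-01T14:02:00|4625|10|bwilson|198.51.100.22
2009-07-01T14:05:00|4624|10|bwilson|198.51.100.22
2009-07-01T14:06:00|4625|3|svc|203.0.113.7
"""


def parse(log_text):
    """Turn the pipe-delimited records into (timestamp, event_id, logon_type, account, src) tuples."""
    records = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, account, src = line.split("|")
        records.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src))
    return records


def rdp_bruteforce_sources(records, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: sorted accounts tried} for every source that produced at least
    `threshold` failed RDP logons (4625, logon type 10) within any `window`-long span."""
    failures = defaultdict(list)
    for ts, event_id, logon_type, account, src in records:
        if event_id == 4625 and logon_type == 10:
            failures[src].append((ts, account))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered failures
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = sorted({account for _, account in events})
                break
    return flagged


if __name__ == "__main__":
    for src, accounts in rdp_bruteforce_sources(parse(SAMPLE_LOG)).items():
        print(f"{src}: {len(accounts)} accounts tried: {', '.join(accounts)}")
```

The threshold and window are deliberately conservative defaults; tune them against your own 4625 volume so a single user fumbling a password does not trip the alert.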
