Re: [fw-wiz] Too Paranoid?

From: Mark Tinberg (mtinberg@securepipe.com)
Date: 10/02/02


From: Mark Tinberg <mtinberg@securepipe.com>
To: "Paul D. Robertson" <proberts@patriot.net>
Date: Wed Oct  2 05:22:14 2002

On Sun, 29 Sep 2002, Paul D. Robertson wrote:

> Even if they tunneled well, I'd still want the thing cordoned off from my
> internal network and forced to talk nicely with the specific desktop
> clients.
>

I agree, stick the W2K server in its own network with no access to the
internal network and limited access to just the machines on the Internet
required for the service to function. I would also say that, as ActiveX is
against your policy and you are worried about the integrity of your users'
workstations, you should think about installing the client component on a
terminal server of some kind. This could be MS Terminal Services, Citrix,
VNC or more UNIX centric software like Win4Lin, VMWare or WINE/X.

The "client" machine (terminal server) can have its configuration heavily
controlled and also needs no access into the protected network. The
security risk to your internal machines then comes only through the
terminal client software itself which is more under your control. I think
that this is a good way to keep all that "special" client software and its
associated problems off of your working desktop machines where security
and configuration control are already hard enough.

-- 
Mark Tinberg <MTinberg@securepipe.com>
Network Security Engineer, SecurePipe Inc.
Remember:  Wherever you go, there you are!
Key fingerprint = AF6B 0294 EE33 D802 F7A1  38A4 CF52 5FE0 7470 E5F7
	Your daily fortune . . . 
With a gentleman I try to be a gentleman and a half, and with a fraud I
try to be a fraud and a half.
		-- Otto von Bismarck

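The zone layout above (W2K server on its own segment with egress only to the Internet hosts the service needs, the terminal server on a second segment that desktops reach over the remote-display protocol, and neither segment able to open connections into the internal network) can be written down as a flow table and rendered into a firewall ruleset. The following is an added example, not code from Mark's or Paul's posts, using nftables syntax as a modern rendering of the same idea; interface names, subnets, the service hosts (documentation-range addresses) and the ports 443 and 3389 are all assumptions for illustration.

```python
"""Render an nftables forward chain from a zone/flow table and check that the
cordoned-off segments can never initiate connections into the internal net.

Added illustrative example; every address, interface and port is assumed."""
from dataclasses import dataclass

# Zone -> (router interface, subnet). Hypothetical lab addressing.
ZONES = {
    "internal": ("eth1", "10.0.0.0/16"),
    "w2k_dmz":  ("eth2", "192.168.10.0/24"),   # the W2K server, alone
    "ts_dmz":   ("eth3", "192.168.20.0/24"),   # terminal server hosting the ActiveX client
    "internet": ("eth0", "0.0.0.0/0"),
}

# The only Internet hosts the W2K service needs (assumed, documentation range).
SERVICE_HOSTS = ("198.51.100.10", "198.51.100.11")

PROTECTED = "internal"


@dataclass(frozen=True)
class Flow:
    src: str                 # zone that initiates the connection
    dst: str                 # zone that receives it
    proto: str
    dport: int
    dst_hosts: tuple = ()    # limit to specific hosts in dst; () means whole zone


# The flows the post describes; everything else is dropped by default.
ALLOWED = (
    Flow("w2k_dmz", "internet", "tcp", 443, SERVICE_HOSTS),  # W2K -> its service hosts only
    Flow("ts_dmz", "w2k_dmz", "tcp", 443),                   # client on TS -> W2K (assumed port)
    Flow("internal", "ts_dmz", "tcp", 3389),                 # desktops -> terminal server (RDP)
)


def policy_violations(flows):
    """Return a description of each flow that breaks the segregation:
    a non-internal zone initiating into the protected network, or the W2K
    segment having unrestricted Internet egress."""
    problems = []
    for f in flows:
        if f.src != PROTECTED and f.dst == PROTECTED:
            problems.append(f"{f.src} may initiate into {PROTECTED}")
        if f.src == "w2k_dmz" and f.dst == "internet" and not f.dst_hosts:
            problems.append("w2k_dmz has unrestricted Internet egress")
    return problems


def render_nft(flows):
    """Emit an nftables forward chain: default drop, replies allowed by
    conntrack state, one accept rule per permitted new connection."""
    if policy_violations(flows):
        raise ValueError("refusing to render a ruleset that breaks segregation")
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for f in flows:
        iif, ssub = ZONES[f.src]
        oif, dsub = ZONES[f.dst]
        match = [f'iifname "{iif}"', f'oifname "{oif}"']
        if ssub != "0.0.0.0/0":
            match.append(f"ip saddr {ssub}")
        for d in (f.dst_hosts or (dsub,)):
            dmatch = list(match)
            if d != "0.0.0.0/0":
                dmatch.append(f"ip daddr {d}")
            dmatch.append(f"{f.proto} dport {f.dport} ct state new accept")
            lines.append("    " + " ".join(dmatch))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft(ALLOWED))
```

The invariant worth keeping in the check, rather than just in the rules, is that no accept rule ever names the internal-side interface as `oifname`: desktops connect out to the terminal server, replies come back via conntrack, and nothing on either DMZ segment can open a connection inward.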
