RE: [fw-wiz] terminal services

From: Noonan, Wesley (Wesley_Noonan@bmc.com)
Date: 01/28/03


From: "Noonan, Wesley" <Wesley_Noonan@bmc.com>
To: "'natfirewall@netscape.net'" <natfirewall@netscape.net>, firewall-wizards@honor.icsalabs.com
Date: Tue Jan 28 15:00:02 2003

I don't have time to track down the research for you, but I would point you
in the direction of comparing using a VPN as opposed to using TS. You would,
IMHO, be better served to use a VPN to establish the connection, then tunnel
TS inside that as opposed to pure TS.

To paraphrase Shrek (and I think someone else on this list), security is
like onions. There are lots of layers.

HTH

Wes Noonan, MCSE/CCNA/CCDA/NNCSS/Security+
Senior QA Rep.
BMC Software, Inc.
(713) 918-2412
wnoonan@bmc.com
http://www.bmc.com

> -----Original Message-----
> From: natfirewall@netscape.net [mailto:natfirewall@netscape.net]
> Sent: Tuesday, January 28, 2003 14:00
> To: firewall-wizards@honor.icsalabs.com
> Subject: [fw-wiz] terminal services
>
> Greetings,
>
> I am being asked to open port 3389 on our Corporate firewall and direct
> incoming traffic on that port to a specific IP on our internal network.
> Being the paranoid that I am, I do not want to do this but I need better
> reasons/ammunition other than saying "it would be bad". I am looking for
> pointers to information hopefully in support of my fear of M$ security.
> Also, the more recent the information the better.
>
> Not being close minded, I would also be interested in seeing any
> information which would make me feel warm and fuzzy about opening the
> port.
>
>
> TIA
>
>


