Re: [fw-wiz] terminal services

From: Duncan Sharp (
Date: 01/28/03

From: Duncan Sharp <>
Date: Tue Jan 28 17:13:01 2003 wrote:

> Greetings,
> I am being asked to open port 3389 on our Corporate firewall and direct incoming traffic on that port to a specific IP on our internal network. Being the paranoid that I am, I do not want to do this but I need better reasons/ammunition other than saying "it would be bad". I am looking for pointers to information hopefully in support of my fear of M$ security. Also, the more recent the information the better.

More information is certainly needed;

a: Can the target server be isolated from other hosts? Extranet
b: Will this server have a separated Active Directory server?
c: What applications are needed by external users?
d: What applications are needed by internal users (admins)?
e: Can the MS host administrators manage the separation of these different users?
f: Is this just the only host, or are there more to come?
g: Do you have a VPN? Maybe this is the time to propose one.
h: Does someone have the responsibility to review Event log files on this host?

> Not being close minded, I would also be interested in seeing any information which would make me feel warm and fuzzy about opening the port.

There is a ASP that offers its custom application via Terminal Services to businesses
across the Internet. No special IPs are blocked, but most ports are blocked. But more
importantly the systems are very much hardened, and account management is
very tightly controlled, and user access to any host application is restricted. It works
but it takes both network security and host security to work together to keep it

My comfort level was not that high.

> __________________________________________________________________
> The NEW Netscape 7.0 browser is now available. Upgrade now!
> Get your own FREE, personal Netscape Mail account today at
> _______________________________________________
> firewall-wizards mailing list