Re: [fw-wiz] terminal services

From: Duncan Sharp (drsharp@pacbell.net)
Date: 01/28/03


From: Duncan Sharp <drsharp@pacbell.net>
To: natfirewall@netscape.net
Date: Tue Jan 28 17:13:01 2003

natfirewall@netscape.net wrote:

> Greetings,
>
> I am being asked to open port 3389 on our Corporate firewall and direct incoming traffic on that port to a specific IP on our internal network. Being the paranoid that I am, I do not want to do this but I need better reasons/ammunition other than saying "it would be bad". I am looking for pointers to information hopefully in support of my fear of M$ security. Also, the more recent the information the better.
>

More information is certainly needed;

a: Can the target server be isolated from other hosts? Extranet
b: Will this server have a separated Active Directory server?
c: What applications are needed by external users?
d: What applications are needed by internal users (admins)?
e: Can the MS host administrators manage the separation of these different users?
f: Is this just the only host, or are there more to come?
g: Do you have a VPN? Maybe this is the time to propose one.
h: Does someone have the responsibility to review Event log files on this host?

>
> Not being close minded, I would also be interested in seeing any information which would make me feel warm and fuzzy about opening the port.
>

There is a ASP that offers its custom application via Terminal Services to businesses
across the Internet. No special IPs are blocked, but most ports are blocked. But more
importantly the systems are very much hardened, and account management is
very tightly controlled, and user access to any host application is restricted. It works
but it takes both network security and host security to work together to keep it
working.

My comfort level was not that high.

>
> TIA
>
> __________________________________________________________________
> The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp
>
> Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • gdm hangs
    ... gdm will hang 9 of 10 times when logging out. ... with or without the client having been connected to the Server. ... # Timed login, useful for kiosks. ... Must output the chosen host on stdout, ...
    (Debian-User)
  • problem with sendmail in solaris 9
    ... names that should be exposed as from this host, ... # save Unix-style "From_" lines at top of header? ... # work recipient factor ... # SMTP STARTTLS server options ...
    (SunManagers)
  • Re: Add new cluster and use existing LUNs?
    ... Storport driver and Powerpath on all of our SAN host servers so we are trying ... In the end I think that I may play it cautious and create a new RAID group, ... > varied activity (DBMSes, Messaging Server, File Server, Web Servers, ... Some of the physical spindle limitations can be addressed through the SAN ...
    (microsoft.public.sqlserver.clustering)
  • Log corruption on multiple webservers, log analyzers,...
    ... Related RFC´s about Internet Host Names convention: ... To succesfully attack a server with “ILLC” technique is mandatory that web ... a machine with a host name as "123.123.123.123" makes a request ... wouldn't appear in the access log file. ...
    (Bugtraq)
  • UPDATE weird sendmail problem on Solaris 9 (fwd)
    ... I was asked to supply info about my sendmail config and my nsswitch.conf ... names that should be exposed as from this host, ... # list of locations of user database file ... # SMTP STARTTLS server options ...
    (SunManagers)