RE: Secure Remote access - windows 2003



------------------------------------
Authentication should be strong. Something more than a password. [ No
budget for RSA SecurID :-))) ]
- W2K3 SP1 RDP can be configured for certificate authentication, adding
server, not just client, authentication to the mix. This goes a looong
way toward removing the RDP MITM threat that so many have feared.

Encryption for user-credentials/data access
- Same answer here; with certificate auth, you also get SSL encryption
of the whole session, from logon to logoff.

Options considered
----------------------------------
I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy is
not simple and also you require Application Mode license.
- L2TP, IPSec and RDP v6 (required for cert auth) would all require
changes at the client machine. All provide the additional security (and
inconvenience) of limiting access to hosts configured for each protocol.
IPSec and L2TP (or PPTP, for that matter) are harder to spread across
clients because they all require specific configuration knowledge. RDP
needs only the v6 client (KB 925876).
- TS App Mode is required for more than 2 concurrent users. File copy
across the RDP channel is not related to TS App Mode.

The number of remote users - less than 100
- More than 3 concurrent users (including console) requires TS App Mode.

Cost-effective, easy to implement and easy to manage solution sought
- the only management difficulty presented by App Mode is licensing and
user education. Otherwise, it's "just an RDP connection" that inherits
all the rights & privileges of that user account. Contrary to urban
myth, adding users to the Admins group is *not* required for TS access
to a machine.

Jim

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of dubaisans dubai
Sent: Monday, January 01, 2007 8:17 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Secure Remote access - windows 2003

I am planning to provide remote access from the Internet to a Windows 2003
domain controller. User-ids, NTFS permissions are all configured.

The objective is file sharing and access.

Files will need to be copied. The machine has a valid Internet IP address
and is sitting behind a Firewall.

I would like to keep the solution independent of the Firewall. This will be
accessed by roaming users. I am thinking of something like OpenSSH for
Windows or maybe just GUI based Secure-FTP

Challenges I am facing
------------------------------------
Authentication should be strong. Something more than a password. [ No
budget for RSA SecurID :-))) ]

Encryption for user-credentials/data access

Options considered
----------------------------------
I read W2K3 L2TP/IPSEC - looks complex. Terminal services - File copy is
not simple and also you require Application Mode license.

The number of remote users - less than 100

Cost-effective, easy to implement and easy to manage solution sought
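
Added example, not part of the original thread: one way to confirm from a captured handshake that the server really selected the SSL (TLS) security layer the reply above describes, rather than falling back to legacy RDP security. It parses the X.224 Connection Confirm using the field layout from MS-RDPBCGR; the function names and the sample bytes are constructed for illustration.

```python
import struct

# selectedProtocol values in RDP_NEG_RSP, per MS-RDPBCGR
SELECTED = {0: "standard-rdp", 1: "tls", 2: "credssp"}

def classify_confirm(pdu: bytes) -> str:
    """Label the security layer chosen in an X.224 Connection Confirm."""
    if len(pdu) < 11 or pdu[0] != 0x03:
        raise ValueError("not a TPKT-framed Connection Confirm")
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        raise ValueError("TPKT length does not match the data")
    if pdu[5] & 0xF0 != 0xD0:
        raise ValueError("X.224 TPDU is not a Connection Confirm")
    neg = pdu[11:]
    if not neg:
        # No negotiation block at all: the server only offers legacy
        # RDP security, so the session will not be wrapped in TLS.
        return "standard-rdp"
    if len(neg) != 8:
        raise ValueError("malformed negotiation block")
    kind, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8:
        raise ValueError("bad negotiation length")
    if kind == 0x02:                      # RDP_NEG_RSP
        return SELECTED.get(value, f"unknown-0x{value:x}")
    if kind == 0x03:                      # RDP_NEG_FAILURE
        return f"refused-{value}"
    raise ValueError("unexpected negotiation type")

def uses_tls_layer(pdu: bytes) -> bool:
    """True only when the server chose TLS, or CredSSP (which runs over TLS)."""
    return classify_confirm(pdu) in ("tls", "credssp")

# Constructed sample replies (not captured from a real host).
HDR = bytes.fromhex("d00000123400")      # CC code, dst-ref, src-ref, class 0

def _frame(neg: bytes) -> bytes:
    x224 = bytes([len(HDR) + len(neg)]) + HDR + neg
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224

TLS_REPLY = _frame(bytes.fromhex("0200080001000000"))      # selected TLS
LEGACY_REPLY = _frame(b"")                                 # no negotiation
REFUSED_REPLY = _frame(bytes.fromhex("0300080002000000"))  # failure code 2

if __name__ == "__main__":
    for name in ("TLS_REPLY", "LEGACY_REPLY", "REFUSED_REPLY"):
        print(name, classify_confirm(globals()[name]))
```
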
