RE: Remote Desktop, DMZ



If you have to put a Remote Desktop enabled box in your DMZ for external
build it internally first, completely patch and lock it down. Then put it on
its own VLAN in your DMZ that is firewalled. Enable extensive logging and
use a logging monitor to watch and alert on both the Windows logs and the
firewall logs. It may even be a good idea to put an IPS on that specific
VLAN in order to mitigate any potential issues that may arise from the box
being compromised.

I think putting a box in the DMZ with terminal services enabled is not the
best solution. There may be better ways to achieve what you are looking to
do. Your first statement is a question asking for verification of whether or
not a remote desktop system should be in the DMZ. I would vote no, unless
there is a strong business need for it.

Why are you looking to put a remote desktop system in your DMZ? If this is a
client access issue, I would guess there are web enabled solutions that are
more robust and secure than a remote desktop solution.

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Edmund
Sent: Tuesday, April 24, 2007 7:16 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Remote Desktop, DMZ

Dear All,

A Remote-Desktop system should be placed within the DMZ,
am I correct?

If that is the case, what if the Remote Desktop
system requires access to an application server; but,
this application server cannot be placed in the DMZ
because LAN users also need access to it?

I've been mulling it over and haven't quite
figured out how or where to put this remote desktop system.
In the DMZ, it will have a hard time being
part of the domain (is this actually necessary?)
or even access an application server (which
is also part of the domain). If I put
the Remote desktop system in the internal LAN,
the risks are not particularly appealing should
the RD system get compromised.

Can someone out there give me some hints/pointers
as to how I might go about in putting a remote
desktop system in an existing network setting?

Thanks

Ed
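
An added example, not part of either message above: a minimal log review for the setup the reply describes, alerting when the DMZ Remote Desktop box initiates traffic beyond the one application server it needs and when one source piles up failed logons. The addresses, port, threshold and the key=value log format are assumptions constructed for illustration; 4625 is the failed-logon event ID in the Windows Security log.

```python
from collections import Counter

RD_HOST = "10.10.50.10"                    # assumed address of the DMZ Remote Desktop box
ALLOWED_EGRESS = {("192.168.1.20", 8080)}  # assumed: the only internal server it may reach
FAILED_LOGON_THRESHOLD = 5                 # assumed alert threshold per source address

def parse_kv(line):
    """Turn 'k=v k=v' into a dict; the log format here is constructed."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def review(firewall_lines, windows_lines):
    alerts = []
    # Firewall log: anything the RD box initiates outside its allow-list points
    # to a rule gap or to a compromised host reaching toward the LAN.
    for rec in map(parse_kv, firewall_lines):
        if rec.get("src") == RD_HOST:
            dest = (rec.get("dst"), int(rec.get("dport", 0)))
            if dest not in ALLOWED_EGRESS:
                action = rec.get("action", "?")
                alerts.append(f"egress {action} {RD_HOST} -> {dest[0]}:{dest[1]}")
    # Windows Security log: count failed logons (event 4625) per source address.
    failures = Counter(
        rec.get("ip")
        for rec in map(parse_kv, windows_lines)
        if rec.get("event") == "4625"
    )
    for ip, count in sorted(failures.items()):
        if count >= FAILED_LOGON_THRESHOLD:
            alerts.append(f"logon-failures {ip} count={count}")
    return alerts

# Constructed sample data (not taken from any real system).
FIREWALL_SAMPLE = [
    "action=allow src=203.0.113.7 dst=10.10.50.10 dport=3389",
    "action=allow src=10.10.50.10 dst=192.168.1.20 dport=8080",
    "action=deny src=10.10.50.10 dst=192.168.1.5 dport=445",
    "action=deny src=10.10.50.10 dst=192.168.1.9 dport=3389",
]
WINDOWS_SAMPLE = ["event=4625 user=administrator ip=198.51.100.23"] * 6 + [
    "event=4625 user=ed ip=203.0.113.7",
    "event=4624 user=ed ip=203.0.113.7",
]

if __name__ == "__main__":
    for alert in review(FIREWALL_SAMPLE, WINDOWS_SAMPLE):
        print(alert)
```

Denied egress from the RD box is worth alerting on even though the firewall blocked it, since a host that only serves Remote Desktop sessions has no reason to attempt those connections.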


