Re: RDP & IP security help
- From: "Al Dunbar" <AlanDrub@xxxxxxxxxxxxxxxxxxx>
- Date: Thu, 23 Oct 2008 20:36:42 -0600
"silver1386" <silver1386@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:51E18AB9-DFC8-4EB1-86DF-4C4D75009F82@xxxxxxxxxxxxxxxx
Thanks Anthony. I've been looking into it a bit more today. They just dumped
a lot of money into a new ISA server so yeah they will want to use that and
get away from the RDP. Do you know where I can get started looking for info
on this? Thanks for the info on the NAT; I can do that. I guess I didn't
understand what they were looking for.
I am no technical expert in this area either, however, if I were in your
shoes I would be concerned about taking suggestions presented here without
making sure I fully understood them. If you are considered a "network admin"
there may be a high expectation on the part of your employer that there is
nothing you do not know about the technology and how to make it secure.
I am not saying that Anthony is leading you astray (far from it, in fact).
But reconfiguring a network and plugging in boxes espousing the technologies
he lists below does not automatically make things secure.
You may be sensitive about suggesting to your boss that you are not that
networking security whiz kid they thought you were. But in the event of some
incident that demonstrates your changes have not had the expected effect on
security, especially if it is costly to them in terms of dollars or public
relations, you could be in for a rough time.
Sure, you can learn a lot here, and sure being over your head is a great way
to learn. But I would strongly recommend you supplement those activities
with a course or two on the subject.
A few questions suggest themselves to me here:
- what are your qualifications and what is your experience?
- how many network admins besides yourself - and do they know this stuff?
- who did the audit? The resulting recommendations suggest they must have
included some technical folk. If so, you might be able to pick up some help
from them; if not, I would question their conclusions. It seems too much
like the client dictating the solution rather than the problem.
I am not intending to demean you or insult your intelligence, and I am not
suggesting that you need to answer these questions - only that you
consider them yourself. With the little detail I have of your situation, I
am concerned that you may be setting yourself up for a fall. I do hope I am
wrong, and I wish you all the best.
/Al
"Anthony [MVP]" wrote:
Hi Silver,
You need something to provide secure remote access. Any number of ways to do
that. Maybe your firewall can already do it.
- Microsoft = RRAS on a server, or ISA server
- Cisco = ASA
- Citrix = Secure Gateway
and many many more.
Changing the addresses in the DMZ just means using NAT on the firewall to
translate between public and private addresses.
Hope that helps,
Anthony,
http://www.airdesk.com
"silver1386" <silver1386@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:608E18E1-F196-4E9D-B5EA-7CF7C1B77AD3@xxxxxxxxxxxxxxxx
If I am in the wrong forum could someone please redirect me. I am also
looking for more forums and pages to learn from.
I just got a job as a network admin in a mid size company (350 users). To be
honest some of this is over my head, but that's a great way to learn. They
currently run 8 servers (web, print & file, AD, ISA, mail, exchange, sql,
rds), all on Windows Server 2003 (one of my future projects is upgrading to
2008).
The company recently had an audit done and they want me to tie some stuff up:
Remote Access:
- Cannot expose RDP to the internet without tunneling
- Restrict RDP to users who need it.
- All remote access should be going through a VPN connection
Network Design:
- If possible remove the external IP address from the DMZ
- Limit the number of external IP addresses used.
The audit says all the above requires additional hardware. For the time
being my boss wants a cost estimate for the budget. I don't have a clue what
is required here. Any suggestions? Let me know if you need more info. Greatly
appreciated!