Posted by Daniel Petri on June 19, 2008, 7:04 am
I'll drop my $0.02 here. Perhaps the consultant warned you against the risks
of allowing TCP port 3389 through the firewall, and openly advertising that
you're allowing RDP/TS from outside? Using VPN to control who can access the
RDP/TS sessions will add an additional layer of security to your remote
access solution, not because it will do a better job with encryption, but
because it will only allow authenticated users to gain access to the RDP/TS
logon window in the first place.
Does this make sense? To me it sure does. This is, BTW, one of the
advantages of using Win2008 TS Gateway to connect to the internal RDP/TS
resources. They are not open to the world unless you gain access through the
TS Gateway first.
HTH
--
Sincerely,
Daniel Petri
MVP, Senior IT consultant, trainer
www.petri.co.il
> Agreed. It's bidirectional TLS with long keys, which is essentially
> equivalent to VPN.
>
> Maybe you should re-evaluate your relationship with this consultant. :)
>
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com
>
>
>
>> Yes, everything is encrypted. Remote Desktop even supports smart card
>> authentication. VPN is perceived to be more secure but in reality it
>> doesn't add much. As an example - virtual desktop infrastructures that
>> are very popular today rely on thin client protocols (RDP/ICA) for
>> security, not VPN. It will be a stretch to come up with an attack
>> scenario that is valid for remote desktop but mitigated using VPN.
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>>> I had a consultant give me the fire drill about how our network is at
>>> risk because we have 2 people connecting via remote desktop to 1 server.
>>> These are set in GP to enforce high encryption level. My understanding is
>>> this is secure, and according to the technet article I read, even login
>>> credentials are encrypted.
>>> Is this correct? Is the contractor just trying to scare us to have
>>> him set up a vpn for $$$?
>>> Looking for comments
>>>
>>> Thanks
>>>
>>> craig
>>>
>>>
>>>
>>> --
>>> Craig Niedringhaus
>>> craig@milwaukeenet.net
>>> www.milwaukeenet.net
>>> -----BEGIN PGP PUBLIC KEY BLOCK-----
>>> Version: PGP 8.0.2
>>>
>>> mQGiBEFtMm4RBADPxR+70an3t9hjRt7pvk0URNrcnNS3Jm/zbFudFbne1xiMqUu2
>>> hKG6U4wZr7H8oD97fd7b5wzJDsfHFAR2YIP4e9XKEDXXeqGtKRjBe1FV123yfPAe
>>> GAyMg2uf9eBX9ykYGtTsKsAXmsiTcRaYplRj66a4zO13j9x2lf7k2+j5OwCg/y+p
>>> aOE5p+mY5G1h8beSDzWPAUkD/Ar6M/bEJIOlSAJvO+8dLGYHIzk0jlIiTDabYjBI
>>> tWUS5MlmTTAXcQ1jr2Q+wRkpVUTC9sveWuLquoAjsaOw1t+nRbAt6yQaja1EzNAr
>>> 2O0MuLQRUYPsnlI6DVrtflM1FBL0YeyncvkGpdCj6MRs+FYQbgWm4JA8KuYQq9Q3
>>> eIXsA/9atvTOcYdQ7WWmSeX/A1zT2m95kZLnEE57OIjOdds8bHmWm1MpCDszzNJS
>>> LX+apCGZSBQ8/DHD5+9Wxs9s+QD9c9JFKszCmHq1JXf/duosQCSbikaU9UdbW9hm
>>> t1+XGLOg6VZ2P3sSgkV56vr0O/MU9ENtd2e9DHToI1DQbapljLQqQ3JhaWdOaWVk
>>> cmluZ2hhdXMgPGNyYWlnQG1pbHdhdWtlZW5ldC5uZXQ+iQBXBBARAgAXBQJBbTJu
>>> BwsJCAcDAgoCGQEFGwMAAAAACgkQI8Oi/e+Ji6kB5gCgijElHMQ4aFnLuwfIKLTp
>>> TkAlOWAAoLEkBOR84ZxmNTwQeVPPKhCK1UW/uQINBEFtMm8QCAD2Qle3CH8IF3Ki
>>> utapQvMF6PlTETlPtvFuuUs4INoBp1ajFOmPQFXz0AfGy0OplK33TGSGSf
>>>
>>
>>
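The thread turns on two separate questions: whether the listener is configured the way Craig believes (GP-enforced high encryption, credentials never sent in the clear) and, per Daniel, whether the logon window is reachable from anywhere before any authentication happens. The script below is an added example, not code from any of the posters; it audits the local RDP-Tcp listener against both points. It assumes a Windows host with the NetSecurity module (Windows 8 / Server 2012 or later) and local administrator rights to read the Terminal Server registry keys; the registry value names and their meanings are the documented ones for the RDP-Tcp listener.

```powershell
# Added example (not from the thread): audit the local RDP listener for the
# settings the posters discuss. Assumes Windows 8 / Server 2012 or later
# (NetSecurity module) and rights to read HKLM.

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Documented value meanings for the RDP-Tcp listener:
#   MinEncryptionLevel : 1 Low, 2 Client Compatible, 3 High, 4 FIPS
#   SecurityLayer      : 0 RDP Security Layer, 1 Negotiate, 2 TLS
#   UserAuthentication : 1 = Network Level Authentication required
$encryptionNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS' }
$layerNames      = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'TLS' }

function Get-RdpListenerAudit {
    $listener = Get-ItemProperty -Path $rdpTcp
    $root     = Get-ItemProperty -Path $tsRoot
    $port     = if ($listener.PortNumber) { [int]$listener.PortNumber } else { 3389 }

    # Enabled inbound allow rules that open the listener port, with the
    # remote address scope each one permits (Daniel's exposure question).
    $exposingRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
            ($ports -contains "$port") -or ($ports -contains 'Any')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }

    $findings = @()
    if ($root.fDenyTSConnections -eq 1) {
        $findings += 'Remote Desktop connections are disabled on this host.'
    }
    if ($listener.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel is '$($listener.MinEncryptionLevel)'; a GP 'High' setting writes 3, FIPS writes 4."
    }
    if ($listener.SecurityLayer -lt 2) {
        $findings += "SecurityLayer is '$($listener.SecurityLayer)'; 2 (TLS) authenticates the server before credentials are sent."
    }
    if ($listener.UserAuthentication -ne 1) {
        $findings += 'Network Level Authentication is not required; unauthenticated clients reach the logon window.'
    }
    foreach ($rule in $exposingRules) {
        if ($rule.RemoteAddress -eq 'Any') {
            $findings += "Firewall rule '$($rule.Name)' ($($rule.Profile)) allows port $port from any remote address."
        }
    }

    [pscustomobject]@{
        Port               = $port
        MinEncryptionLevel = $encryptionNames[[int]$listener.MinEncryptionLevel]
        SecurityLayer      = $layerNames[[int]$listener.SecurityLayer]
        NlaRequired        = ($listener.UserAuthentication -eq 1)
        ExposingRules      = $exposingRules
        Findings           = $findings
    }
}

# Run from an elevated PowerShell prompt on the server being discussed.
Get-RdpListenerAudit | Format-List
```

An empty `Findings` list means the listener enforces High or FIPS encryption over TLS, requires NLA, and no firewall rule opens the port to every remote address. A rule scoped to `Any` is the exposure Daniel describes: the host answers RDP from the whole internet before any user is authenticated, which is the gap a VPN or TS Gateway in front of the listener closes, independently of how strong the session encryption is.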