Security Basics mailing list archives
RE: Remote Desktop, DMZ
From: "ragdelaed" <ragdelaed () gmail com>
Date: Thu, 26 Apr 2007 08:37:02 -0400
If you have to put a Remote Desktop enabled box in your DMZ for external build it internally first, completely patch and lock it down. Then put it on its own VLAN in your DMZ that is firewalled. Enable extensive logging and use a logging monitor to watch and alert on both the Windows logs and the firewall logs. It may even be a good idea to put an IPS on that specific VLAN in order to mitigate any potential issues that may arise from the box being compromised.

I think putting a box in the DMZ with terminal services enabled is not the best solution. There may be better ways to achieve what you are looking to do. Your first statement is a question asking for verification of whether or not a remote desktop system should be in the DMZ. I would vote no, unless there is a strong business need for it.

Why are you looking to put a remote desktop system in your DMZ? If this is a client access issue, I would guess there are web-enabled solutions that are more robust and secure than a remote desktop solution.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Edmund
Sent: Tuesday, April 24, 2007 7:16 AM
To: security-basics () securityfocus com
Subject: Remote Desktop, DMZ

Dear All,

A Remote-Desktop system should be placed within the DMZ, am I correct? If that is the case, what if the Remote Desktop system requires access to an application server; but, this application server cannot be placed in the DMZ because LAN users also need access to it?

I've been mulling it over and haven't quite figured out how or where to put this remote desktop system. In the DMZ, it will have a hard time being part of the domain (is this actually necessary?) or even access an application server (which is also part of the domain). If I put the Remote Desktop system in the internal LAN, the risks are not particularly appealing should the RD system get compromised.

Can someone out there give me some hints/pointers as to how I might go about in putting a remote desktop system in an existing network setting?

Thanks
Ed
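
The monitoring suggested in the reply above (watching both the firewall logs and the Windows logs for the Remote Desktop box), as an added example that is not part of the original thread. The addresses, the permitted application-server port, the key=value log format and the alert threshold are assumptions constructed for illustration; 529 and 4625 are the Windows failed-logon event IDs.

```python
from collections import Counter

# Everything below is constructed for illustration (not from the thread).
RDP_HOST = "192.0.2.10"            # Remote Desktop box on its own DMZ VLAN
APP_SERVER = ("10.0.0.20", 8443)   # the only internal service it may reach
FAILED_LOGON_IDS = {"529", "4625"} # Windows failed-logon events (2003 / Vista+)
THRESHOLD = 3                      # failures per source before alerting

# Constructed firewall log: one connection per line, src is the initiator.
FIREWALL_LOG = """\
action=allow src=198.51.100.7 dst=192.0.2.10 dport=3389
action=allow src=192.0.2.10 dst=10.0.0.20 dport=8443
action=deny src=192.0.2.10 dst=10.0.0.5 dport=445
action=allow src=192.0.2.10 dst=203.0.113.9 dport=443
"""

# Constructed Security-log export from the Remote Desktop box.
WINDOWS_LOG = """\
event_id=4625 user=administrator src=198.51.100.7
event_id=4625 user=admin src=198.51.100.7
event_id=4625 user=ed src=198.51.100.7
event_id=4624 user=ed src=198.51.100.44
event_id=4625 user=ed src=198.51.100.44
"""

def parse(text):
    """Turn 'k=v k=v' lines into dicts."""
    return [dict(f.split("=", 1) for f in line.split())
            for line in text.splitlines() if line.strip()]

def firewall_alerts(records):
    """Flag any connection the RDP host opens outside its one permitted path."""
    alerts = []
    for r in records:
        if r["src"] == RDP_HOST and (r["dst"], int(r["dport"])) != APP_SERVER:
            alerts.append(f"{r['action']}: {RDP_HOST} -> {r['dst']}:{r['dport']}")
    return alerts

def logon_alerts(records):
    """Flag sources with repeated failed logons on the RDP host."""
    fails = Counter(r["src"] for r in records if r["event_id"] in FAILED_LOGON_IDS)
    return [f"{n} failed logons from {src}"
            for src, n in sorted(fails.items()) if n >= THRESHOLD]

if __name__ == "__main__":
    for alert in firewall_alerts(parse(FIREWALL_LOG)) + logon_alerts(parse(WINDOWS_LOG)):
        print("ALERT", alert)
```

An "allow" alert means the firewall rules on the VLAN are wider than the one intended path; a "deny" alert means the box tried to reach something it has no reason to reach.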