Security Basics mailing list archives

RE: Remote Desktop, DMZ


From: "ragdelaed" <ragdelaed () gmail com>
Date: Thu, 26 Apr 2007 08:37:02 -0400

If you have to put a Remote Desktop enabled box in your DMZ for external,
build it internally first, completely patch and lock it down. Then put it on
its own VLAN in your DMZ that is firewalled. Enable extensive logging and
use a logging monitor to watch and alert on both the Windows logs and the
firewall logs. It may even be a good idea to put an IPS on that specific
VLAN in order to mitigate any potential issues that may arise from the box
being compromised.

I think putting a box in the DMZ with terminal services enabled is not the
best solution. There may be better ways to achieve what you are looking to
do. Your first statement is a question asking for verification of whether or
not a remote desktop system should be in the DMZ. I would vote no, unless
there is a strong business need for it.

Why are you looking to put a remote desktop system in your DMZ? If this is a
client access issue, I would guess there are web enabled solutions that are
more robust and secure than a remote desktop solution.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Edmund
Sent: Tuesday, April 24, 2007 7:16 AM
To: security-basics () securityfocus com
Subject: Remote Desktop, DMZ

Dear All,

A Remote-Desktop system should be placed within the DMZ,
am I correct?

If that is the case, what if the Remote Desktop
system requires access to an application server; but,
this application server cannot be placed in the DMZ
because LAN users also need access to it?

I've been mulling it over and haven't quite
figured out how or where to put this remote desktop system.
In the DMZ, it will have a hard time being
part of the domain (is this actually necessary?)
or even accessing an application server (which
is also part of the domain). If I put
the Remote Desktop system in the internal LAN,
the risks are not particularly appealing should
the RD system get compromised.

Can someone out there give me some hints/pointers
as to how I might go about in putting a remote
desktop system in an existing network setting?

Thanks

Ed

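An added example (my own code, not from either poster) of the "logging monitor" the reply recommends for a Remote Desktop box on its own firewalled DMZ VLAN. It reads constructed Windows Security and firewall log lines in an assumed key=value form (the event IDs 4624/4625 and logon type 10 are the real Windows identifiers for successful/failed and Remote Desktop logons), alerts when one source fails RDP logon repeatedly and then succeeds, and alerts on any traffic from the RDP host (assumed address 192.0.2.10) to an internal destination outside an allow-list, which is the concern Ed raised about the box reaching the application server on the LAN.

```python
import re
from collections import Counter

# Constructed sample lines (not real logs). Windows fields mimic the Security log:
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = Remote Desktop.
WINDOWS_LOG = """\
EventID=4625 LogonType=10 User=administrator Src=203.0.113.9
EventID=4625 LogonType=10 User=administrator Src=203.0.113.9
EventID=4625 LogonType=10 User=administrator Src=203.0.113.9
EventID=4624 LogonType=10 User=administrator Src=203.0.113.9
EventID=4624 LogonType=10 User=jdoe Src=198.51.100.7
"""
# Firewall lines for the DMZ VLAN; 192.0.2.10 is the assumed address of the RDP host.
FIREWALL_LOG = """\
action=ACCEPT src=203.0.113.9 dst=192.0.2.10 dport=3389
action=ACCEPT src=192.0.2.10 dst=10.0.0.5 dport=1433
action=DROP src=192.0.2.10 dst=10.0.0.6 dport=445
"""
KV = re.compile(r"(\w+)=(\S+)")

def parse(text):
    """Turn key=value log lines into dicts, skipping blank or malformed lines."""
    return [dict(KV.findall(line)) for line in text.splitlines() if "=" in line]

def rdp_bruteforce_alerts(win_events, threshold=3):
    """Alert when a source fails RDP logon >= threshold times and then succeeds."""
    fails, alerts = Counter(), []
    for ev in win_events:
        if ev.get("LogonType") != "10":
            continue  # only Remote Desktop logons matter for this host
        src = ev.get("Src", "?")
        if ev.get("EventID") == "4625":
            fails[src] += 1
        elif ev.get("EventID") == "4624" and fails[src] >= threshold:
            alerts.append(f"RDP success from {src} after {fails[src]} failures")
    return alerts

def dmz_egress_alerts(fw_events, rdp_host, allowed):
    """Alert on any traffic from the RDP host to a (dst, port) not on the allow-list.
    Dropped packets count too: a compromised host probing the LAN should be seen."""
    return [f"{ev['action']} {rdp_host} -> {ev['dst']}:{ev['dport']} not allowed"
            for ev in fw_events
            if ev.get("src") == rdp_host and (ev.get("dst"), ev.get("dport")) not in allowed]

if __name__ == "__main__":
    allowed = {("10.0.0.5", "1433")}  # only the internal application server (assumed)
    for alert in rdp_bruteforce_alerts(parse(WINDOWS_LOG)) + \
            dmz_egress_alerts(parse(FIREWALL_LOG), "192.0.2.10", allowed):
        print("ALERT:", alert)
```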
