Security Basics mailing list archives
Re: Terminal services
From: "Rodrigo Blanco" <rodrigo.blanco.r () gmail com>
Date: Wed, 1 Oct 2008 09:10:37 +0200
Hi Fernando,

I would say there are two possibilities: either the application you want to make available for your end users is web, or not (client-server).

If it is a web application, the VPN SSL would be a good solution (for enhanced security, you could think of providing your users with OTP tokens, so that even if there is some kind of malware / keylogger on the non-controlled PCs they are using, no flaw is introduced by enabling this access). VPN SSL is especially convenient since it provides virtually ubiquitous access (it just requires a browser, no need to install any software client), and normally remains transparent for the internal application (behaviour similar to a reverse proxy).

If it is not a web application, you can still publish it through VPN SSL. If the software client of the application can be installed on the PCs, you can tunnel the traffic through port forwarding (usually as an applet or ActiveX from the VPN SSL). Apart from requiring the ability to install software on the public PC (which is usually not the case), this may also pose security concerns about pieces of information remaining on the non-controlled PC as cache / temp files / RAM memory...

The other option is to publish the application in a thin-client architecture (terminal server, Citrix...), and enable access through the VPN SSL through a port forwarder. The advantage of this approach is that the application neither needs to be installed on the public PC nor runs on it, so no sensitive information can be expected to remain on it after the session has been closed. In this second option, AD GPO restrictions can and should be applied to mitigate the risk according to your business.

IPSec VPN (and VPN SSL network extension options), which give the connecting PC a virtual IP adapter in the internal network, may pose more risk since there is a direct connection between the Internet and the PC and between the same PC and the internal network.

Hope this information is useful to you,
Rodrigo.

2008/9/30 <velzaf () hotmail com>:
Hi guys, I need an opinion from you related to terminal services. I need to provide a solution to allow some external clients to connect via Internet to a specific application. Those clients will use laptops that don't belong to the enterprise; in fact they are not secure clients and we don't have any contact with the computers they connect with, just to configure the connection. I have been thinking about the use of VPN, but I am not sure because of their insecurity. I think TLS could be an option but I have no experience implementing that sort of solution, and I worry about them using several tools like tsgrinder or something like that. I know I need to restrict their options to the maximum, maybe using Active Directory. The server is Windows Server 2003; the clients could be XP or Vista. I would like to know your opinion. Thanks in advance. Atte, Fernando Velazco.
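Fernando's worry in the quoted message is password guessing against the terminal server with a tool like tsgrinder, and Rodrigo's answer is to restrict the published session with AD GPO (account lockout being the usual prevention). The script below is an added example, written for this archive page and not part of either poster's message: it runs brute-force detection over Windows Security log records, flagging any source IP that produces repeated failed Terminal Services logons (event 529 on Server 2003, 4625 on Vista/2008) within a short sliding window. The pipe-delimited log format, the field names and the sample records are constructed for the example; a real event export has to be mapped onto these five fields first.

```python
"""Detect RDP password guessing (tsgrinder-style) from Windows Security log records.

Added example for the mailing-list thread above; not code from either poster.
The log format is a constructed, simplified export: one record per line as
    timestamp|event_id|logon_type|account|source_ip
Real Security-log exports carry more fields and different names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon event IDs: 529 on Windows Server 2003, 4625 on Vista/2008 and later.
FAILED_LOGON_IDS = {529, 4625}
# Logon type 10 = RemoteInteractive, i.e. a Terminal Services / RDP logon.
# Assumption for the example: only RDP logons are of interest here.
RDP_LOGON_TYPES = {10}

# Constructed sample records (addresses from documentation ranges).
SAMPLE_LOG = """\
2008-10-01 09:00:01|529|10|administrator|203.0.113.9
2008-10-01 09:00:03|529|10|administrator|203.0.113.9
2008-10-01 09:00:04|529|10|administrator|203.0.113.9
2008-10-01 09:00:06|529|10|administrator|203.0.113.9
2008-10-01 09:00:07|529|10|fernando|203.0.113.9
2008-10-01 09:00:09|529|10|fernando|203.0.113.9
2008-10-01 09:00:10|529|10|fernando|203.0.113.9
2008-10-01 09:05:00|529|10|fernando|198.51.100.4
2008-10-01 09:05:20|529|10|fernando|198.51.100.4
2008-10-01 09:05:45|528|10|fernando|198.51.100.4
2008-10-01 09:10:00|529|3|svc_backup|10.0.0.12
2008-10-01 09:10:01|529|3|svc_backup|10.0.0.12
2008-10-01 09:10:02|529|3|svc_backup|10.0.0.12
2008-10-01 09:10:03|529|3|svc_backup|10.0.0.12
2008-10-01 09:10:04|529|3|svc_backup|10.0.0.12
2008-10-01 09:10:05|529|3|svc_backup|10.0.0.12
"""


def parse_record(line):
    """Split one constructed log line into typed fields."""
    ts, event_id, logon_type, account, source_ip = line.split("|")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account.lower(),   # normalise case; Windows accounts are case-insensitive
        "source_ip": source_ip,
    }


def rdp_failures(lines):
    """Yield only failed logons that came in over Terminal Services."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        if rec["event_id"] in FAILED_LOGON_IDS and rec["logon_type"] in RDP_LOGON_TYPES:
            yield rec


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per source IP that produced at least `threshold`
    failed RDP logons inside any sliding window of length `window`.

    A user mistyping a password twice stays below the threshold; a guessing
    tool cycling through a wordlist exceeds it within seconds.
    """
    by_ip = defaultdict(list)
    for rec in rdp_failures(log_text.splitlines()):
        by_ip[rec["source_ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        best = None  # (count, start_index, end_index) of the densest window seen
        for end, rec in enumerate(recs):
            # Slide the window start forward until it fits inside `window`.
            while rec["time"] - recs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is not None:
            count, s, e = best
            hits = recs[s:e + 1]
            alerts.append({
                "source_ip": ip,
                "attempts": count,
                "accounts": sorted({r["account"] for r in hits}),
                "first": hits[0]["time"],
                "last": hits[-1]["time"],
            })
    return sorted(alerts, key=lambda a: a["first"])


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG):
        print("{source_ip}: {attempts} failed RDP logons on {accounts} "
              "between {first} and {last}".format(**alert))
```

On the constructed sample, 203.0.113.9 fires (seven failures in nine seconds across two accounts), 198.51.100.4 does not (two failures followed by a successful 528), and 10.0.0.12 is ignored because its failures are network logons (type 3), not Terminal Services sessions. The window and threshold should be set below the account-lockout policy that Rodrigo's GPO recommendation would enforce, so the alert arrives before the lockout rather than after.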
Current thread:
- Re: Terminal services Rodrigo Blanco (Oct 01)
- RES: Terminal services Gilberto Fernandes (Oct 01)
- <Possible follow-ups>
- Re: Terminal services Nikhil Wagholikar (Oct 01)
- RE: Terminal services Boaz Shunami (Oct 02)
- Re: Terminal services velzaf (Oct 01)
- Re: Terminal services Dante Signal31 (Oct 10)
- RE: Terminal services Landriault, Yan (Oct 10)
- Re: Terminal services Dante Signal31 (Oct 10)