Educause Security Discussion mailing list archives

Re: Remote Terminal Services / SharePoint Servers


From: "Lovaas,Steven R" <Steven.Lovaas () COLOSTATE EDU>
Date: Wed, 10 Jan 2007 18:29:31 -0700

Dave,

Many organizations are using SSL VPNs for this purpose. We just installed a Juniper (formerly NetScreen, formerly
Neoteris) Secure Access Server to provide more flexible remote (and wireless) access, and it includes the ability to
easily tunnel Remote Desktop/Terminal Services.

In fact, Juniper is selling a license flavor for this product that they call "ICE" - short for "In Case of Emergency", 
specifically marketing to people concerned about emergency large-scale network access. It allows for short-term 
exceeding of normal licensed user limits, etc.

Hope this helps,

Steve Lovaas
Colorado State University

________________________________
From: Dave Koontz [dkoontz () MBC EDU]
Sent: Wednesday, January 10, 2007 5:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Remote Terminal Services / SharePoint Servers

We are getting increased pressure to implement REMOTE (off campus access) to Microsoft's Terminal Server, Remote RDP to
users' desktops as well as a new request for an internet-facing SharePoint 2007 server.  In the past, remote campus
access was only allowed via a VPN connection for approved users, but it seems the times are changing.

As anyone in technology knows, things oftentimes build upon one another.  Our most recent example is a task force that
is examining procedures to deal with any possible "bird-flu" pandemic...  and how as a small college we can enable our 
users to work from home should the unimaginable strike.  This of course would mean that various administrative users 
that currently have no remote access would need complete access to our network from any available PC - IMMEDIATELY.  
VPNs generally require Admin rights, which starts our journey....

The brighter on that committee then connected those dots to ask, how can we also use this technology to enable our 
President, Dean, Development and Admissions "road warriors" similar access via smart phones or internet café
connections.  After all, if we are putting money into such an infrastructure, we could at least get gains today from
that investment.  They also argue that TS, RDP and SharePoint are no more of a risk than any other service provided 
that all vendor patch levels are maintained.

I would appreciate any input as to how other campuses are dealing with these issues.  While they make valid points, I 
know that there are unpublished exploits for all these various services which makes me extremely nervous!  But I can't 
say this isn't the same case for any other external service we offer.

Thanks in advance!

---
Dave Koontz
Mary Baldwin College
Staunton, VA
