Security Basics mailing list archives

RE: Terminal services


From: "Gilberto Fernandes " <gilberto () gastecnologia com br>
Date: Wed, 1 Oct 2008 14:04:34 -0300

Hi all

You can publish applications only through Terminal Services / Users. So
when the user logs in, they will have access only to the specific application, and you
control access to the disk through GPOs. The connection is made over any port. You
can also use the web TSWeb if it runs at 443. There are millions of
alternatives, such as the use of Citrix, but the license cost is high and
you will also have to buy TS CALs for each user that connects to the server.

GFT

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
behalf of Rodrigo Blanco
Sent: Wednesday, October 1, 2008 04:11
To: velzaf () hotmail com
Cc: security-basics () securityfocus com
Subject: Re: Terminal services

Hi Fernando,

I would say there are two possibilities: either the application you
want to make available for your end users is web, or not
(client-server).

If it is a web application, the VPN SSL would be a good solution (for
enhanced security, you could think of providing your users with OTP
tokens, so that even if on the non-controlled PCs they are using there
was some kind of malware / keylogger, no flaw is introduced by
enabling this access). VPN SSL is especially convenient since it
provides virtually ubiquitous access (it just requires a browser, no
need to install any software client), and normally remains transparent
for the internal application (behaviour similar to a reverse proxy).

If it is not a web application, you can still publish it through VPN
SSL. If the software client of the application can be installed on the
PCs, you can tunnel the traffic through port forwarding (usually as an
applet or ActiveX from the VPN SSL). Apart from requiring the ability
to install software on the public PC (which is usually not the case),
this may also pose security concerns about pieces of information
remaining on the non-controlled PC as cache / temp files / RAM
memory... The other option is to publish the application in a
thin-client architecture (terminal server, citrix...), and enable
access through the VPN SSL through a port forwarder. The advantage of
this approach is that neither does the application need to be
installed on the public PC, nor does it run on it, so no sensitive
information can be expected to remain on it after the session has been
closed.

In this second option, AD GPO restrictions can and should be applied
to mitigate the risk according to your business.

IPSec VPN (and VPN SSL network extension options), which provide the
connecting PC with a virtual IP adapter in the internal network, may be
more risky since there is a direct connection between the Internet and
the PC and between the same PC and the internal network.

Hope this information is useful to you,
Rodrigo.



2008/9/30  <velzaf () hotmail com>:
Hi guys

I need an opinion from you related to terminal services.  I need to
provide a solution to allow some external clients to connect via Internet to
a specific application.  Those clients will use laptops that don't belong
to the enterprise; in fact they are not secure clients and we don't have any
contact with the computers they connect with, just to configure the
connection.

I have been thinking about the use of VPN, but I am not sure because of their
insecurity. I think TLS could be an option but I have no experience
implementing that sort of solution, and I worry about their using several
tools like tsgrinder or something like that.  I know I need to restrict
their options to the maximum, maybe using Active Directory.


The server is Windows Server 2003.
The clients could be XP or Vista.

I would like to know your opinion

Thanks in advance.

Atte,

Fernando Velazco.
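The original question worries about password-guessing tools such as tsgrinder being run against the Terminal Services server; one thing a defender can do regardless of which publishing option is chosen is to watch the server's security log for that pattern. The following is an added example, not code from this thread or from any of its participants: it runs a simple sliding-window detector over constructed, simplified event records (the line layout, the IP addresses and the user names are assumptions) and flags sources with repeated RDP logon failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "date time eventid logontype user source"
# layout, not real event-log output. On Windows Server 2003, event 529 is
# "logon failure: unknown user name or bad password" and logon type 10 is
# RemoteInteractive, i.e. a Terminal Services (RDP) logon attempt.
SAMPLE_EVENTS = """\
2008-10-01 14:00:01 529 10 administrator 203.0.113.7
2008-10-01 14:00:02 529 10 administrator 203.0.113.7
2008-10-01 14:00:02 529 10 admin 203.0.113.7
2008-10-01 14:00:03 529 10 root 203.0.113.7
2008-10-01 14:00:04 529 10 guest 203.0.113.7
2008-10-01 14:00:09 529 10 fvelazco 198.51.100.20
2008-10-01 14:00:10 528 10 fvelazco 198.51.100.20
2008-10-01 14:30:00 529 10 administrator 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\d+) (\S+) (\S+)$")

def parse_events(text):
    """Parse the sample layout into (timestamp, event_id, logon_type, user, src)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)))
    return events

def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=5)):
    """Map source -> (failure count, distinct user names) for every source
    that reaches `threshold` RDP logon failures inside any `window`
    (sliding window over the sorted failures for that source)."""
    by_src = defaultdict(list)
    for ts, eid, ltype, user, src in events:
        if eid == 529 and ltype == 10:   # only failed Terminal Services logons
            by_src[src].append((ts, user))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = (end - start + 1, len({u for _, u in fails[start:end + 1]}))
                break
    return hits
```

A legitimate user mistyping a password once (198.51.100.20) is not reported, while a source cycling through several account names in a few seconds is; the burst at 14:30 is outside the window and does not count towards the earlier run.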


