Educause Security Discussion mailing list archives

Re: Remote Terminal Services / SharePoint Servers


From: "Bristol, Gary L." <gbristol () OU EDU>
Date: Thu, 11 Jan 2007 00:12:36 -0600

Besides the use of SSL VPN devices, of which we have a couple of flavors, another option that we use is SSH bastion 
hosts.
 
I have several in place that provide different parts of the user community access to the resources they need.
The hosts are Linux-based and authenticate the users via Kerberos to the Microsoft AD domain controllers.
This provides a very effective means of connecting securely and still having the resources on the inside available to 
the users and isolated from common off-campus access, i.e., hackers.
 
Gary L. Bristol
 CISSP, RHCE
 University of Oklahoma
 175 Kuhlman Court
 Norman, OK 73019

 Office: 405-325-2236
 Cell:   405-409-6406

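Worked example of the bastion pattern Gary describes, added here for illustration and not taken from his setup or from the thread. It shows a jump-only sshd_config for a Linux bastion that accepts only Kerberos (GSSAPI) tickets issued by the AD domain controllers and forwards connections only to named internal services, a constructed weak config beside it, and a small audit function that fails a config lacking the hardening directives. The realm, host names, group name and internal addresses are hypothetical, and the host keytab the bastion needs for GSSAPI (obtained by joining it to the domain) is assumed to exist.

```shell
#!/bin/sh
# Added example, not Gary Bristol's actual configuration: a jump-only
# sshd_config for a Linux SSH bastion that authenticates users with
# Kerberos tickets issued by the AD domain controllers, and a small audit
# function that fails if a config is missing the hardening directives.
# Realm, host names, group name and internal hosts are all hypothetical.

# Hypothetical krb5.conf on the bastion. sshd's GSSAPI support also needs
# a host keytab (host/bastion.example.edu@AD.EXAMPLE.EDU) obtained by
# joining the bastion to the domain, which is outside this example.
KRB5_CONF='
[libdefaults]
    default_realm = AD.EXAMPLE.EDU
    dns_lookup_kdc = true
[realms]
    AD.EXAMPLE.EDU = {
        kdc = dc1.ad.example.edu
        kdc = dc2.ad.example.edu
    }
'

# Hypothetical hardened /etc/ssh/sshd_config for the bastion.
BASTION_SSHD_CONFIG='
# Only AD Kerberos tickets are accepted; no passwords or keys on the bastion
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication no
PermitRootLogin no
UsePAM yes
AllowGroups bastion-users
# No shell on the bastion: it only relays TCP connections inward
PermitTTY no
ForceCommand /usr/sbin/nologin
AllowTcpForwarding yes
X11Forwarding no
AllowAgentForwarding no
GatewayPorts no
# Only the Terminal Server (RDP) and the SharePoint front end are reachable
PermitOpen ts1.internal.example.edu:3389 sharepoint.internal.example.edu:443
LogLevel VERBOSE
'

# Constructed weak config: a default-style server that also allows passwords
WEAK_SSHD_CONFIG='
PasswordAuthentication yes
PermitRootLogin yes
X11Forwarding yes
'

# Look up one keyword in the global section of an sshd_config (before any
# Match block). sshd uses the first occurrence of a keyword, so the audit
# does too. Prints the lowercased first value, or nothing if unset.
sshd_global_value() {
  printf '%s\n' "$1" | awk -v k="$2" '
    NF == 0 || $1 ~ /^#/ { next }                    # blank and comment lines
    tolower($1) == "match" { exit }                  # global section ends here
    tolower($1) == k && !seen { v = tolower($2); seen = 1 }
    END { print v }'
}

# Return 0 if the config carries every jump-host directive we require,
# 1 (with a message on stderr) at the first one that is missing or wrong.
audit_bastion_config() {
  cfg="$1"
  for want in "gssapiauthentication yes" "passwordauthentication no" \
              "permitrootlogin no" "permittty no" "x11forwarding no" \
              "allowagentforwarding no" "gatewayports no"; do
    key=${want% *}; val=${want#* }
    got=$(sshd_global_value "$cfg" "$key")
    if [ "$got" != "$val" ]; then
      echo "FAIL: $key is '${got:-unset}', expected '$val'" >&2
      return 1
    fi
  done
  # PermitOpen defaults to "any": an unrestricted bastion forwards to everything
  got=$(sshd_global_value "$cfg" permitopen)
  if [ -z "$got" ] || [ "$got" = any ]; then
    echo "FAIL: PermitOpen is '${got:-unset}'; restrict it to the internal services" >&2
    return 1
  fi
  return 0
}

# Client side (hypothetical names): get a ticket from AD, then tunnel RDP
# through the bastion to the Terminal Server and point the RDP client at
# localhost:3389.
#   kinit user@AD.EXAMPLE.EDU
#   ssh -N -o GSSAPIAuthentication=yes \
#       -L 3389:ts1.internal.example.edu:3389 user@bastion.example.edu

if audit_bastion_config "$BASTION_SSHD_CONFIG"; then
  echo "bastion sshd_config: OK"
fi
if ! audit_bastion_config "$WEAK_SSHD_CONFIG"; then
  echo "weak sshd_config: rejected (as expected)"
fi
```

The audit reads only the global section because sshd takes the first value of each keyword and Match blocks can only tighten settings for specific users or groups; run it against the real file with `audit_bastion_config "$(cat /etc/ssh/sshd_config)"`. The PermitOpen check is the one most often forgotten: without it a bastion user who passes Kerberos can forward to any internal host and port, which defeats the isolation the bastion is there to provide.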

________________________________

From: Dave Koontz [mailto:dkoontz () MBC EDU]
Sent: Wed 1/10/2007 6:27 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Remote Terminal Services / SharePoint Servers


We are getting increased pressure to implement REMOTE (off-campus) access to Microsoft's Terminal Server, remote RDP to 
users' desktops, as well as a new request for an internet-facing SharePoint 2007 server.  In the past, remote campus 
access was only allowed via a VPN connection for approved users, but it seems the times are changing.
 
As anyone in technology knows, things oftentimes build upon one another.  Our most recent example is a task force that 
is examining procedures to deal with any possible "bird-flu" pandemic...  and how, as a small college, we can enable our 
users to work from home should the unimaginable strike.  This of course would mean that various administrative users 
that currently have no remote access would need complete access to our network from any available PC - IMMEDIATELY.  
VPNs generally require admin rights, which starts our journey....
 
The brighter on that committee then connected those dots to ask how we can also use this technology to enable our 
President, Dean, Development and Admissions "road warriors" similar access via smart phones or internet café 
connections.  After all, if we are putting money into such an infrastructure, we could at least get gains today from 
that investment.  They also argue that TS, RDP and SharePoint are no more of a risk than any other service, provided 
that all vendor patch levels are maintained.
 
I would appreciate any input as to how other campuses are dealing with these issues.  While they make valid points, I 
know that there are unpublished exploits for all these various services which makes me extremely nervous!  But I can't 
say this isn't the same case for any other external service we offer.
 
Thanks in advance!
 
---
Dave Koontz
Mary Baldwin College
Staunton, VA
 
 
