Educause Security Discussion mailing list archives

Re: RDP access to Servers from computing staff workstations.


From: Jeff Kell <jeff-kell () UTC EDU>
Date: Tue, 8 Jun 2010 13:06:06 -0400

On 6/8/2010 11:53 AM, Eme Ejike wrote:
> On the Linux/Unix/Solaris environments, we have a bastion host set up
> for management access to servers from our computing staff workstations.
> However, no infrastructure was defined for access to the Windows
> servers, which I am currently planning to set a structure for.
> I would sincerely appreciate some feedback on how management access
> has been set up for access to the server environment from your
> computing staff workstations.
> What model do most Security Admins within our forum gravitate towards?

We have a "standard non-standard" route for this, using SSH, RDP, or VNC
(depending on the target platform) on a nonstandard port.  Users are
encouraged to restrict access to the relocated service port to specific
IPs/subnets (we have authorized ITD staff and departmental sysadmins in
predictable subnets, as well as our VPN pools).

Public-facing SSH/RDP/etc are practically nonexistent except in very
special situations.  Changing the ports avoids script kiddies but
obviously does little against a targeted attack.

This was not done overnight, however :-)  Identify your users and work
with them individually to transition them to whatever method you choose.

Jeff
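
The scheme described in the reply above (management service on a relocated port, reachable only from staff, departmental sysadmin and VPN subnets) can be checked against an inventory of inbound rules. The following is an added example, not part of the original message; every subnet, host name, port number and the rule format are constructed assumptions.

```python
import ipaddress

# Assumed values, constructed for illustration (not from the post).
DEFAULT_PORTS = {"ssh": 22, "rdp": 3389, "vnc": 5900}
AUTHORIZED = [ipaddress.ip_network(n) for n in (
    "10.10.20.0/24",   # ITD staff subnet (constructed)
    "10.10.30.0/24",   # departmental sysadmins (constructed)
    "10.99.0.0/22",    # VPN pool (constructed)
)]

# Constructed inventory of inbound management rules:
# (host, service, listening port, allowed source networks)
RULES = [
    ("win-app01",  "rdp", 33890, ["10.10.20.0/24", "10.99.0.0/22"]),
    ("win-db01",   "rdp", 3389,  ["10.10.20.0/24"]),
    ("lin-web01",  "ssh", 2222,  ["0.0.0.0/0"]),
    ("win-file01", "rdp", 33890, ["10.10.20.17/32", "192.0.2.44/32"]),
    ("lab-kvm01",  "vnc", 5901,  []),
]

def audit_rule(host, service, port, sources):
    """Return findings for one rule that departs from the scheme."""
    findings = []
    # The service should have been moved off its well-known port.
    if port == DEFAULT_PORTS[service]:
        findings.append(f"{host}: {service} still on default port {port}")
    # An empty source list means the port is open to any address.
    if not sources:
        findings.append(f"{host}: {service}/{port} has no source restriction")
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        # Each allowed source must sit wholly inside one authorized subnet.
        inside = any(net.version == a.version and net.subnet_of(a)
                     for a in AUTHORIZED)
        if not inside:
            findings.append(
                f"{host}: {service}/{port} allows {net}, outside authorized subnets")
    return findings

def audit(rules):
    """Audit every rule and return the combined list of findings."""
    out = []
    for rule in rules:
        out.extend(audit_rule(*rule))
    return out

if __name__ == "__main__":
    for line in audit(RULES):
        print(line)
```

A relocated port with an open source list (lin-web01 here) is the case the reply warns about: the port change alone only filters untargeted scans.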
