Firewall Wizards mailing list archives
Re: terminal services
From: Duncan Sharp <drsharp () pacbell net>
Date: Tue, 28 Jan 2003 14:32:22 -0800
natfirewall () netscape net wrote:
Greetings, I am being asked to open port 3389 on our Corporate firewall and direct incoming traffic on that port to a specific IP on our internal network. Being the paranoid that I am, I do not want to do this but I need better reasons/ammunition other than saying "it would be bad". I am looking for pointers to information hopefully in support of my fear of M$ security. Also, the more recent the information the better.
More information is certainly needed;
a: Can the target server be isolated from other hosts? Extranet
b: Will this server have a separated Active Directory server?
c: What applications are needed by external users?
d: What applications are needed by internal users (admins)?
e: Can the MS host administrators manage the separation of these different users?
f: Is this just the only host, or are there more to come?
g: Do you have a VPN? Maybe this is the time to propose one.
h: Does someone have the responsibility to review Event log files on this host?
Not being close minded, I would also be interested in seeing any information which would make me feel warm and fuzzy about opening the port.
There is an ASP that offers its custom application via Terminal Services to businesses across the Internet. No special IPs are blocked, but most ports are blocked. But more importantly the systems are very much hardened, and account management is very tightly controlled, and user access to any host application is restricted. It works but it takes both network security and host security to work together to keep it working. My comfort level was not that high.
TIA
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards