Firewall Wizards mailing list archives

Re: terminal services

From: Duncan Sharp <drsharp () pacbell net>
Date: Tue, 28 Jan 2003 14:32:22 -0800

natfirewall () netscape net wrote:

Greetings,

I am being asked to open port 3389 on our Corporate firewall and direct incoming traffic on that port to a specific 
IP on our internal network.  Being the paranoid that I am, I do not want to do this but I need better 
reasons/ammunition other than saying "it would be bad".  I am looking for pointers to information hopefully in 
support of my fear of M$ security.  Also,  the more recent the information the better.


More information is certainly needed;

a: Can the target server be isolated from other hosts? Extranet
b: Will this server have a separated Active Directory server?
c: What applications are needed by external users?
d: What applications are needed by internal users (admins)?
e: Can the MS host administrators manage the separation of these different users?
f: Is this just the only host, or are there more to come?
g: Do you have a VPN? Maybe this is the time to propose one.
h: Does someone have the responsibility to review Event log files on this host?


Not being close minded,  I would also be interested in seeing any information which would make me feel warm and fuzzy 
about opening the port.


There is a ASP that offers its custom application via Terminal Services to businesses
across the Internet. No special IPs are blocked, but most ports are blocked. But more
importantly the systems are very much hardened, and account management is
very tightly controlled, and user access to any host application is restricted. It works
but it takes both network security and host security to work together to keep it
working.

My comfort level was not that high.


TIA

__________________________________________________________________
The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

terminal services natfirewall (Jan 28)
- Re: terminal services R. DuFresne (Jan 28)
- Re: terminal services Don Kendrick (Jan 28)
- Re: terminal services Paul D. Robertson (Jan 28)
- Re: terminal services David Lang (Jan 28)
- Re: terminal services Duncan Sharp (Jan 28)
  - Re: terminal services Paul D. Robertson (Jan 28)
- <Possible follow-ups>
- RE: terminal services Noonan, Wesley (Jan 28)
- Re: terminal services Steven M. Bellovin (Jan 28)
- RE: terminal services Noonan, Wesley (Jan 28)
  - RE: terminal services R. DuFresne (Jan 28)
    - RE: terminal services Paul D. Robertson (Jan 28)
    - Re: terminal services Barney Wolff (Jan 28)
    - RE: firewall design (was: RE: terminal services ) m p (Jan 29)
  - RE: terminal services Paul D. Robertson (Jan 28)
    - RE: terminal services R. DuFresne (Jan 28)

(Thread continues...)