TS Client - How Secure?

Guest
Archived from groups: microsoft.public.windowsnt.terminalserver.client

Question, How secure is the TS client (Remote Desktop Connection from
WinXP)? Can you make it reasonably secure? I have run sessions through
VPNs but I am wondering if that is necessary?

Any info would be appreciated.

Cheers
 
Guest

RDP is encrypted with 128-bit bi-directional RC4 Encryption by
default (and if the client supports 128-bit).
If your Terminal Server is behind a firewall and you have a strong
password policy, there's no reason for VPN from a security point of
view. And if you don't have full control over the other end of the
VPN tunnel (a home PC), then I would say VPN is less secure.

_________________________________________________________
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*

"Un1c0rn" <un1c0rn(S p_am Ki_ll_er)@yahoo.com> wrote on 09 jul
2005:

> Question, How secure is the TS client (Remote Desktop Connection
> from WinXP)? Can you make it reasonably secure? I have run
> sessions through VPNs but I am wondering if that is necessary?
>
> Any info would be appreciated.
>
> Cheers
 
Guest

In article <Xns9690A9DE963B5veranoesthemutforsse@207.46.248.16>,
Vera.Noest@remove-this.hem.utfors.se says...
> RDP is encrypted with 128-bit bi-directional RC4 Encryption by
> default (and if the client supports 128-bit).
> If your Terminal Server is behind a firewall and you have a strong
> password policy, there's no reason for VPN from a security point of
> view. And if you don't have full control over the other end of the
> VPN tunnel (a home PC), then I would say VPN is less secure.

Sure there is - if you "Trust" that there are no exploits in the MS TS
service then you are correct, you don't need a VPN.

On the other hand, I don't trust the OS to be exploit free and always
put our servers behind a Firewall Appliance at the border and one that
is not set up to authenticate with the domain - so that domain accounts
with weak passwords can't get users past the firewall.

Our solution is to ALWAYS set up a firewall appliance, users VPN into the
appliance, rule per use to restrict the VPN user to a specific set of
IP/Port combinations inside the LAN, and then they still have to
authenticate with the domain/network. This type of mind-set has kept our
clients uncompromised for as long as they have been using public-facing
services.

--
spam999free@rrohio.com
remove 999 in order to email me
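
The per-user VPN restriction described in the post above, modelled as a default-deny allowlist check. This is an added example, not part of the original thread or any appliance's configuration; the user names, addresses and ports are constructed.

```python
import ipaddress

# Constructed per-user VPN policy (hypothetical users, addresses and ports).
# Each rule is (destination network, TCP port); anything not listed is denied.
VPN_RULES = {
    "alice": [("10.0.5.20/32", 3389)],
    "bob":   [("10.0.5.20/32", 3389), ("10.0.8.0/28", 443)],
}

def is_allowed(user, dst_ip, dst_port, rules=VPN_RULES):
    """Default-deny check: permit only if a rule for this user matches."""
    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        return False  # a malformed destination is never permitted
    for network, port in rules.get(user, []):
        if addr in ipaddress.ip_network(network) and dst_port == port:
            return True
    return False  # unknown user, or no matching IP/port pair

def audit_log(entries, rules=VPN_RULES):
    """Return the attempts that fall outside the user's permitted set."""
    return [e for e in entries if not is_allowed(e[0], e[1], e[2], rules)]

# Constructed connection attempts seen on the VPN interface.
SAMPLE_ATTEMPTS = [
    ("alice", "10.0.5.20", 3389),    # permitted: her terminal server
    ("alice", "10.0.5.20", 445),     # denied: same host, different port
    ("alice", "10.0.8.3", 443),      # denied: covered by bob's rule, not hers
    ("bob", "10.0.8.14", 443),       # permitted: inside 10.0.8.0/28
    ("bob", "10.0.8.16", 443),       # denied: just outside the /28
    ("mallory", "10.0.5.20", 3389),  # denied: no rules exist for this user
]

if __name__ == "__main__":
    for attempt in audit_log(SAMPLE_ATTEMPTS):
        print("DENY", attempt)
```

A permitted connection here only reaches the terminal server's logon prompt; domain authentication still happens afterwards, as the post describes.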
 
Guest

Leythos <void@nowhere.lan> wrote on 12 jul 2005:

> In article <Xns9690A9DE963B5veranoesthemutforsse@207.46.248.16>,
> Vera.Noest@remove-this.hem.utfors.se says...
>> RDP is encrypted with 128-bit bi-directional RC4 Encryption by
>> default (and if the client supports 128-bit).
>> If your Terminal Server is behind a firewall and you have a
>> strong password policy, there's no reason for VPN from a
>> security point of view. And if you don't have full control over
>> the other end of the VPN tunnel (a home PC), then I would say
>> VPN is less secure.
>
> Sure there is - if you "Trust" that there are no exploits in the
> MS TS service then you are correct, you don't need a VPN.
>
> On the other hand, I don't trust the OS to be exploit free and
> always put our servers behind a Firewall Appliance at the border
> and one that is not set up to authenticate with the domain - so
> that domain accounts with weak passwords can't get users past
> the firewall.
>
> Our solution is to ALWAYS set up a firewall appliance, users VPN
> into the appliance, rule per use to restrict the VPN user to a
> specific set of IP/Port combinations inside the LAN, and then
> they still have to authenticate with the domain/network. This
> type of mind-set has kept our clients uncompromised for as long
> as they have been using public-facing services.

OK, I understand what you mean, but the funny thing is that to the
best of my knowledge there have not been any known exploits of TS.

And of course you need a firewall and strong passwords, we totally
agree on that.

But I still think that VPN from a home PC (where the user is local
Administrator and has an unlimited amount of malware, spyware etc
running) into your corporate LAN is not the safest of possible
solutions.

_________________________________________________________
Vera Noest
MCSE,CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
*----------- Please reply in newsgroup -------------*
 
