TS access and Virus issue

Archived from groups: microsoft.public.win2000.security (More info?)

I have a vendor that wants to have access to an application on my server, I
was thinking about using TS, but I have concerns over viruses coming from the
vendors network. This is a financial database that the vendor would be
connecting to and he would not have access to any other areas of the server.
Is my concern about viruses valid, or do I have nothing to worry about? I am
also worried about overall security on the vendor site, if I give him access
to my server and he has security breach then my security is breached also..
right?. Hope someone can help me by shedding light on these issues
4 answers Last reply
More about access virus issue
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    "Bjarni" <Bjarni@discussions.microsoft.com> wrote in message
    news:9BCDE136-8F99-4CD4-B6C2-C9EAE7C93E1B@microsoft.com...
    > I have a vendor that wants to have access to an application on my server,
    I
    > was thinking about using TS, but I have concerns over viruses coming from
    the
    > vendors network. This is a financial database that the vendor would be
    > connecting to and he would not have access to any other areas of the
    server.
    > Is my concern about viruses valid, or do I have nothing to worry about? I
    am
    > also worried about overall security on the vendor site, if I give him
    access
    > to my server and he has security breach then my security is breached
    also..
    > right?. Hope someone can help me by shedding light on these issues

    I don't believe terminal services transfers anything other than screen
    shots, the location of your mouse, and what you type on your keyboard. If
    you are thinking about the fact that you have to open up your firewall to
    the internet for the TS specific ports then you really only have to worry if
    you aren't up to date with all the patches. You do have a firewall don't
    you?

    Joe
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Joe, thanks for your reply,

    I do have a firewall and and all my servers are upto date with all patches.
    What about drive mappings, doesn't open up the possibility of viruses? I have
    worked with TS and remote users in the past so I know about screen draws etc.
    but never had to worry about this because I controled both sides, which in
    this case I do not.

    I have multiple servers, over 400 users and I don't feel comfortable giving
    an outside vendor access like this, so I guess I am trying to come up with
    something other then my concerns about TS and it's security issues from the
    outside.
    TIA for any follow-ups
    "Joe" wrote:

    >
    > "Bjarni" <Bjarni@discussions.microsoft.com> wrote in message
    > news:9BCDE136-8F99-4CD4-B6C2-C9EAE7C93E1B@microsoft.com...
    > > I have a vendor that wants to have access to an application on my server,
    > I
    > > was thinking about using TS, but I have concerns over viruses coming from
    > the
    > > vendors network. This is a financial database that the vendor would be
    > > connecting to and he would not have access to any other areas of the
    > server.
    > > Is my concern about viruses valid, or do I have nothing to worry about? I
    > am
    > > also worried about overall security on the vendor site, if I give him
    > access
    > > to my server and he has security breach then my security is breached
    > also..
    > > right?. Hope someone can help me by shedding light on these issues
    >
    > I don't believe terminal services transfers anything other than screen
    > shots, the location of your mouse, and what you type on your keyboard. If
    > you are thinking about the fact that you have to open up your firewall to
    > the internet for the TS specific ports then you really only have to worry if
    > you aren't up to date with all the patches. You do have a firewall don't
    > you?
    >
    > Joe
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    If you can give that user TS access without being a local administrator, you
    can minimize the risk. Otherwise is someone gets control of his computer
    they may get control of your computer. If you can do such for that user,
    make sure that you use complex passwords on your computer and enable an
    account lockout policy that has a threshold of no less than ten bad
    attempts. As far a viruses , you can greatly reduce the risk if you disable
    clipboard and other mappings in the RDP properties for client settings
    which would however affect all users connecting via TS. You can configure
    RDP properties in Terminal Services Configuration/connections. I would also
    make sure that the built in administrator account is not allowed to logon
    through TS in it's account properties and consider giving the user logon
    time restrictions if possible to minimize risk of someone trying to gain
    access at times when there is no reason to allow that user access such as
    nights and weekends perhaps or simply dictate to him the hours that he can
    access the computer via TS. --- Steve


    "Bjarni" <Bjarni@discussions.microsoft.com> wrote in message
    news:9BCDE136-8F99-4CD4-B6C2-C9EAE7C93E1B@microsoft.com...
    >I have a vendor that wants to have access to an application on my server, I
    > was thinking about using TS, but I have concerns over viruses coming from
    > the
    > vendors network. This is a financial database that the vendor would be
    > connecting to and he would not have access to any other areas of the
    > server.
    > Is my concern about viruses valid, or do I have nothing to worry about? I
    > am
    > also worried about overall security on the vendor site, if I give him
    > access
    > to my server and he has security breach then my security is breached
    > also..
    > right?. Hope someone can help me by shedding light on these issues
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    Hi,

    If you are really concerned about this, prohibit the mapping of local
    drivers over terminal services. This will prevent them from mapping their
    local drives to your server (but it may limit their work). This way all they
    can do is transfer files on the network where the terminal server is.

    Terminal session itself is encrypted (I think Windows 2000 use 56 bit
    encryption while Windows 2003 use 128 bit -- also depends on the client that
    they use...). Assign your customer strong - hard to guess password.
    Personally I limit access to terminal servers only to customers IP addresses
    not the whole internet (I don't want every "kid" on the internet trying out
    the passwords on logon screen)... Another option would be to first connect
    to VPN server and only then the vendor is allowed to connect to the TS (and
    only TS over TCP 3389).

    Note, if you have TS located on LAN with other clients there is nothing
    limiting your vendor to connect to other computers on LAN from this TS
    server...

    Mike

    "Bjarni" <Bjarni@discussions.microsoft.com> wrote in message
    news:9BCDE136-8F99-4CD4-B6C2-C9EAE7C93E1B@microsoft.com...
    > I have a vendor that wants to have access to an application on my server,
    I
    > was thinking about using TS, but I have concerns over viruses coming from
    the
    > vendors network. This is a financial database that the vendor would be
    > connecting to and he would not have access to any other areas of the
    server.
    > Is my concern about viruses valid, or do I have nothing to worry about? I
    am
    > also worried about overall security on the vendor site, if I give him
    access
    > to my server and he has security breach then my security is breached
    also..
    > right?. Hope someone can help me by shedding light on these issues
Ask a new question

Read More

Security Virus Servers Windows