Announcement

Collapse
No announcement yet.

Remote Access Benefits???

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • AlxRogan
    replied
    Originally posted by Voltage Spike
    Isn't this the very point of the -console flag? Although I suppose the flag is useless unless you are running Microsoft Windows Server 2003 (before that the console wasn't available as a "feature" of the protocol).
    You're right, I haven't tried that with 2003 so I can't say with it. I've just been burned badly with 2000 Server, and most of the software I've messed with still tell you to install it locally. Ah..the majesty of KVM over IP. :)

    Leave a comment:


  • Voltage Spike
    replied
    Originally posted by AlxRogan
    with VNC you are connecting to the actual console of the running system
    Isn't this the very point of the -console flag? Although I suppose the flag is useless unless you are running Microsoft Windows Server 2003 (before that the console wasn't available as a "feature" of the protocol).

    Leave a comment:


  • AlxRogan
    replied
    Originally posted by Voltage Spike
    While I'm all for using more open tools, what would be the advantage of VNC? Security-wise, capabilities, convenience? It would seem to me that RDP is faster, tunnels sound, and is running over the same SSL connection.
    From a capability perspective, with VNC you are connecting to the actual console of the running system, versus a 'virtual terminal' with Windows Remote Desktop/Terminal Server. Even though you can go into 'Install Mode' with RDP, it doesn't work the same as VNC. Installing software through an RDP session is not recommended unless the software is designed to be installed that way. The whole HKEY_CURRENT_USER registry hive is very sensitive to access method.

    /me goes back to sleep

    Leave a comment:


  • Voltage Spike
    replied
    Originally posted by Deviant Ollam
    use VNC
    While I'm all for using more open tools, what would be the advantage of VNC? Security-wise, capabilities, convenience? It would seem to me that RDP is faster, tunnels sound, and is running over the same SSL connection.

    Leave a comment:


  • skroo
    replied
    Originally posted by Deviant Ollam
    VNC, connect through an SSL tunnel.
    Option 2: UltraVNC. Supports PSK encryption out of the box (well, with a little tweaking here and there).

    Leave a comment:


  • Deviant Ollam
    replied
    Originally posted by FunkyChicken
    i dont actually need access to the data on the server but instead just need to be able to control the server from home, i.e. running certain programs on the server, or even just simply viewing the current print jobs, what other option are there?
    use VNC... and connect to it through an SSL tunnel. WinSSL is pretty idiot-proof. you'll need to use OpenSSL to create a .pem certificate file for the server. if you need help shoot me a PM. you should be able to set it up pretty easily, tho.
    Last edited by Deviant Ollam; March 2, 2006, 18:19.

    Leave a comment:


  • FunkyChicken
    replied
    thanks for all the excellent help guys.

    i dont actually need access to the data on the server but instead just need to be able to control the server from home, i.e. running certain programs on the server, or even just simply viewing the current print jobs, what other option are there?

    cheers guys

    Leave a comment:


  • domi28
    replied
    Originally posted by FunkyChicken
    Hi there guys,

    I have set up remote access at work so that when im at home i can access the work server using mstsc (Remote Desktop Connection). This allows me to make changes to the configuration and to possibly fix any problems that arrise.

    My boss is not computer literate and is worried about the security issues of allowing remote access, how can i convince him that it is a benefit to both myself and the company to use remote access?

    We have a fire wall in place and i have set up very tight rules on it. The only reason for keeping the datasafe on the server is to satisfy the rules of the Data Protection Act.

    Cheers in advance Guys
    Based on previous experience, trying to convince your boss using technical arguments may not be the easiest way forward. It may be worth trying to agree a set of guidelines or a new policy that defines your remote access procedures.

    Things to consider include the security of your own PC, how secure your access method is, and what you can do once you have gained access. The hardest bit is the access method and you have already received some excellent advice on the forum. It is always worthwhile defining the security measures you take on the remote PC; FW / AV / IDS etc etc.

    I notice you mention the Data Protection Act; Your boss may have a different view of the value of the data on the server. Do you actually need to have access to the data, or just the server itself?

    Leave a comment:


  • skroo
    replied
    Originally posted by Voltage Spike
    If a VPN is available, the Terminal Service need not be visible to the outside world. All traffic on the public network will be strongly encrypted, but, depending on configuration, you might be placing your home computer inside the firewall.
    What Voltage Spike said.

    As for the presence of Terminal Services itself, has the lack of such a service prevented remote attacks against Microsoft Windows in the past?
    To be honest, I'm not aware of (nor have I ever had) an issue resulting from Terminal Services being Internet-facing, apart from the usual abuse-of-credentials problem you'd have with any remote access service in that context. Personally, though, I wouldn't do it - running it only on an interface behind the VPN is a good idea. Of course, if this box is also exposing IIS (or other routinely-molested Windows services) to teh intarweb, it should be fully DMZ'd to begin with.

    Also, even if you're doing that, your Group Policy should limit who does and does not have access to it internally. Your domain admins are probably the only ones who need to be able to access Terminal Services on servers (helpdesk may need RDP for troubleshooting XP boxes); it might not be a bad idea to pull everyone else out of the 'Allow Terminal Services' object.

    Leave a comment:


  • Voltage Spike
    replied
    If a VPN is available, the Terminal Service need not be visible to the outside world. All traffic on the public network will be strongly encrypted, but, depending on configuration, you might be placing your home computer inside the firewall.

    You could use TLS (the same technology we use for securing web sites). The system might still be a target, but information leakage would be less of a concern.

    Does the server already offer a service that allows tunneling (I'm thinking SSH here)?

    As simple as it sounds, changing the port number is likely to deflect 80% of the attention the server might otherwise have drawn.

    As for the presence of Terminal Services itself, has the lack of such a service prevented remote attacks against Microsoft Windows in the past?

    Leave a comment:


  • xwred1
    replied
    I think you should be careful that your home machine doesn't carry trojans or send spyware or worms into the corporate network. Thats the next biggest concern I think, besides the obvious job of locking down the RDP server.

    Leave a comment:


  • TheCotMan
    replied
    There are other problems that arise when people telecommute:
    Who is responsible for ensuring workstations are "ergonomically configured" so to mitigate risk to kinds of work injuries?

    When working from home, who is responsible for injuries sustained while "on the job" ? If injured, will workman's comp apply?

    Other than the above, other security problems apply too, and many are comparable to taking a company laptop out on the road and then bringing it back behind the "protection" of the firewall/filters incuding mail-based malware scanners.

    If you have a lot of physical security at work, that is designed to protect data or resources (like a bank, or the military, or a business with trade secrets, or other similar cases) then, does knowledge that your home computer can bypass the firewall for remote access make your home "the weakest link" for some skilled computer criminal? (Key logger -> access to your network without having to break your work's phyical security.)

    Leave a comment:


  • SlackJaw
    replied
    Originally posted by FunkyChicken
    Hi there guys,

    I have set up remote access at work so that when im at home i can access the work server using mstsc (Remote Desktop Connection). This allows me to make changes to the configuration and to possibly fix any problems that arrise.

    My boss is not computer literate and is worried about the security issues of allowing remote access, how can i convince him that it is a benefit to both myself and the company to use remote access?

    We have a fire wall in place and i have set up very tight rules on it. The only reason for keeping the datasafe on the server is to satisfy the rules of the Data Protection Act.

    Cheers in advance Guys
    You can configure the properties of the terminal server’s RDP-TCP connection to provide better protection. There are 4 areas to do this:

    Restrict the number of client sessions that can remain active on the server (making it easier to keep track of who is connected)

    Set session time limits (helping to ensure that sessions are not left unattended and active for long periods)

    Configure encryption levels You're using Remote Desktop Protocol with RC4 encryption

    Set permissions for users and groups on the terminal server

    Leave a comment:


  • FunkyChicken
    started a topic Remote Access Benefits???

    Remote Access Benefits???

    Hi there guys,

    I have set up remote access at work so that when im at home i can access the work server using mstsc (Remote Desktop Connection). This allows me to make changes to the configuration and to possibly fix any problems that arrise.

    My boss is not computer literate and is worried about the security issues of allowing remote access, how can i convince him that it is a benefit to both myself and the company to use remote access?

    We have a fire wall in place and i have set up very tight rules on it. The only reason for keeping the datasafe on the server is to satisfy the rules of the Data Protection Act.

    Cheers in advance Guys
Working...
X