Remote Access Benefits???


  • AlxRogan
    replied
    Originally posted by Voltage Spike
    Isn't this the very point of the -console flag? Although I suppose the flag is useless unless you are running Microsoft Windows Server 2003 (before that the console wasn't available as a "feature" of the protocol).
    You're right, I haven't tried that with 2003 so I can't say with it. I've just been burned badly with 2000 Server, and most of the software I've messed with still tells you to install it locally. Ah..the majesty of KVM over IP. :)



  • Voltage Spike
    replied
    Originally posted by AlxRogan
    with VNC you are connecting to the actual console of the running system
    Isn't this the very point of the -console flag? Although I suppose the flag is useless unless you are running Microsoft Windows Server 2003 (before that the console wasn't available as a "feature" of the protocol).



  • AlxRogan
    replied
    Originally posted by Voltage Spike
    While I'm all for using more open tools, what would be the advantage of VNC? Security-wise, capabilities, convenience? It would seem to me that RDP is faster, tunnels sound, and is running over the same SSL connection.
    From a capability perspective, with VNC you are connecting to the actual console of the running system, versus a 'virtual terminal' with Windows Remote Desktop/Terminal Server. Even though you can go into 'Install Mode' with RDP, it doesn't work the same as VNC. Installing software through an RDP session is not recommended unless the software is designed to be installed that way. The whole HKEY_CURRENT_USER registry hive is very sensitive to access method.

    /me goes back to sleep



  • Voltage Spike
    replied
    Originally posted by Deviant Ollam
    use VNC
    While I'm all for using more open tools, what would be the advantage of VNC? Security-wise, capabilities, convenience? It would seem to me that RDP is faster, tunnels sound, and is running over the same SSL connection.



  • skroo
    replied
    Originally posted by Deviant Ollam
    VNC, connect through an SSL tunnel.
    Option 2: UltraVNC. Supports PSK encryption out of the box (well, with a little tweaking here and there).



  • Deviant Ollam
    replied
    Originally posted by FunkyChicken
    I don't actually need access to the data on the server but instead just need to be able to control the server from home, i.e. running certain programs on the server, or even just simply viewing the current print jobs, what other options are there?
    use VNC... and connect to it through an SSL tunnel. WinSSL is pretty idiot-proof. you'll need to use OpenSSL to create a .pem certificate file for the server. if you need help shoot me a PM. you should be able to set it up pretty easily, tho.
    Last edited by Deviant Ollam; March 2, 2006, 17:19.



  • FunkyChicken
    replied
    thanks for all the excellent help guys.

    I don't actually need access to the data on the server but instead just need to be able to control the server from home, i.e. running certain programs on the server, or even just simply viewing the current print jobs, what other options are there?

    cheers guys



  • domi28
    replied
    Originally posted by FunkyChicken
    Hi there guys,

    I have set up remote access at work so that when I'm at home I can access the work server using mstsc (Remote Desktop Connection). This allows me to make changes to the configuration and to possibly fix any problems that arise.

    My boss is not computer literate and is worried about the security issues of allowing remote access, how can I convince him that it is a benefit to both myself and the company to use remote access?

    We have a firewall in place and I have set up very tight rules on it. The only reason for keeping the datasafe on the server is to satisfy the rules of the Data Protection Act.

    Cheers in advance Guys
    Based on previous experience, trying to convince your boss using technical arguments may not be the easiest way forward. It may be worth trying to agree a set of guidelines or a new policy that defines your remote access procedures.

    Things to consider include the security of your own PC, how secure your access method is, and what you can do once you have gained access. The hardest bit is the access method and you have already received some excellent advice on the forum. It is always worthwhile defining the security measures you take on the remote PC; FW / AV / IDS etc etc.

    I notice you mention the Data Protection Act; your boss may have a different view of the value of the data on the server. Do you actually need to have access to the data, or just the server itself?



  • skroo
    replied
    Originally posted by Voltage Spike
    If a VPN is available, the Terminal Service need not be visible to the outside world. All traffic on the public network will be strongly encrypted, but, depending on configuration, you might be placing your home computer inside the firewall.
    What Voltage Spike said.

    As for the presence of Terminal Services itself, has the lack of such a service prevented remote attacks against Microsoft Windows in the past?
    To be honest, I'm not aware of (nor have I ever had) an issue resulting from Terminal Services being Internet-facing, apart from the usual abuse-of-credentials problem you'd have with any remote access service in that context. Personally, though, I wouldn't do it - running it only on an interface behind the VPN is a good idea. Of course, if this box is also exposing IIS (or other routinely-molested Windows services) to teh intarweb, it should be fully DMZ'd to begin with.

    Also, even if you're doing that, your Group Policy should limit who does and does not have access to it internally. Your domain admins are probably the only ones who need to be able to access Terminal Services on servers (helpdesk may need RDP for troubleshooting XP boxes); it might not be a bad idea to pull everyone else out of the 'Allow Terminal Services' object.



  • Voltage Spike
    replied
    If a VPN is available, the Terminal Service need not be visible to the outside world. All traffic on the public network will be strongly encrypted, but, depending on configuration, you might be placing your home computer inside the firewall.

    You could use TLS (the same technology we use for securing web sites). The system might still be a target, but information leakage would be less of a concern.

    Does the server already offer a service that allows tunneling (I'm thinking SSH here)?

    As simple as it sounds, changing the port number is likely to deflect 80% of the attention the server might otherwise have drawn.

    As for the presence of Terminal Services itself, has the lack of such a service prevented remote attacks against Microsoft Windows in the past?



  • xwred1
    replied
    I think you should be careful that your home machine doesn't carry trojans or send spyware or worms into the corporate network. That's the next biggest concern I think, besides the obvious job of locking down the RDP server.



  • TheCotMan
    replied
    There are other problems that arise when people telecommute:
    Who is responsible for ensuring workstations are "ergonomically configured" so to mitigate risk to kinds of work injuries?

    When working from home, who is responsible for injuries sustained while "on the job" ? If injured, will workman's comp apply?

    Other than the above, other security problems apply too, and many are comparable to taking a company laptop out on the road and then bringing it back behind the "protection" of the firewall/filters including mail-based malware scanners.

    If you have a lot of physical security at work, that is designed to protect data or resources (like a bank, or the military, or a business with trade secrets, or other similar cases) then, does knowledge that your home computer can bypass the firewall for remote access make your home "the weakest link" for some skilled computer criminal? (Key logger -> access to your network without having to break your work's physical security.)



  • SlackJaw
    replied
    Originally posted by FunkyChicken
    Hi there guys,

    I have set up remote access at work so that when I'm at home I can access the work server using mstsc (Remote Desktop Connection). This allows me to make changes to the configuration and to possibly fix any problems that arise.

    My boss is not computer literate and is worried about the security issues of allowing remote access, how can I convince him that it is a benefit to both myself and the company to use remote access?

    We have a firewall in place and I have set up very tight rules on it. The only reason for keeping the datasafe on the server is to satisfy the rules of the Data Protection Act.

    Cheers in advance Guys
    You can configure the properties of the terminal server’s RDP-TCP connection to provide better protection. There are 4 areas to do this:

    Restrict the number of client sessions that can remain active on the server (making it easier to keep track of who is connected)

    Set session time limits (helping to ensure that sessions are not left unattended and active for long periods)

    Configure encryption levels (you're using Remote Desktop Protocol with RC4 encryption)

    Set permissions for users and groups on the terminal server

    Leave a comment:
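An added example, not part of SlackJaw's post: a PowerShell check of the first three areas listed above (session count, time limits, encryption level) against the RDP-Tcp listener's registry values. The function name `Test-RdpTcpSettings` and the thresholds (2 sessions, 30 minutes idle) are assumptions chosen for illustration, and the sample values are constructed.

```powershell
# Added example: audit the RDP-Tcp listener settings named in the post above.
# Thresholds ($MaxSessions, $MaxIdleMinutes) are assumptions, not values from the thread.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpTcpSettings {
    param(
        [Parameter(Mandatory)] [hashtable] $Settings,
        [int] $MaxSessions = 2,
        [int] $MaxIdleMinutes = 30
    )
    $findings = @()

    # 1. Session count: 0xFFFFFFFF (4294967295, or -1 when read as a signed DWORD) means unlimited.
    $count = [int64]$Settings.MaxInstanceCount
    if ($count -lt 0 -or $count -eq 4294967295 -or $count -gt $MaxSessions) {
        $findings += "MaxInstanceCount=$count : more than $MaxSessions concurrent sessions allowed"
    }

    # 2. Time limits are stored in milliseconds; 0 means no limit.
    foreach ($name in 'MaxIdleTime', 'MaxDisconnectionTime') {
        $ms = [int64]$Settings[$name]
        if ($ms -eq 0) {
            $findings += "$name=0 : no limit set"
        }
        elseif ($name -eq 'MaxIdleTime' -and $ms -gt $MaxIdleMinutes * 60000) {
            $findings += "$name=$ms ms : idle limit above $MaxIdleMinutes minutes"
        }
    }

    # 3. Encryption level: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant.
    if ([int]$Settings.MinEncryptionLevel -lt 3) {
        $findings += "MinEncryptionLevel=$($Settings.MinEncryptionLevel) : below High"
    }
    return $findings
}

# Constructed sample values (not taken from any real server); yields three findings.
$sample = @{ MaxInstanceCount = 4294967295; MaxIdleTime = 0
             MaxDisconnectionTime = 600000; MinEncryptionLevel = 2 }
Test-RdpTcpSettings -Settings $sample

# On a real terminal server, read the live listener values instead:
# $live = @{}
# (Get-ItemProperty -Path $RdpTcpKey).PSObject.Properties | ForEach-Object { $live[$_.Name] = $_.Value }
# Test-RdpTcpSettings -Settings $live
```

Where Group Policy configures these settings, the policy values take precedence over the listener values read here. The fourth area, user and group permissions, is not covered by this check.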


  • FunkyChicken
    started a topic Remote Access Benefits???

    Remote Access Benefits???

    Hi there guys,

    I have set up remote access at work so that when I'm at home I can access the work server using mstsc (Remote Desktop Connection). This allows me to make changes to the configuration and to possibly fix any problems that arise.

    My boss is not computer literate and is worried about the security issues of allowing remote access, how can I convince him that it is a benefit to both myself and the company to use remote access?

    We have a firewall in place and I have set up very tight rules on it. The only reason for keeping the datasafe on the server is to satisfy the rules of the Data Protection Act.

    Cheers in advance Guys