Network Security Firewalls

RE: authenticating admins in DMZ

Subject: RE: authenticating admins in DMZ
Date: Tue, 22 Feb 2005 11:36:31 -0600

Sven,

I assume that you have TS configured for "Remote Admin" as opposed to
Application mode which would require a licensing server.

The only requirement for logging onto a TS session configured for remote
admin is that the account logging into TS be a member of the local admin
group. Not necessarily the "admin" account.

So, I would just create a group for the admins you need, and create
local accounts on the servers they need to admin. Add the other local
group with the accounts in it, to the local admin group on the servers.

This solves your issue.

Brad Davenport, Director
Network Services
eGistics Inc.
www.egisticsinc.com
bdavenport@egisticsinc.com
972-851-3131
214-995-5629
 
-----Original Message-----
From: sven.de.jonghe@kindengezin.be
[mailto:sven.de.jonghe@kindengezin.be] 
Sent: Tuesday, February 22, 2005 6:48 AM
To: firewalls@securityfocus.com
Subject: authenticating admins in DMZ



Hi,

We have a bunch of admins that need to administer servers in the DMZ
using Terminal Services. Up till now, they are all logging in using the
same administrator account on the server. I would prefer having them log
in using their domain account but obviously, the DMZ servers are not
domain members.
What would be the most secure way to set up authentication in the DMZ?
Should I create a new domain in the DMZ and make all servers members of
this new domain and provide a one way trust to our LAN Domain?
Would it be good to have both DCs communicate via IPSEC?
I don't want any replication of LAN accounts to the DMZ.
I also don't need authentication between servers in the DMZ or web users
logging in to a website.
I just need admins logging on remotely via TS to be authenticated by our
LAN DC.

Is all this a good idea? What are the possible threats involved?

thanx
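
Added example, not part of either message above: one way to replace the shared administrator logon with named local accounts on a standalone (non-domain) DMZ server, using the LocalAccounts cmdlets in Windows PowerShell 5.1. The account names are constructed placeholders, and each account is added directly to the built-in Administrators group because a local group on a standalone Windows server cannot contain another local group.

```powershell
#Requires -RunAsAdministrator
# Added example: named per-admin local accounts on a non-domain DMZ server.
# Account names below are constructed placeholders; use one account per real admin.
$AdminAccounts = @(
    @{ Name = 'adm-alice'; FullName = 'Alice Example (DMZ admin)' },
    @{ Name = 'adm-bob';   FullName = 'Bob Example (DMZ admin)' }
)

# Well-known SID of BUILTIN\Administrators; the group's display name varies by locale.
$AdminsSid = 'S-1-5-32-544'

foreach ($acct in $AdminAccounts) {
    # Create the account only if it does not exist yet, so the script can be re-run.
    if (-not (Get-LocalUser -Name $acct.Name -ErrorAction SilentlyContinue)) {
        # Prompt per account so no password ends up in the script or in shell history.
        $pw = Read-Host -AsSecureString -Prompt "Initial password for $($acct.Name)"
        New-LocalUser -Name $acct.Name -FullName $acct.FullName -Password $pw `
            -Description 'Named TS remote-admin account' | Out-Null
    }

    # Membership in the local Administrators group is what Remote Admin mode checks.
    $isMember = Get-LocalGroupMember -SID $AdminsSid -Member $acct.Name `
        -ErrorAction SilentlyContinue
    if (-not $isMember) {
        Add-LocalGroupMember -SID $AdminsSid -Member $acct.Name
    }
}

# Review step: list every member so unexpected or leftover admin accounts stand out.
Get-LocalGroupMember -SID $AdminsSid |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

With one account per administrator, each Terminal Services logon in the server's Security event log is attributable to a person rather than to the shared account.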

