| Subject: | RE: Secure Remote access - windows 2003 |
|---|---|
| Date: | Fri, 5 Jan 2007 04:47:45 +0530 |
I don't find implementing IPSEC troublesome. It can be easily configured from GP and CA...

Encryption for user-credentials/data access can be easily achieved with this feature Microsoft has provided (Don't need to take any extra licenses)

If you are not happy with passwords, increasing the windows minimum password length might help and then in that case you can insist on users to use pass phrases...

Not really sure if you want users to RDP into your windows servers.. 'cos for accessing/sharing files, RDP would not be ideal as you might end up giving access to other parts of the server (like OS, services etc) which is not the requirement here.

Thought this might help as you don't need to invest anything extra...

Kind regards
Tima

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Jim Harrison
Sent: Tuesday, January 02, 2007 8:16 PM
To: focus-ms@securityfocus.com
Subject: RE: Secure Remote access - windows 2003

------------------------------------
Authentication should be strong. Something more than a password. [ No budget for RSA securiD :-))) ]

- W2K3 SP1 RDP can be configured for certificate authentication, adding server, not just client, authentication to the mix. This goes a looong way toward removing the RDP MITM threat that so many have feared.

Encryption for user-credentials/data access

- Same answer here; with certificate auth, you also get SSL encryption of the whole session, from logon to logoff.

Options considered
----------------------------------
I read W2K3 L2TP/IPSEC - looks complex.
Terminal services - File copy is not simple and also you require Application Mode license.

- L2TP, IPSec and RDP v6 (required for cert auth) would all require changes at the client machine. All provide the additional security (and inconvenience) of limiting access to hosts configured for each protocol. IPSec and L2TP (or PPTP, for that matter) are harder to spread across clients because they all require specific configuration knowledge. RDP needs only the v6 client (KB 925876).

- TS App Mode is required for more than 2 concurrent users. File copy across the RDP channel is not related to TS App Mode.

The number of remote users - less than 100

- More than 3 concurrent users (including console) requires TS App Mode.

Cost effective, easy to implement and easy to manage solution sought

- the only management difficulty presented by App Mode is licensing and user education. Otherwise, it's "just an RDP connection" that inherits all the rights & privileges of that user account. Contrary to urban myth, adding users to the Admins group is *not* required for TS access to a machine.

Jim

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of dubaisans dubai
Sent: Monday, January 01, 2007 8:17 PM
To: focus-ms@securityfocus.com
Subject: Secure Remote access - windows 2003

I am planning to provide remote access from Internet to a windows 2003 domain controller. User-ids, NTFS permissions are all configured. The objective is file sharing and access. Files will need to be copied. The machine has valid Internet IP address and is sitting behind a Firewall. I would like to keep solution independent of Firewall. This will be accessed by roaming users.

I am thinking of something like 0penssh for windows or maybe just GUI based Secure-FTP

Challenges I am facing
------------------------------------
Authentication should be strong. Something more than a password. [ No budget for RSA securiD :-))) ]

Encryption for user-credentials/data access

Options considered
----------------------------------
I read W2K3 L2TP/IPSEC - looks complex.
Terminal services - File copy is not simple and also you require Application Mode license.

The number of remote users - less than 100

Cost effective, easy to implement and easy to manage solution sought

All mail to and from this domain is GFI-scanned.