You can create a secure TS environment. TS under VPN is overkill, since TS encrypts the data anyway.
Use Terminal Services Configuration in Admin Tools and set it to use high encryption and limit logons to specific users.

Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG

----- Original Message -----
From: "Edward Sullivan" <esullivan@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, November 06, 2001 09:33
Subject: [isalist] RE: Terminal services

http://www.ISAserver.org

Using Terminal Services to connect to a box on the Internet without first creating a PPTP VPN tunnel to the box is highly unrecommended, BTW. Hope this box is on your internal LAN, and not open to the world. Considering the nature of ISA, I would venture to guess it is on the Internet. You probably want to bind terminal services to your internal adapter ONLY, if you have not already done so.

-----Original Message-----
From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
Sent: Tuesday, November 06, 2001 11:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Terminal services

Heh... I actually performed a development edit for SANS for those documents before the NSA released them :)

Thanks!

At 11:23 AM 11/6/2001 -0600, you wrote:
>Please reference the link below for the NSA's guide on securing Windows
>2000. Highly recommended.
>
>http://nsa2.www.conxion.com/win2k/download.htm
>
>-----Original Message-----
>From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
>Sent: Tuesday, November 06, 2001 11:14 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: Terminal services
>
>Yep- just set up a filter that allows 3389 in, but only from a particular
>remote address or addresses.
>
>Also, to be on the safe side, ensure the admin account is renamed (for
>brute force attacks) and put a Legal Notice/Logon Banner on the box.
>
>hth
>
>AD
>
>At 11:11 AM 11/6/2001 -0600, you wrote:
> >You may be able, I am not entirely sure, to limit the connections to the
> >port the Terminal Services uses to a specific IP range. I am no guru at
> >ISA, but this may be possible.
> >
> >Mike
> >
> >-----Original Message-----
> >From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx]
> >Sent: Tuesday, November 06, 2001 11:09 AM
> >To: [ISAserver.org Discussion List]
> >Subject: [isalist] RE: Terminal services
> >
> >Thanks
> >Steve
> >
> >-----Original Message-----
> >From: Mike Carlson [mailto:domitianx@xxxxxxxxxxxxx]
> >Sent: 06 November 2001 17:06
> >To: [ISAserver.org Discussion List]
> >Subject: [isalist] RE: Terminal services
> >
> >Yes it is operating as designed. Think of it as basically someone
> >walking up to the actual box. You cannot limit the display of the login
> >screen by the person standing in front of the computer. The machine does
> >not know who it is until they enter their information.
> >
> >Mike
> >
> >-----Original Message-----
> >From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx]
> >Sent: Tuesday, November 06, 2001 10:57 AM
> >To: [ISAserver.org Discussion List]
> >Subject: [isalist] Terminal services
> >
> >Hi all
> >
> >I have just enabled terminal services for admin access. It works fine
> >apart from the small issue of letting anyone and their dog connect.
> >Obviously they can't log in unless they know the password, but is this the
> >way it is supposed to work? I have created a rule to only let me and
> >administrators connect, to no avail.
> >
> >Help
> >Steve
> >
> >Steve Moffat
> >Senior Engineer
> >Optimum Computer Solutions
> >
> >Tel : +44(0)141 570 1283
> >Fax : +44(0)141 584 9479
> >Mobile : 07711 074 605
> >
> >http://optimum.mine.nu
> >steve@xxxxxxxxxxxxxxx
> >
> >Disclaimer:
> >Optimum Computer Solutions is not responsible for any recommendation,
> >solicitation, offer or agreement or any information about any
> >transaction, customer account or account activity contained in this
> >communication.

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
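
Added example, not part of the thread: an offline check of a registry export against three settings the replies recommend (high encryption, listener bound to one adapter, logon banner). The key and value names are the standard Terminal Services and Winlogon ones; the export text is constructed, and the source-address filter on 3389 lives in the firewall, so it is outside this check.

```python
import re

RDP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export (.reg text); not taken from any real host.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"MinEncryptionLevel"=dword:00000002
"LanAdapter"=dword:00000000
"PortNumber"=dword:00000d3d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"=""
"LegalNoticeText"=""
'''

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        # Only REG_DWORD and REG_SZ values are needed for these checks.
        m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(3), 16) if m.group(3) else m.group(4)
    return keys

def audit(text):
    """Return findings where the export departs from the thread's advice."""
    keys = parse_reg(text)
    rdp, logon = keys.get(RDP_KEY, {}), keys.get(WINLOGON_KEY, {})
    findings = []
    if rdp.get("MinEncryptionLevel", 0) < 3:   # 1 = Low, 2 = Medium, 3 = High
        findings.append("encryption level below High")
    if rdp.get("LanAdapter", 0) == 0:          # 0 = listen on all adapters
        findings.append("listener bound to all adapters")
    if not logon.get("LegalNoticeText", "").strip():
        findings.append("no logon banner text")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print("FINDING:", finding)
```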