RE: Terminal services

  • From: Thor@xxxxxxxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Tue, 06 Nov 2001 09:42:13 -0800

If you leave it open to the world, yes... But if you limit the remote IP to 
a couple of boxes (along with proper TS security configurations) then it is 
OK.  I would also recommend L2TP, not PPTP, as the creds over PPTP are 
breakable.

In general, I absolutely agree.  But, the poster asked how to do it, so 
that is the question I answered....


At 11:33 AM 11/6/2001 -0600, you wrote:
>http://www.ISAserver.org
>
>
>Using Terminal Services to connect to a box on the Internet without first
>creating a PPTP VPN tunnel to the box is highly unrecommended, BTW. Hope
>this box is on your internal LAN, and not open to the world. Considering the
>nature of ISA, I would venture to guess it is on the Internet. You probably
>want to bind terminal services to your internal adapter ONLY, if you have
>not already done so.
>
>-----Original Message-----
>From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
>Sent: Tuesday, November 06, 2001 11:26 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: Terminal services
>
>
>Heh... I actually performed a development edit for SANS for those documents
>before the NSA released them :)
>
>
>Thanks!
>
>At 11:23 AM 11/6/2001 -0600, you wrote:
> >
> >Please reference the link below for the NSA's guide on securing Windows
> >2000. Highly recommended.
> >
> >http://nsa2.www.conxion.com/win2k/download.htm
> >
> >-----Original Message-----
> >From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
> >Sent: Tuesday, November 06, 2001 11:14 AM
> >To: [ISAserver.org Discussion List]
> >Subject: [isalist] RE: Terminal services
> >
> >Yep- just set up a filter that allows 3389 in, but only from a particular
> >remote address or addresses.
> >
> >Also, to be on the safe side, ensure the admin account is renamed (for
> >brute force attacks) and put a Legal Notice/Logon Banner on the box.
> >
> >hth
> >
> >AD
> >
> >
> >At 11:11 AM 11/6/2001 -0600, you wrote:
> > >
> > >You may be able, I am not entirely sure, to limit the connections to the
> > >port that Terminal Services uses to a specific IP range. I am no guru at
> > >ISA, but this may be possible.
> > >
> > >Mike
> > >
> > >-----Original Message-----
> > >From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx]
> > >Sent: Tuesday, November 06, 2001 11:09 AM
> > >To: [ISAserver.org Discussion List]
> > >Subject: [isalist] RE: Terminal services
> > >
> > >Thanks
> > >Steve
> > >
> > >-----Original Message-----
> > >From: Mike Carlson [mailto:domitianx@xxxxxxxxxxxxx]
> > >Sent: 06 November 2001 17:06
> > >To: [ISAserver.org Discussion List]
> > >Subject: [isalist] RE: Terminal services
> > >
> > >Yes it is operating as designed. Think of it as basically someone
> > >walking up to the actual box. You cannot limit the display of the login
> > >screen by the person standing in front of the computer. The machine does
> > >not know who it is until they enter their information.
> > >
> > >Mike
> > >
> > >-----Original Message-----
> > >From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx]
> > >Sent: Tuesday, November 06, 2001 10:57 AM
> > >To: [ISAserver.org Discussion List]
> > >Subject: [isalist] Terminal services
> > >
> > >Hi all
> > >
> > >I have just enabled terminal services for admin access. It works fine
> > >apart from the small issue of letting anyone and their dog connect.
> > >Obviously they can't log in unless they know the password, but is this the
> > >way it is supposed to work? I have created a rule to only let me and
> > >administrators connect, to no avail.
> > >
> > >Help
> > >Steve
> > >Steve Moffat
> > >Senior Engineer
> > >Optimum Computer Solutions
> > >
> > >Tel : +44(0)141 570 1283
> > >Fax :+44(0)141 584 9479
> > >Mobile : 07711 074 605
> > >
> > >http://optimum.mine.nu
> > >steve@xxxxxxxxxxxxxxx
> > >
> > >Disclaimer:
> > >Optimum Computer Solutions is not responsible for any recommendation,
> > >solicitation, offer or agreement or any information about any
> > >transaction, customer account or account activity contained in this
> > >communication.
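Added example, not part of the original thread and not ISA Server's own rule format: a small audit that checks the advice given above, that TCP 3389 is allowed in only from particular remote addresses. The rule fields, rule names, allowlist and addresses are constructed for illustration.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample data: admin workstations permitted to reach Terminal Services.
ALLOWED_ADMIN_SOURCES = ["203.0.113.10/32", "203.0.113.11/32"]

# Constructed inbound allow rules (hypothetical format, not ISA Server's own).
SAMPLE_RULES = [
    {"name": "ts-admin-1", "proto": "tcp", "ports": (3389, 3389), "source": "203.0.113.10"},
    {"name": "ts-legacy", "proto": "tcp", "ports": (3000, 4000), "source": "any"},
    {"name": "ts-branch", "proto": "tcp", "ports": (3389, 3389), "source": "198.51.100.0/24"},
    {"name": "web", "proto": "tcp", "ports": (80, 80), "source": "any"},
    {"name": "dns", "proto": "udp", "ports": (53, 53), "source": "any"},
]


def _network(source):
    """Turn 'any', a single address or a CIDR block into an ip_network."""
    if source == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(source, strict=False)


def audit_rdp_exposure(rules, allowed_sources, port=RDP_PORT):
    """Return (rule name, reason) for each rule that exposes `port` too widely."""
    allowed = [_network(s) for s in allowed_sources]
    findings = []
    for rule in rules:
        low, high = rule["ports"]
        if rule["proto"] != "tcp" or not (low <= port <= high):
            continue  # rule does not admit TCP traffic to the TS port
        src = _network(rule["source"])
        if src.prefixlen == 0:
            findings.append((rule["name"], "open to any remote address"))
        elif not any(src.subnet_of(net) for net in allowed):
            findings.append((rule["name"], f"source {src} is outside the admin allowlist"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rdp_exposure(SAMPLE_RULES, ALLOWED_ADMIN_SOURCES):
        print(f"{name}: {reason}")
```

The port-range rule `ts-legacy` is the case worth noticing: it never names 3389, yet it admits it from anywhere.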

