If you leave it open to the world, yes... But if you limit the remote IP to a couple of boxes (along with proper TS security configurations) then it is OK. I would also recommend L2TP, not PPTP, as the creds over PPTP are breakable.

In general, I absolutely agree. But, the poster asked how to do it, so that is the question I answered....

At 11:33 AM 11/6/2001 -0600, you wrote:
>http://www.ISAserver.org
>
>Using Terminal Services to connect to a box on the Internet without first
>creating a PPTP VPN tunnel to the box is highly unrecommended, BTW. Hope
>this box is on your internal LAN, and not open to the world. Considering the
>nature of ISA, I would venture to guess it is on the Internet. You probably
>want to bind terminal services to your internal adapter ONLY, if you have
>not already done so.
>
>-----Original Message-----
>From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
>Sent: Tuesday, November 06, 2001 11:26 AM
>To: [ISAserver.org Discussion List]
>Subject: [isalist] RE: Terminal services
>
>Heh... I actually performed a development edit for SANS for those documents
>before the NSA released them :)
>
>Thanks!
>
>At 11:23 AM 11/6/2001 -0600, you wrote:
> >Please reference the link below for the NSA's guide on securing Windows
> >2000. Highly recommended.
> >
> >http://nsa2.www.conxion.com/win2k/download.htm
> >
> >-----Original Message-----
> >From: Thor@xxxxxxxxxxxxxxx [mailto:Thor@xxxxxxxxxxxxxxx]
> >Sent: Tuesday, November 06, 2001 11:14 AM
> >To: [ISAserver.org Discussion List]
> >Subject: [isalist] RE: Terminal services
> >
> >Yep- just set up a filter that allows 3389 in, but only from a particular
> >remote address or addresses.
> >
> >Also, to be on the safe side, ensure the admin account is renamed (for
> >brute force attacks) and put a Legal Notice/Logon Banner on the box.
> >
> >hth
> >
> >AD
> >
> >At 11:11 AM 11/6/2001 -0600, you wrote:
> > >You may be able, I am not entirely sure, to limit the connections to the
> > >port the Terminal Services uses to a specific IP range. I am no guru at
> > >ISA, but this may be possible.
> > >
> > >Mike
> > >
> > >-----Original Message-----
> > >From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx]
> > >Sent: Tuesday, November 06, 2001 11:09 AM
> > >To: [ISAserver.org Discussion List]
> > >Subject: [isalist] RE: Terminal services
> > >
> > >Thanks
> > >Steve
> > >
> > >-----Original Message-----
> > >From: Mike Carlson [mailto:domitianx@xxxxxxxxxxxxx]
> > >Sent: 06 November 2001 17:06
> > >To: [ISAserver.org Discussion List]
> > >Subject: [isalist] RE: Terminal services
> > >
> > >Yes it is operating as designed. Think of it as basically someone
> > >walking up to the actual box. You cannot limit the display of the login
> > >screen by the person standing in front of the computer. The machine does
> > >not know who it is until they enter their information.
> > >
> > >Mike
> > >
> > >-----Original Message-----
> > >From: Steve Moffat [mailto:steve@xxxxxxxxxxxxxxx]
> > >Sent: Tuesday, November 06, 2001 10:57 AM
> > >To: [ISAserver.org Discussion List]
> > >Subject: [isalist] Terminal services
> > >
> > >Hi all
> > >
> > >I have just enabled terminal services for admin access. It works fine
> > >apart from the small issue of letting anyone and their dog connect.
> > >Obviously they can't log in unless they know the password, but is this the
> > >way it is supposed to work? I have created a rule to only let me and
> > >administrators connect, to no avail.
> > >
> > >Help
> > >Steve
> > >
> > >Steve Moffat
> > >Senior Engineer
> > >Optimum Computer Solutions
> > >
> > >Tel : +44(0)141 570 1283
> > >Fax : +44(0)141 584 9479
> > >Mobile : 07711 074 605
> > >
> > >http://optimum.mine.nu
> > >steve@xxxxxxxxxxxxxxx
> > >
> > >Disclaimer:
> > >Optimum Computer Solutions is not responsible for any recommendation,
> > >solicitation, offer or agreement or any information about any
> > >transaction, customer account or account activity contained in this
> > >communication.
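
An added example, not part of the original thread: a check of the advice above (allow 3389 in only from particular remote addresses) run over an exported list of inbound allow rules. The rule format, rule names and addresses are constructed for illustration and are not ISA Server's own export format.

```python
import ipaddress

RDP_PORT = 3389  # Terminal Services port named in the thread

# Constructed sample rules in a hypothetical export format (assumption).
SAMPLE_RULES = [
    {"name": "ts-admin-home", "proto": "tcp", "ports": "3389", "remote": "203.0.113.10/32"},
    {"name": "ts-admin-office", "proto": "tcp", "ports": "3389", "remote": "198.51.100.0/29"},
    {"name": "legacy-mgmt", "proto": "tcp", "ports": "3000-4000", "remote": "0.0.0.0/0"},
    {"name": "web", "proto": "tcp", "ports": "80,443", "remote": "0.0.0.0/0"},
    {"name": "vendor", "proto": "any", "ports": "any", "remote": "192.0.2.0/24"},
]

# Constructed allow-list: the "couple of boxes" permitted to reach 3389.
ALLOWED_ADMIN_NETS = ["203.0.113.10/32", "198.51.100.0/28"]


def covers_port(spec, port):
    """True if a port spec ('3389', '80,443', '3000-4000', 'any') includes port."""
    if spec == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def exposed_rdp_rules(rules, allowed_nets, port=RDP_PORT):
    """Names of allow rules that admit TCP `port` from outside allowed_nets."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for rule in rules:
        # Skip rules that cannot carry TCP 3389 (wrong protocol or port set).
        if rule["proto"] not in ("tcp", "any") or not covers_port(rule["ports"], port):
            continue
        remote = ipaddress.ip_network(rule["remote"])
        # A rule is acceptable only if its whole source range sits inside
        # one of the approved admin networks.
        if not any(remote.subnet_of(net) for net in allowed):
            findings.append(rule["name"])
    return findings


if __name__ == "__main__":
    for name in exposed_rdp_rules(SAMPLE_RULES, ALLOWED_ADMIN_NETS):
        print("3389 reachable from outside the admin allow-list via rule:", name)
```

The port-range and protocol-any rules are the cases a search for the literal string "3389" would miss.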