Opening Port 3389

Postby Keith » Sun, 08 Feb 2004 05:12:56 GMT

The firewall at my work is a Cisco PIX 515E with DMZ.

On the DMZ I am going to sit a 2k server with IIS as a web server.  Inside
my LAN I have my normal 2k domain servers and also a 2k server acting as
Terminal Services server.

If I open port 3389 on the PIX in theory my users should be able to fully
use Terminal Services inside my LAN from the Internet.

Does anyone see any security risks with opening port 3389 and only 3389 on
the PIX?

Thanks

Keith



Re: Opening Port 3389

Postby Craig Peterson » Sun, 08 Feb 2004 06:18:30 GMT

Be careful how you open it.

You may want to have another network card on your 2k server configured 
to allow routing to your internal network.  You could then run that 
network connection through a firewall making sure that only authorized 
users were connecting to the correct services bi-directionally.

If you are unable to put another NIC and firewall in place, and you have 
to expose that service on that machine, you should make sure that the 
service is only available to people on your internal network.  You may 
even want to enforce rules only allowing certain machines to connect.

Remember the submarine approach.  If one compartment is compromised, you 
don't want to bring the whole sub down.  Make sure you have multiple 
levels of security,

Craig.




-- 
Visit gap.mainstream.net for a FREE SECURITY GAP ANALYSIS.


Re: Opening Port 3389

Postby Keith » Sun, 08 Feb 2004 06:38:16 GMT

I can put a second NIC in the server very quickly but another firewall would
be a hard stretch - my company is unlikely to spend more money after the
amount I just spent overhauling the infrastructure.

Would a software firewall be suitable?  And if so, where would be the best
point to install it and what rules should I use?

The site this TS server is on has two servers on it - the 2k DC
(192.168.0.1) and a 2k TS Server that is also a backup DC (192.168.0.2).

Just to throw something else in.  Is it possible to tell the PIX to allow
port 3389 traffic onto the LAN but only to 192.168.0.2 (the TS Server)?  I
assume it is but would this help security?  The only thing on the LAN
currently allowed to talk to the Internet through the PIX is the DC
(192.168.0.1).  This would (as far as I can see) allow the DC to continue as
is and also allow the 3389 traffic onto the LAN but only to the TS server
(192.168.0.2).  But I am not an expert by any means and would like some help
and suggestions please.

Thanks









Re: Opening Port 3389

Postby Lars M. Hansen » Sun, 08 Feb 2004 07:19:48 GMT

On Fri, 6 Feb 2004 20:12:56 -0000, "Keith" <@.> spoketh


Way too much irrelevant information. Since your DMZ servers and LAN
domain servers don't play into this, leave them out. If all you want is
terminal server access for your crew on the outside of the firewall, use
VPN. Then only authorized users will have access to your terminal
server...



Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.

Re: Opening Port 3389

Postby Keith » Sun, 08 Feb 2004 07:34:31 GMT

We have VPN already but staff are mostly too incompetent to use it.

A much simpler solution is if they can access Terminal Services over the
internet.  They get a full-screen desktop and it all looks just like it does
when they are in the office - much neater for those who are useless.

TS over the net is a must for my users - I don't see another way around it.








Re: Opening Port 3389

Postby Wolfgang Kueter » Sun, 08 Feb 2004 08:35:46 GMT




Force them to learn.
 

And a much more insecure solution. If you can risk offering RDP service
without any other security mechanism than passwords to everybody, well, live
with the risk and hope that you have no clients/customers who are just a little
more concerned about security than you; they might do business with
someone else in the future.


Educated users.

Wolfgang
-- 
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel

Re: Opening Port 3389

Postby Lars M. Hansen » Sun, 08 Feb 2004 08:52:27 GMT

On Fri, 6 Feb 2004 22:34:31 -0000, "Keith" <@.> spoketh


There's only two ways of doing it: 

1) The secure way: VPN, or
2) The insecure way: port forwarding. 

You might be able to restrict the access somewhat if you know the IP
addresses of those useless people who need to access the TS. However,
since they'll most likely have dynamic IP address, I foresee a
management nightmare. 

Last time I dealt with VPN client software, I simply had to start up the
VPN client software and type in my username and password. Sounds like
something even an MBA should be able to do...


Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
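Keith's question about letting 3389 onto the LAN only towards 192.168.0.2, and Lars's point that port forwarding can at best be narrowed by source address, translate into the PIX 6.x configuration below. This is an added example written for this page, not anything posted in the thread; the outside address 192.0.2.1, the remote source range 203.0.113.0/24 and the access-list name are assumptions, while the inside addresses are the ones Keith gave. It is still Lars's "insecure way": the only thing between the Internet and the Terminal Services logon prompt is the password of whoever can reach the port.

```cisco
! Added example, not from the thread. PIX 6.2/6.3 syntax assumed.
! Assumed addresses: PIX outside interface 192.0.2.1, remote users coming
! from 203.0.113.0/24. Inside addresses are the thread's own
! (DC 192.168.0.1, TS server 192.168.0.2).
!
! Outbound: only the DC may reach the Internet through the PIX, as Keith
! has it today.
nat (inside) 1 192.168.0.1 255.255.255.255
global (outside) 1 interface
!
! Inbound: map only TCP/3389 on the outside interface address to the TS
! server. A one-to-one static would expose every port of 192.168.0.2;
! this port-level static exposes exactly one.
static (inside,outside) tcp interface 3389 192.168.0.2 3389 netmask 255.255.255.255 0 0
!
! Interface ACL: permit 3389 only from the known source range, deny and
! log everything else. Without the source restriction the permit line
! would read "permit tcp any host 192.0.2.1 eq 3389", i.e. RDP open to
! the whole Internet. Dynamic home addresses will not fit this model.
access-list outside_in permit tcp 203.0.113.0 255.255.255.0 host 192.0.2.1 eq 3389
access-list outside_in deny ip any any log
access-group outside_in in interface outside
!
! Verify: "show static" and "show access-list outside_in" (hit counts),
! then from an allowed host: telnet 192.0.2.1 3389 (should connect) and
! from any other host (should time out and appear in the log).
```

The deny-and-log line is what turns the exposed port into something you can watch: every connection attempt from outside the permitted range shows up in the PIX syslog, which is the earliest warning that the forwarded port is being probed.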

Re: Opening Port 3389

Postby Keith » Sun, 08 Feb 2004 09:04:58 GMT

I have two problems with using VPN Client software:

1 - most of my users are complete novices who struggle when in the office -
educating them to use something more complicated than a web browser is
difficult.

2 - some of them will access from machines where it would be near impossible
to install VPN Client software - I cannot access the terminals myself and
the users would not be competent enough to do so.









Re: Opening Port 3389

Postby Wolfgang Kueter » Sun, 08 Feb 2004 20:13:02 GMT




Administrative problems must not gain rule over security.
 

Uneducated users are a severe security risk. Educate them.

Wolfgang
-- 
A foreign body and a foreign mind
never welcome in the land of the blind.
from 'Not one of us', (c) 1980 Peter Gabriel

Re: Opening Port 3389

Postby Jim Nugent » Tue, 10 Feb 2004 11:30:45 GMT







Remember that you can go into Active Directory Users and Computers and
disable TS for all but the accounts that need it. That helps some. Also,
depending just how dumb these people are, you could set up very strong
passwords that they can't change.

I tried this once at a client site so my boss could get access but he forgot
the strong password and got locked out. Extremely Dilbert.
-- 
Jim (for E-mail replace invalid with net)
"Remember, an amateur built the Ark; professionals built the Titanic."




Re: Opening Port 3389

Postby Lars M. Hansen » Tue, 10 Feb 2004 21:12:04 GMT

On Mon, 09 Feb 2004 02:30:45 GMT, Jim Nugent spoketh


If the users are too retarded to learn how to use a VPN client (and
install it with written proven instructions), then there is no chance
that they'll be able to have passwords stronger than "auntjemima" or
"beer".

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.

Re: Opening Port 3389

Postby Keith » Tue, 10 Feb 2004 21:37:01 GMT

Well I made a management decision -{*filter*}'em!

They can have VPN and if they don't like it or can't figure it out, then
that's their problem.

I'm not prepared to open up the slight risk that exists if I put the TS on
the public internet.

One thing that still concerns me even with VPN is that unless I change the
passwords for VPN every time a user leaves the company then I will have
people out there with a back door into my LAN - they won't have access on
the LAN but will have a back door.  I need to think about this now because
there has to be a way to avoid having to do this if someone leaves.  Short
of going to their home and uninstalling the client I'm not sure what that is
yet though.










Re: Opening Port 3389

Postby David Barnes » Mon, 16 Feb 2004 13:25:15 GMT

> One thing that still concerns me even with VPN is that unless I change the

?? Huh
Set up a separate VPN login for each user, or use RADIUS. Even NT4 included
this... Your VPN server/firewall should be able to use RADIUS auth and will
only allow users in that have 'dialin' set. The bonus is the dorks out
there only have to remember one password.

Better still, use some of the VPN software that's automatic, like the Cisco VPN
client or Netscreen client.
Once installed the user won't need to know it's there; they just fire up the TS
client and hit connect. The act of trying to send IP packets to the
internal TS server fires up the VPN. You may need to up the TS client
connect timeout though....


Another point is, do these users have firewall, virus and system lockdown
equivalent to or better than the company systems? Because as soon as they fire
up the VPN they will provide a nice 'gateway' into your network for a hacker
and virus to spread..


Remember a network is only as good as its weakest link!


David
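David's two suggestions, per-user authentication against RADIUS so a leaver is disabled in the domain rather than by changing a shared VPN password, and not trusting the remote PC once the tunnel is up, come together in the PIX 6.3 remote-access IPsec configuration below for the Cisco VPN client he mentions. This is an added example, not David's or Cisco's text; the RADIUS secret, group key, group name, client pool 192.168.100.0/24 and access-list name are assumptions, and the inside addresses are Keith's. It departs from the usual `sysopt connection permit-ipsec` setup on purpose: decrypted traffic is run through the outside ACL so that an authenticated VPN user, or anything riding on their PC, can reach only TCP/3389 on the TS server.

```cisco
! Added example, not from the thread. PIX 6.3 remote-access IPsec VPN for
! the Cisco VPN client with per-user authentication (xauth) against a
! RADIUS server on the DC. Assumed values: RADIUS shared secret RADIUSKEY,
! group name "remote" with pre-shared key GROUPKEY, client pool
! 192.168.100.0/24. Inside addresses are the thread's own
! (DC 192.168.0.1, TS server 192.168.0.2).
!
! Per-user credentials live in the domain (RADIUS / dial-in permission),
! not on the PIX, so a leaver is disabled in one place.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.0.1 RADIUSKEY timeout 5
!
! Address pool for remote clients; exempt LAN<->pool traffic from NAT.
ip local pool vpnpool 192.168.100.1-192.168.100.50
access-list no_nat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list no_nat
!
! IKE phase 1 and IPsec phase 2 parameters accepted from the client.
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
! Every user must authenticate individually via RADIUS after the group key.
crypto map clientmap client authentication RADIUS
crypto map clientmap interface outside
!
! Client group. No split-tunnel line, so while connected the remote PC
! sends all traffic through the tunnel and cannot bridge the Internet
! into the LAN.
vpngroup remote address-pool vpnpool
vpngroup remote idle-time 1800
vpngroup remote password GROUPKEY
!
! Do NOT let decrypted traffic bypass the outside ACL. Instead permit VPN
! clients to reach only TCP/3389 on the TS server; everything else from
! the pool (and from the Internet at large) is dropped and logged.
no sysopt connection permit-ipsec
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 192.168.0.2 eq 3389
access-list outside_in deny ip any any log
access-group outside_in in interface outside
!
! Verify: "show isakmp sa" and "show ipsec sa" after a client connects,
! "show access-list outside_in" for hit counts on the 3389 line, and a
! failed attempt from the client to reach 192.168.0.1 should appear in
! the log as a deny.
```

Because the pool is only reachable after xauth succeeds and the ACL confines it to one port on one host, a compromised home PC or a stale account that has not yet been disabled gets a door to the RDP logon prompt and nothing else, which is the compartmentalisation Craig asked for at the top of the thread.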



