Security Basics mailing list archives

Re: Terminal services


From: "Rodrigo Blanco" <rodrigo.blanco.r () gmail com>
Date: Wed, 1 Oct 2008 09:10:37 +0200

Hi Fernando,

I would say there are two possibilities: either the application you
want to make available for your end users is web, or not
(client-server).

If it is a web application, the VPN SSL would be a good solution (for
enhanced security, you could think of providing your users with OTP
tokens, so that even if in the non-controlled PCs they are using there
was some kind of malware / keylogger, no flaw is introduced by
enabling this access). VPN SSL is especially convenient since it
provides virtually ubiquitous access (it just requires a browser, no
need to install any software client), and normally remains transparent
for the internal application (behaviour similar to a reverse proxy).

If it is not a web application, you can still publish it through VPN
SSL. If the software client of the application can be installed on the
PCs, you can tunnel the traffic through port forwarding (usually as an
applet or ActiveX from the VPN SSL). Apart from requiring the ability
to install software on the public PC (which is usually not the case),
this may also pose security concerns about pieces of information
remaining on the non-controlled PC as cache / temp files / RAM
memory... The other option is to publish the application in a
thin-client architecture (terminal server, citrix...), and enable
access through the VPN SSL through a port forwarder. The advantage of
this approach is that neither does the application need to be
installed on the public PC, nor does it run on it, so no sensitive
information can be expected to remain on it after the session has been
closed.

In this second option, AD GPO restrictions can and should be applied
to mitigate the risk according to your business.

IPSec VPN (and VPN SSL network extension options), which provide the
PC connecting a virtual IP adapter in the internal network, may be
more risky since there is a direct connection between the Internet and
the PC and between the same PC and the internal network.

Hope this information is useful to you,
Rodrigo.



2008/9/30  <velzaf () hotmail com>:
Hi guys

I need an opinion from you related to terminal services.  I need to provide a solution to allow some external clients 
to connect via Internet to a specific application.  Those clients will use a laptop that doesn't belong to the 
enterprise, in fact they are not secure clients and we don't have any contact with the computers they connect with 
just to configure the connection.

I have been thinking about the use of VPN, but I am not sure because of their insecurity, I think TLS could be an option 
but I have no experience implementing that sort of solution, and I worry about their using several tools like 
tsgrinder or something like that.  I know I need to restrict their options to the maximum, maybe using Active 
Directory.


The server is Windows Server 2003.
The clients could be XP or Vista.

I would like to know your opinion

Thanks in advance.

Atte,

Fernando Velazco.
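Fernando's worry about password-guessing tools against a published terminal server is something the server side can watch for regardless of which VPN option is chosen. The script below is an added example, not part of either message in this thread: it runs a sliding-window counter over constructed failed-logon records and flags any source address that fails a Terminal Services logon repeatedly within a short window. The line format is a simplified, assumed one (timestamp, event id, user, source IP, logon type), not the real Windows 2003 event-log layout; event 529 and logon type 10 are the real "logon failure" and RemoteInteractive values of that era, and the thresholds are arbitrary.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in an assumed simplified form:
#   "<timestamp> <event_id> <user> <source_ip> <logon_type>"
# Six rapid failures for one account from one address, one success, and
# two isolated failures half an hour apart from a second address.
SAMPLE_LOG = """\
2008-10-01 09:00:01 529 administrator 203.0.113.5 10
2008-10-01 09:00:02 529 administrator 203.0.113.5 10
2008-10-01 09:00:03 529 administrator 203.0.113.5 10
2008-10-01 09:00:04 529 administrator 203.0.113.5 10
2008-10-01 09:00:05 529 administrator 203.0.113.5 10
2008-10-01 09:00:06 529 administrator 203.0.113.5 10
2008-10-01 09:00:07 528 fernando 198.51.100.7 10
2008-10-01 09:05:00 529 jsmith 198.51.100.9 10
2008-10-01 09:30:00 529 jsmith 198.51.100.9 10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>\d+) (?P<user>\S+) (?P<src>\S+) (?P<ltype>\d+)$"
)

FAILED_LOGON = "529"   # Windows 2003: "Logon Failure: Unknown user name or bad password"
TS_LOGON_TYPE = "10"   # RemoteInteractive (Terminal Services / RDP)


def parse_line(line):
    """Parse one assumed-format record into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect_ts_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return [(source_ip, first_ts, last_ts, count)] for each source address that
    produced `threshold` or more failed Terminal Services logons inside any
    `window_seconds` window. Each address is reported once, at the moment it crosses
    the threshold, so a long-running guessing session does not flood the output."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["event"] != FAILED_LOGON or rec["ltype"] != TS_LOGON_TYPE:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # Drop failures that fell out of the window (records are assumed in time order).
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["src"] not in alerted:
            alerted.add(rec["src"])
            alerts.append((rec["src"], q[0], q[-1], len(q)))
    return alerts


if __name__ == "__main__":
    for src, first, last, count in detect_ts_bruteforce(SAMPLE_LOG):
        print(f"{src}: {count} failed TS logons between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

On the sample data only 203.0.113.5 is reported; the two jsmith failures are too far apart to count unless the window is widened to an hour. In practice an alert like this pairs with the AD restrictions Rodrigo mentions: an account lockout policy applied through GPO caps how far guessing can get, and the detection tells you when it is being tried.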


