Question about Terminal Services being insecure?

We worked with a client to set up a Terminal Services server running Windows 2003 to allow employees to sign in remotely to work. This was an easy setup and worked immediately without any issues. TS was chosen because users needed to run applications and not just view files or email.

It was noted during a recent audit of the company that because "users authenticate remotely via TS, not a VPN" the setup was unacceptable. My understanding has always been that credentials are passed securely (read: encrypted) from the client. Are the auditors correct in their assessment? If their point is that the users should first VPN to the server and *then* sign in to TS, I could see that point - but even then, isn't that overkill given that RDP sessions pass credentials securely?

Thanks!
james_axton Asked:

ry_berk Commented:
The concern is that you don't want to have a server that is facing directly outside where anyone or anything can get to it.

Once putting your server inside your network as opposed to facing outward, you then will need the VPN to get inside the network to connect to TS.

The server being outside of the firewall is the issue I believe. The VPN just allows you to get into the network from the outside.

ry_berk Commented:
If you are RDPing to a server from the outside it means that it's outward facing and anyone could get to it. They could hack or find an account somewhere (hypothetically) and use that to log into your server, and have at your network from there.

Going through VPN makes it a little more difficult to get to that point.

james_axton Author Commented:
ry_berk, when you say "going through VPN", you are speaking to my point about first connecting to the server via VPN and then signing in to the TS server. Is that right?

ry_berk Commented:
Well, VPN is your bridge to your network.

It allows you to get on to the network and then get to the server from inside as opposed to outside.

james_axton Author Commented:
ry_berk, I have one last follow-up. I still pass credentials across the VPN during the initial connection vs passing encrypted credentials from a user's workstation to the Terminal Services server. VPN offers stronger security - is that what their concern might be? That a VPN's security is greater than that of TS and as such why take a chance with just TS when you could make it *more* secure using a VPN first and *then* TS?

Plus, now that I'm thinking about it, I guess I could then close off the TS to the outside world. Is that right?

james_axton Author Commented:
ry_berk, I was just about to close this when I re-read your last sentence. The remote server is *inside* the firewall. Traffic is directed to the remote server via a rule in the firewall that says "any traffic to this IP address, forward to this internal address." Does that change the discussion at all?

I'm going to bump the points up since you've been so patient with me. Thanks!

james_axton Author Commented:
ry_berk, you still there?

ry_berk Commented:
Yeah, still here, sorry. I lost this question in my list of questions.

That may be the issue, correct. You are allowing your firewall to let people in from the outside without being forced to credentialize prior to being in your network. That's what it sounds like anyway.
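
The exposure ry_berk describes in his answers above (the forwarded port lets anyone on the Internet reach the TS logon prompt and try accounts against it) shows up first in the server's Security log. The following Python is an added example written for this thread, not code from the thread or from Microsoft: it runs a sliding-window count of failed RemoteInteractive logons (event 529 on Windows 2003, 4625 on Vista/2008 and later; logon type 10 is the RDP/Terminal Services logon type) over constructed sample records and flags sources that fail repeatedly across many account names. The tuple layout of the records, the sample addresses and the threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Server 2003 Security log entries:
# (timestamp, event ID, logon type, account name, source address).  Event 529 = logon
# failure, 528 = successful logon; logon type 10 = RemoteInteractive (TS / RDP).
SAMPLE_EVENTS = [
    ("2008-03-04 02:14:01", 529, 10, "administrator", "203.0.113.7"),
    ("2008-03-04 02:14:33", 529, 10, "administrator", "203.0.113.7"),
    ("2008-03-04 02:15:02", 529, 10, "admin",         "203.0.113.7"),
    ("2008-03-04 02:15:40", 529, 10, "jsmith",        "203.0.113.7"),
    ("2008-03-04 02:16:11", 529, 10, "guest",         "203.0.113.7"),
    ("2008-03-04 02:16:45", 529, 10, "test",          "203.0.113.7"),
    ("2008-03-04 08:01:10", 529, 10, "mwilson",       "198.51.100.20"),  # one typo
    ("2008-03-04 08:01:25", 528, 10, "mwilson",       "198.51.100.20"),  # then success
    ("2008-03-04 08:05:00", 529, 3,  "svc_backup",    "10.0.0.5"),       # network logon, not RDP
]

FAILED_LOGON_IDS = {529, 4625}   # 4625 is the equivalent ID on Vista/2008 and later
RDP_LOGON_TYPE = 10


def flag_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"failures": n, "accounts": k}} for every source that
    produced at least `threshold` failed RDP logons inside any `window`.
    `failures` is the largest burst seen; `accounts` counts distinct names tried."""
    by_src = defaultdict(list)
    for stamp, event_id, logon_type, account, src in events:
        if event_id in FAILED_LOGON_IDS and logon_type == RDP_LOGON_TYPE:
            by_src[src].append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), account))

    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        start = 0                      # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                entry = flagged.setdefault(src, {"failures": 0, "accounts": 0})
                entry["failures"] = max(entry["failures"], burst)
        if src in flagged:
            flagged[src]["accounts"] = len({a for _, a in attempts})
    return flagged


if __name__ == "__main__":
    for src, info in flag_sources(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed RDP logons, {info['accounts']} accounts tried")
```

On the sample data only 203.0.113.7 is flagged (six failures against five different names in under three minutes); the single typo from 198.51.100.20 and the non-RDP network logon from 10.0.0.5 are ignored. Putting the VPN in front, as the thread concludes, removes this anonymous Internet-facing logon prompt altogether.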

james_axton Author Commented:
Okay, thanks for the follow-up!