Question about Terminal Services being insecure?

We worked with a client to set up a Terminal Services server running Windows 2003 to allow employees to sign in remotely to work.  This was an easy setup and worked immediately without any issues.  TS was chosen because users needed to run applications and not just view files or email.      

It was noted during a recent audit of the company that because "users authenticate remotely via TS, not a VPN" that the setup was unacceptable.  My understanding has always been that credentials are passed securely (read: encrypted) from the client.  Are the auditors correct in their assessment?  If their point is that the users should first VPN to the server and *then* sign in to TS, I could see that point - but even then, isn't that overkill given that RDP sessions pass credentials securely?    

Thanks!
james_axton Asked:

ry_berk Commented:
If you are RDPing to a server from the outside it means that it's outward facing and anyone could get to it. They could hack or find an account somewhere (hypothetically) and use that to log into your server, and have at your network from there.

Going through VPN makes it a little more difficult to get to that point.
0
james_axton (Author) Commented:
ry_berk, when you say "going through VPN", you are speaking to my point about first connecting to the server via VPN and then signing in to the TS server.  Is that right?
0
ry_berk Commented:
Well, VPN is your bridge to your network.

It allows you to get on to the network and then get to the server from inside as opposed to outside.

0
james_axton (Author) Commented:
ry_berk, I have one last follow-up.  I still pass credentials across the VPN during the initial connection vs passing encrypted credentials from a user's workstation to the Terminal Services server.  VPN offers stronger security - is that what their concern might be?  That a VPN's security is greater than that of TS and as such why take a chance with just TS when you could make it *more* secure using a VPN first and *then* TS?

Plus, now that I'm thinking about it, I guess I could then close off the TS to the outside world.  Is that right?
0
ry_berk Commented:
The concern is that you don't want to have a server that is facing directly outside where anyone or anything can get to it.

Once you put your server inside your network as opposed to facing outward, you then will need the VPN to get inside the network to connect to TS.

The server being outside of the firewall is the issue I believe. The VPN just allows you to get into the network from the outside.
0

james_axton (Author) Commented:
ry_berk, I was just about to close this when I re-read your last sentence.  The remote server is *inside* the firewall.  Traffic is directed to the remote server via a rule in the firewall that says "any traffic to this IP address, forward to this internal address."  Does that change the discussion at all?

I'm going to bump the points up since you've been so patient with me.  Thanks!
0
james_axton (Author) Commented:
ry_berk, you still there?
0
ry_berk Commented:
Yeah, still here, sorry. I lost this question in my list of questions.

That may be the issue, correct. You are allowing your firewall to let people in from the outside without being forced to credentialize prior to being in your network. That's what it sounds like, anyway.
0
james_axton (Author) Commented:
Okay, thanks for the follow-up!
0
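As an added example (not from the thread or from either participant), here is a small audit script that shows the exposure ry_berk describes: it scans Terminal Services logon events and reports sessions that reached the server directly through the port-forward rather than from a VPN client address, plus outside sources repeatedly failing to log on. The event IDs (528/529 on Windows Server 2003), the logon type, the VPN address pool and all sample events are assumptions or constructed data.

```python
import ipaddress
from collections import Counter

# Assumed field layout: a parsed Windows Server 2003 Security log entry.
# On 2003, event 528 is a successful logon and 529 a failed one; logon type 10
# (RemoteInteractive) marks a Terminal Services session. Addresses below are
# constructed sample data, not from the thread.
SAMPLE_EVENTS = [
    {"event_id": 528, "logon_type": 10, "user": "alice",         "source_ip": "10.8.0.12"},
    {"event_id": 528, "logon_type": 10, "user": "bob",           "source_ip": "10.8.0.40"},
    {"event_id": 528, "logon_type": 10, "user": "carol",         "source_ip": "198.51.100.23"},
    {"event_id": 528, "logon_type": 2,  "user": "admin",         "source_ip": "127.0.0.1"},
    {"event_id": 529, "logon_type": 10, "user": "administrator", "source_ip": "203.0.113.7"},
    {"event_id": 529, "logon_type": 10, "user": "administrator", "source_ip": "203.0.113.7"},
    {"event_id": 529, "logon_type": 10, "user": "sa",            "source_ip": "203.0.113.7"},
    {"event_id": 529, "logon_type": 10, "user": "dave",          "source_ip": "10.8.0.12"},
]

# Assumed address pool handed out to VPN clients; anything else is "outside".
VPN_POOL = [ipaddress.ip_network("10.8.0.0/24")]


def from_vpn(source_ip, pools=VPN_POOL):
    """True if the address belongs to one of the VPN client pools."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in pool for pool in pools)


def audit_ts_logons(events, pools=VPN_POOL, failure_threshold=3):
    """Summarise Terminal Services logons that bypassed the VPN.

    Returns successful logons from outside the pool (users reaching TS
    directly through the port-forward) and outside sources whose failed
    logon count reaches the threshold (password guessing against the
    exposed service).
    """
    direct_success = []
    failures = Counter()
    for ev in events:
        if ev["logon_type"] != 10 or from_vpn(ev["source_ip"], pools):
            continue  # console logons and VPN-originated sessions are expected
        if ev["event_id"] == 528:
            direct_success.append((ev["user"], ev["source_ip"]))
        elif ev["event_id"] == 529:
            failures[ev["source_ip"]] += 1
    guessing = {ip: n for ip, n in failures.items() if n >= failure_threshold}
    return {"direct_success": direct_success, "guessing_sources": guessing}


if __name__ == "__main__":
    result = audit_ts_logons(SAMPLE_EVENTS)
    for user, ip in result["direct_success"]:
        print(f"TS logon without VPN: {user} from {ip}")
    for ip, n in result["guessing_sources"].items():
        print(f"{n} failed TS logons from outside source {ip}")
```

Once TS is reachable only from the VPN pool, any entry in `direct_success` is by itself evidence that the port-forward is still open.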