Solved

Remote access options to SBS 2008 and security implications

Posted on 2011-03-25
Last Modified: 2012-05-11
I am new to servers, so if my terminology and understanding are a bit below par, please excuse me.
We recently set up a server with SBS2008 and want to access it remotely. We have been able to do this OK, but want to know the best way to go about it. In my brief exposure to this, I always used a VPN and Remote Desktop Connection, but info included in SBS2008 suggests accessing via a web browser. Email, Shares and other computers can be accessed this way.
Can anyone tell me whether the web based access is any less secure than the VPN access? Which would you recommend?
Are there any other good alternatives?  
Any other tips?
Thanks
Question by:Mozzie2
13 Comments
 
LVL 18

Accepted Solution

by:
Netflo earned 125 total points
Hi Mozzie2,

Ultimately a VPN and RDP to your server would be deemed as secure. If your staff need webmail access then you're going to need to open port 443. By default your server will have a self-signed certificate; I would strongly recommend purchasing a proper third-party certificate so that your remote users don't get prompted with accepting a non-trusted connection and have a seamless experience.

The method of accessing your servers and machines is via Remote Web Workplace. Again, if you secure your server with a third-party certificate along with strong user passwords then this would be a safe, workable solution.

I hope this helps.
 

Author Comment

by:Mozzie2
Thanks for the info.  As for the certificate, are you talking about something like what's advertised at clickssl.com?  Can you tell me, briefly and simply, what it is and how it works?
Thanks
 
LVL 35

Expert Comment

by:Cris Hanna
The SBS 2008 has built into it the ability to issue a self-signed SSL certificate. SSL stands for Secure Sockets Layer. Whenever you type https:// in a URL, you are using SSL. This creates an encrypted trusted connection between the two computers. This typically occurs over port 443.

This article on TechNet explains certificates and their creation and use in SBS 2008:
http://technet.microsoft.com/en-us/library/dd353115(WS.10).aspx

GoDaddy.com offers fairly inexpensive trusted certificates as well.
 
LVL 8

Expert Comment

by:nwtechdesk
It really depends on the budget for the business. Without a certificate, Mozilla will pop up a large warning when you first try to connect. You must accept the certificate before you can go forward. In IE, you receive a warning stating continuing is NOT RECOMMENDED. It is an extra click but not a show stopper.
Prices have come down for basic SSLs. Register.com is offering one for less than $13/yr: http://www.register.com/promo/ssl_essential_1.rcmx?trkID=SEM171Vt3W&gclid=CNe6wfO-66cCFRx3gwod_QWubw
 

Author Comment

by:Mozzie2
Thanks for the input.  All are useful in one way or another, and I'll grade accordingly.  But one question remains unanswered - which method of remote access is better, if any?
 
LVL 18

Expert Comment

by:Netflo
As mentioned in my first comment, VPN would be deemed most secure as you are creating a point-to-point secure connection between yourself and your corporate network.

Remote access via HTTPS will be more accessible if you're in a hotel or abroad, as HTTPS is unlikely to be blocked whereas VPN ports may be.

 
LVL 35

Expert Comment

by:Cris Hanna
The piece of the puzzle that is missing is what type of VPN are you using? PPTP (traditional VPN) or IPSEC VPN or SSL VPN.

If you're using traditional PPTP VPN, there is no layer of encryption involved. While it does create a dedicated connection to the corp network using the internet, it's relatively insecure. VPN of any type also requires a lot more bandwidth than using RWW. RWW only sends video and keystrokes across the net, whereas VPN actually sends lots of data across VPN.

IPSec VPN is more secure than PPTP, but still is not as secure as any SSL based protocol.

If you want the highest level of security for remote access, you should be using an SSL connection, either SSL VPN or RWW over SSL, AND a second factor of authentication such as the product from Scorpion Software called Auth Anvil, made specially for use for SBS, but there is an added cost to that with both hardware and the authentication tokens.
 
LVL 8

Expert Comment

by:nwtechdesk
There are some Microsofties who'd disagree with the idea that an SSL VPN is MORE secure than remote desktop in Windows 2008:
"the Remote Desktop client uses encrypted Hypertext Transfer Protocol over Secure Sockets Layer to communicate with the TS Gateway. Because HTTPS is primarily used to browse the Web, almost all firewalls allow it. The TS Gateway authenticates the user (via either a password or a smart card), verifies that the user is authorized to connect to the destination computer and then uses Remote Desktop Protocol (RDP) to complete the connection on your private network."
(quoting from biztechmagazine.com)
 
LVL 35

Expert Comment

by:Cris Hanna
I was not suggesting that SSL VPN was more secure than Remote Desktop.
Remote Desktop by itself is not secure at all.
TSWeb or RWW are secure because they use SSL.
 
LVL 18

Expert Comment

by:Netflo
Further to Cris Hanna's point, you can use SSL to secure RDP as well.
 
LVL 35

Expert Comment

by:Cris Hanna
Exactly, RWW uses SSL with a variation of RDP and TSWeb and is secure, but if you want real security, using two form factor security is the real way to go.
 

Author Comment

by:Mozzie2
Thank you all for your responses.  As I said at the start, we're new to this, so we're just "following the bouncing ball", with nothing added.  It sounds like we'll need to pay some attention to exactly what we're actually doing (we're not really sure what it all means), but from what you've said, RWW is a better way to go because it uses less bandwidth.
Thanks again
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 125 total points
RWW is a much richer experience in my opinion, since they are "virtually" sitting at the desktop they use in the office, and the speed at which things occur is essentially the same as being in the office. There might be an occasional stutter or lag, but nothing like VPN with multiple connections.
