Solved

Remote access options to SBS 2008 and security implications

Posted on 2011-03-25
Last Modified: 2012-05-11
I am new to servers, so if my terminology and understanding is a bit below par, please excuse me.
We recently set up a server with SBS2008 and want to access it remotely. We have been able to do this OK, but want to know the best way to go about it. In my brief exposure to this, I always used a VPN and Remote Desktop Connection, but info included in SBS2008 suggests accessing via a web browser. Email, Shares and other computers can be accessed this way.
Can anyone tell me whether the web based access is any less secure than the VPN access? Which would you recommend?
Are there any other good alternatives?  
Any other tips?
Thanks
Question by:Mozzie2
13 Comments
 
LVL 18

Accepted Solution

by:
Netflo earned 500 total points
ID: 35220366
Hi Mozzie2,

Ultimately a VPN and RDP to your server would be deemed as secure. If your staff need webmail access then you're going to need to open port 443. By default your server will have a self-signed certificate; I would strongly recommend purchasing a proper third party certificate so that your remote users don't get prompted with accepting a non-trusted connection and have a seamless experience.

The method of accessing your servers and machines is via remote web workplace, again if you secure your server with a third party certificate along with strong user passwords then this would be a safe, workable solution.

I hope this helps.
0
 

Author Comment

by:Mozzie2
ID: 35220605
Thanks for the info.  As for the certificate, are you talking about something like what's advertised at clickssl.com?  Can you tell me, briefly and simply, what it is and how it works?
Thanks
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35220747
The SBS 2008 has built into it the ability to issue a self-signed SSL certificate. SSL stands for Secure Sockets Layer. Whenever you type https:// in a URL, you are using SSL. This creates an encrypted trusted connection between the two computers. This typically occurs over port 443.

This article on Technet explains certificates and their creation and use in SBS 2008
http://technet.microsoft.com/en-us/library/dd353115(WS.10).aspx

Godaddy.com offers fairly inexpensive trusted certificates as well
0
 
LVL 8

Expert Comment

by:nwtechdesk
ID: 35220833
It really depends on the budget for the business.  Without a certificate, Mozilla will pop up a large warning when you first try to connect.  You must accept the certificate before you can go forward.  In IE, you receive a warning stating continuing is NOT RECOMMENDED.  It is an extra click but not a show stopper.
   Prices have come down for basic SSL's.  Register.com is offering one for less than $13 /yr. http://www.register.com/promo/ssl_essential_1.rcmx?trkID=SEM171Vt3W&gclid=CNe6wfO-66cCFRx3gwod_QWubw
0
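An added illustration, not part of the thread or any poster's code, of why the default self-signed certificate triggers the browser warnings described in the two posts above: the certificate names itself as its issuer, so it only verifies against a trust store that already contains it. The host names, file names and helper functions are constructed for the example, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example: self-signed vs. trusted certificates, checked with openssl.
# All names below are constructed for illustration.

# Create a throwaway self-signed certificate (constructed sample input).
#   $1 = output directory, $2 = common name (host name)
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Succeeds if the certificate names itself as issuer AND its signature
# verifies with its own public key, i.e. no outside CA vouches for it.
is_self_signed() {
  local subject issuer
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  [ "$subject" = "$issuer" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeeds only if certificate $1 chains to a CA in trust bundle $2.
# A browser performs the same kind of check against its built-in CA list.
trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo: the server certificate is not trusted by a client whose trust
# store holds some other CA, which is what produces the browser warning.
demo() {
  local dir
  dir=$(mktemp -d)
  mkdir "$dir/server" "$dir/otherca"
  make_sample_cert "$dir/server" "remote.example.test"
  make_sample_cert "$dir/otherca" "Constructed Other CA"
  if is_self_signed "$dir/server/cert.pem"; then echo "self-signed: yes"; fi
  if trusted_by "$dir/server/cert.pem" "$dir/otherca/cert.pem"; then
    echo "trusted by client store: yes"
  else
    echo "trusted by client store: no (browser would warn)"
  fi
  rm -rf "$dir"
}

demo
```
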
 

Author Comment

by:Mozzie2
ID: 35221473
Thanks for the input.  All are useful in one way or another, and I'll grade accordingly.  But one question remains unanswered - which method of remote access is better, if any?
0
 
LVL 18

Expert Comment

by:Netflo
ID: 35221794
As mentioned in my first comment, VPN would be deemed most secure as you are creating a point to point secure connection between yourself and your corporate network.

Remote access via HTTPS will be more accessible if you're in a hotel or abroad, as HTTPS is unlikely to be blocked whereas VPN ports may be.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35222330
The piece of the puzzle that is missing is what type of VPN are you using?   PPTP (traditional VPN) or IPSEC VPN or SSL VPN.

If you're using traditional PPTP VPN, there is no layer of encryption involved. While it does create a dedicated connection to the corp network using the internet, it's relatively insecure. VPN of any type also requires a lot more bandwidth than using RWW. RWW only sends video and keystrokes across the net, whereas VPN actually sends lots of data across VPN.

IPSec VPN is more secure than PPTP, but still is not as secure as any SSL based protocol.

If you want the highest level of security for remote access, you should be using an SSL connection, either SSL VPN or RWW over SSL AND a second factor of authentication such as the product from Scorpion Software called Auth Anvil made specially for use for SBS, but there is an added cost to that with both hardware and the authentication tokens.
0
 
LVL 8

Expert Comment

by:nwtechdesk
ID: 35222963
There are some Microsofties who'd disagree with the idea that an SSL VPN is MORE secure than remote desktop in Windows 2008:
 the Remote Desktop client uses encrypted Hypertext Transfer Protocol over Secure Sockets Layer to communicate with the TS Gateway. Because HTTPS is primarily used to browse the Web, almost all firewalls allow it. The TS Gateway authenticates the user (via either a password or a smart card), verifies that the user is authorized to connect to the destination computer and then uses Remote Desktop Protocol (RDP) to complete the connection on your private network.
(quoting from biztechmagazine.com)
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35223091
I was not suggesting that SSL VPN was more secure than Remote Desktop.
Remote Desktop by itself is not secure at all.
TSWeb or RWW are secure because they use SSL.
0
 
LVL 18

Expert Comment

by:Netflo
ID: 35223297
Further to Cris Hanna's point, you can use SSL to secure RDP as well.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 35223407
Exactly, RWW uses SSL with a variation of RDP and TSWeb and is secure, but if you want real security, using two form factor security is the real way to go.
0
 

Author Comment

by:Mozzie2
ID: 35224130
Thank you all for your responses.  As I said at the start, we're new to this, so we're just "following the bouncing ball", with nothing added.  It sounds like we'll need to pay some attention to exactly what we're actually doing (we're not really sure what it all means), but from what you've said, RWW is a better way to go because it uses less bandwidth.
Thanks again
0
 
LVL 35

Assisted Solution

by:Cris Hanna
Cris Hanna earned 500 total points
ID: 35224142
RWW is a much richer experience in my opinion, since they are "virtually" sitting at the desktop they use in the office, and the speed at which things occur is essentially the same as being in the office. There might be an occasional stutter or lag, but nothing like VPN with multiple connections.
0
