mhentrich

asked on

What's more secure: ThinRDP or regular RDP?

Experts:

I'm going to show my ignorance of good information security here.

Let me lay out the scenario: say we have a Windows 2008 R2 terminal server which about 20 folks access.  We want it to be accessible from outside the corporate network, but we don't want to use VPN.  We also can't make use of a TS/RDS Gateway (I have my reasons).

So, we're left with a couple options - use a program like ThinRDP for RDS (http://www.thinvnc.com/thinrdp/html5-rdp.html) to make RD sessions available over an HTML 5 capable browser, or simply set up NAT between the terminal server and the outside world and open up RDP on the firewall for connections to that IP.

Either way, we're stuck opening ports on the firewall and NATing traffic from one of our public IPs to our internal IP.  The difference is which port is being opened (any port for ThinRDP, 3389 for RDP) and which application is doing the listening (ThinRDP server or Win2K8).  I think ThinRDP has one added advantage over the alternative, though: we can set up a ThinRDP 'gateway' of sorts in our DMZ that accepts connections and passes them through the firewall to the corporate network, whereas if I were to create a direct NAT to the terminal server, it'd be introducing a public IP directly into the corporate network.

Thoughts?  I need to make the TS publicly accessible (no VPN and no RDS gateway) but I want to keep some security in place.

Thanks!
Matt
mhentrich

ASKER

Follow up Q:

I forgot, I also want to throw in the third option of using regular NAT to the terminal server but making use of two factor authentication via phone factor:
http://www.phonefactor.com/solutions/terminal-services-authentication

Maybe that is the best option?

Thanks!
Matt
ASKER CERTIFIED SOLUTION
jrhelgeson
This solution is only available to members.
Closest thing to an answer!