rdp security + 2 factor authentication

Jake

I have read that RDP is considered secure without a VPN since RDP
traffic is encrypted by default.
I work for a small co. and am considering allowing some users to log
in to TS from their home computers (probably with tsweb). Server is
W2K3.
The relevant port(s) would be opened on the LAN firewall.

I cannot police the client machines with regard to patches,
firewalls, viruses, malware etc. However, it seems to me the risks can
be minimised by using 2 factor authentication using a physical token
device issuing one-time passwords, since this would make it virtually
impossible for a malicious user or program to authenticate. There
appear to be one or two reasonably priced solutions available for
doing this.

This solution is simple, flexible and inexpensive compared to issuing
locked-down company-owned laptops with a VPN client.

Anyone have any comments for or against this strategy?

Thanks,
Jake
 
Nick Owen

> I have read that RDP is considered secure without a VPN since RDP
> traffic is encrypted by default.

Here is an MS article on RDP encryption:
http://support.microsoft.com/?id=275727. Most, but not all data is
encrypted.

> I work for a small co. and am considering allowing some users to log
> in to TS from their home computers (probably with tsweb). Server is
> W2K3.
> The relevant port(s) would be opened on the LAN firewall.
>
> I cannot police the client machines with regard to patches,
> firewalls, viruses, malware etc. However, it seems to me the risks can
> be minimised by using 2 factor authentication using a physical token
> device issuing one-time passwords, since this would make it virtually
> impossible for a malicious user or program to authenticate. There
> appear to be one or two reasonably priced solutions available for
> doing this.

With the increasing number of trojans and password sniffers out there
two-factor is warranted, but then, I'm in the business, so consider
the source ;). You can judge based on the costs, the risks, the
likelihood of attack, etc.

> This solution is simple, flexible and inexpensive compared to issuing
> locked-down company-owned laptops with a VPN client.
>
> Anyone have any comments for or against this strategy?

Based on the MS article, I'd say it's a pretty solid strategy. You
might also consider an SSL VPN appliance, in front of your terminal
server, but I don't know what the cost of those boxes is. You would
be better served spending on 2 factor, most likely, because of all the
other benefits you would get (locking down your admin accounts and
infrastructure with 2-factor, e.g.).

Nick Owen

--
Nick Owen
CEO
WiKID Systems, Inc.
http://www.wikidsystems.com
Two factor authentication, without the hassle factor
 
Jake

Nick, thanks for taking the time to comment.
I haven't decided yet but am getting there...
Rgds,
Jake
 
