RDP client security - disabling mapped drives

The Gesus

I have a vendor who wants our users to connect to a Windows 2003 Terminal Server
(outside of our corporate control) in order to run a medical database application.

A requirement of this process is that our users (and other users in other health
care companies all over the country) have to connect their drives to this
foreign system. This raised a red flag immediately. The vendor is willing to
work out other ways of file transfer, but in the meantime this is such a severe
security hole we would like to globally disable this "feature" of the XP RDP client.

Unless I'm missing something, there appears to be no way to restrict this on the
client side. There is an AD (Computer) Group Policy for "Do not allow drive
redirection" but this appears to be a server-side policy. Since the server is
outside our control, this policy is not going to work.

Has anyone run across this and has anyone found a way to prevent users from
opening up this HUGE, GAPING security hole?

Malke

The Gesus said:
I have a vendor who wants our users to connect to a Windows 2003
Terminal Server (outside of our corporate control) in order to run a
medical database application.

A requirement of this process is that our users (and other users in
other health care companies all over the country) have to connect
their drives to this foreign system. This raised a red flag immediately.
The vendor is willing to work out other ways of file transfer, but in
the meantime this is such a severe security hole we would like to
globally disable this "feature" of the XP RDP client.

Unless I'm missing something, there appears to be no way to restrict
this on the client side. There is an AD (Computer) Group Policy for
"Do not allow drive redirection" but this appears to be a server-side
policy. Since the server is outside our control, this policy is not
going to work.

Has anyone run across this and has anyone found a way to prevent users
from opening up this HUGE, GAPING security hole?

I'm sure the server gurus will have more to say about this, but why not
just block the ports used by RDP in your corporate firewall?

Malke

The Gesus

Malke said:
I'm sure the server gurus will have more to say about this, but why not
just block the ports used by RDP in your corporate firewall?

One word: laptops.

Also, with NAT an RDP server can be on any port. Plus there are other avenues
such as OpenVPN, SSH, etc.

In fact if you use the default port you're just asking for trouble. None of our
publicly accessible Terminal Servers use 3389.

Malke

The Gesus said:
One word: laptops.

Also, with NAT an RDP server can be on any port. Plus there are other
avenues such as OpenVPN, SSH, etc.

In fact if you use the default port you're just asking for trouble.
None of our publicly accessible Terminal Servers use 3389.

Yes, that totally makes sense. If you don't get any answers from the
server guys here, you might want to post in one of the server
newsgroups such as microsoft.public.windows.server.general. Another
option would be to contact MS server tech support. I'm sure with such a
large corporation you have a service contract with them, and/or can
afford the call. My experience with MS server tech support has been
excellent.

Good luck,

Malke