rdp security + 2 factor authentication

  • Thread starter: Jake

Jake

I have read that RDP is considered secure without a VPN since RDP
traffic is encrypted by default.
I work for a small co. and am considering allowing some users to log
in to TS from their home computers (probably with tsweb). Server is
W2K3.
The relevant port(s) would be opened on the LAN firewall.

I cannot police the client machines with regard to patches,
firewalls, viruses, malware etc. However, it seems to me the risks can
be minimised by using 2 factor authentication using a physical token
device issuing one-time passwords, since this would make it virtually
impossible for a malicious user or program to authenticate. There
appear to be one or two reasonably priced solutions available for
doing this.

This solution is simple, flexible and inexpensive compared to issuing
locked-down company-owned laptops with a VPN client.

Anyone have any comments for or against this strategy?

Thanks,
Jake
 
> I have read that RDP is considered secure without a VPN since RDP
> traffic is encrypted by default.

Here is an MS article on RDP encryption:
http://support.microsoft.com/?id=275727. Most, but not all, data is
encrypted.

> I work for a small co. and am considering allowing some users to log
> in to TS from their home computers (probably with tsweb). Server is
> W2K3.
> The relevant port(s) would be opened on the LAN firewall.
>
> I cannot police the client machines with regard to patches,
> firewalls, viruses, malware etc. However, it seems to me the risks can
> be minimised by using 2 factor authentication using a physical token
> device issuing one-time passwords, since this would make it virtually
> impossible for a malicious user or program to authenticate. There
> appear to be one or two reasonably priced solutions available for
> doing this.

With the increasing number of trojans and password sniffers out there
two-factor is warranted, but then, I'm in the business, so consider
the source ;). You can judge based on the costs, the risks, the
likelihood of attack, etc.

> This solution is simple, flexible and inexpensive compared to issuing
> locked-down company-owned laptops with a VPN client.
>
> Anyone have any comments for or against this strategy?

Based on the MS article, I'd say it's a pretty solid strategy. You
might also consider an SSL VPN appliance, in front of your terminal
server, but I don't know what the cost of those boxes is. You would
be better served spending on 2 factor, most likely, because of all the
other benefits you would get (locking down your admin accounts and
infrastructure with 2-factor, e.g.).

Nick Owen

--
Nick Owen
CEO
WiKID Systems, Inc.
http://www.wikidsystems.com
Two factor authentication, without the hassle factor
 
Nick, thanks for taking the time to comment.
I haven't decided yet but am getting there...
Rgds,
Jake
 