TS access and Virus issue

I have a vendor that wants to have access to an application on my server. I
was thinking about using TS, but I have concerns over viruses coming from the
vendor's network. This is a financial database that the vendor would be
connecting to and he would not have access to any other areas of the server.
Is my concern about viruses valid, or do I have nothing to worry about? I am
also worried about overall security on the vendor site: if I give him access
to my server and he has a security breach then my security is breached also...
right? Hope someone can help me by shedding light on these issues.
 
Bjarni said:
I have a vendor that wants to have access to an application on my server. I
was thinking about using TS, but I have concerns over viruses coming from the
vendor's network. This is a financial database that the vendor would be
connecting to and he would not have access to any other areas of the server.
Is my concern about viruses valid, or do I have nothing to worry about? I am
also worried about overall security on the vendor site: if I give him access
to my server and he has a security breach then my security is breached also...
right? Hope someone can help me by shedding light on these issues.

I don't believe terminal services transfers anything other than screen
shots, the location of your mouse, and what you type on your keyboard. If
you are thinking about the fact that you have to open up your firewall to
the internet for the TS specific ports then you really only have to worry if
you aren't up to date with all the patches. You do have a firewall, don't
you?

Joe
 
Joe, thanks for your reply,

I do have a firewall and all my servers are up to date with all patches.
What about drive mappings, doesn't that open up the possibility of viruses? I have
worked with TS and remote users in the past so I know about screen draws etc.
but never had to worry about this because I controlled both sides, which in
this case I do not.

I have multiple servers, over 400 users and I don't feel comfortable giving
an outside vendor access like this, so I guess I am trying to come up with
something other than my concerns about TS and its security issues from the
outside.
TIA for any follow-ups
 
Hi,

If you are really concerned about this, prohibit the mapping of local
drives over terminal services. This will prevent them from mapping their
local drives to your server (but it may limit their work). This way all they
can do is transfer files on the network where the terminal server is.

The terminal session itself is encrypted (I think Windows 2000 uses 56-bit
encryption while Windows 2003 uses 128-bit -- also depends on the client that
they use...). Assign your customer a strong, hard-to-guess password.
Personally I limit access to terminal servers only to customers' IP addresses,
not the whole internet (I don't want every "kid" on the internet trying out
the passwords on the logon screen)... Another option would be to first connect
to a VPN server and only then the vendor is allowed to connect to the TS (and
only TS over TCP 3389).

Note, if you have the TS located on a LAN with other clients there is nothing
limiting your vendor from connecting to other computers on the LAN from this TS
server...

Mike
 
If you can give that user TS access without being a local administrator, you
can minimize the risk. Otherwise if someone gets control of his computer
they may get control of your computer. If you can do such for that user,
make sure that you use complex passwords on your computer and enable an
account lockout policy that has a threshold of no less than ten bad
attempts. As far as viruses, you can greatly reduce the risk if you disable
clipboard and other mappings in the RDP properties for client settings,
which would however affect all users connecting via TS. You can configure
RDP properties in Terminal Services Configuration/connections. I would also
make sure that the built-in administrator account is not allowed to log on
through TS in its account properties and consider giving the user logon
time restrictions if possible to minimize the risk of someone trying to gain
access at times when there is no reason to allow that user access, such as
nights and weekends perhaps, or simply dictate to him the hours that he can
access the computer via TS. --- Steve
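
The restrictions suggested in the replies above (no drive or clipboard redirection, RDP reachable only from the vendor's IP address, a lockout threshold of ten, logon-hour limits) gathered into one script. This is an added example, not part of any poster's reply; it assumes a current Windows Server with the built-in NetSecurity cmdlets rather than the Windows 2000/2003 tools named in the thread, and the IP address, account name and rule name are placeholders.

```powershell
# Added example. Assumes a current Windows Server with the NetSecurity module,
# an English-locale firewall group name, and an elevated console session
# (not an RDP session, which step 2 could cut off).
$VendorIp   = '203.0.113.10'           # constructed placeholder (RFC 5737 range)
$VendorUser = 'vendor1'                # hypothetical local, non-administrator account
$RuleName   = 'RDP from vendor only'   # hypothetical rule name
$TsPolicy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1. Turn off drive and clipboard redirection. Like the RDP connection
#    properties mentioned above, this applies to every user of the server.
if (-not (Test-Path $TsPolicy)) { New-Item -Path $TsPolicy -Force | Out-Null }
foreach ($name in 'fDisableCdm', 'fDisableClip') {
    New-ItemProperty -Path $TsPolicy -Name $name -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# 2. Accept TCP 3389 only from the vendor's address: disable the built-in
#    any-source rules, then add one rule scoped to a single remote IP.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $VendorIp | Out-Null
}

# 3. Lock accounts after ten bad attempts (local policy; on a domain member
#    the domain policy takes precedence).
net accounts /lockoutthreshold:10

# 4. Limit the vendor account to agreed working hours.
net user $VendorUser /times:M-F,08:00-18:00

# 5. Read the settings back.
Get-ItemProperty -Path $TsPolicy | Select-Object fDisableCdm, fDisableClip
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

The host firewall rule does not address the point raised above about the vendor reaching other machines on the LAN from the terminal server; that needs network segmentation or outbound rules on the server itself.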
 