Terminal Services Security Issues 2

[indigojo]

We are being advised that there are some serious security issues using Terminal Service to connect to a WIN2k server. We have been told the only access to one of our new European servers in a data centre is by using Symantec Raptor. We have been managing a large site for 2 years using TS with no security issues so this is new to us, and RAPTOR so far is proving impossible to implement with regard to CISCO routers we have to pass through, and home ADSL routers etc.
Can someone veryify that there is in fact a security issue with TS and point me to some documentation.

 

[OUCATS]

Some questions,
1.) The group you are trying to connect to (European), can they provide some documentation why TS is a security issue??
2.) Do they want you to use the Raptor so that you can create a VPN tunnel to their Raptors??
3.) I'm trying to understand the network setup(general). Is it: EuropeanServer -- Raptor -- Router -- INTERNET -- Router -- Raptor -- YourServers/Network

I'm just trying to see if there is another way around this.

 

[MitchCumstein]

I stumbled upon this yesterday. Perhaps it can help:

NSA Guide to Securing Terminal Services

http://nsa2.www.conxion.com/win2k/guides/w2k-19.pdf

 

[indigojo]

Pasted below is an extract from an email from the Data Centre detailing why they will not open up Windows Terminal Services directly.
----------------
"I have spoken to a number of people within Datacentre regarding this and they state they cannot allow WTS without a VPN to enter our datacentre.

Having a dedicated firewall will still pose a threat because hackers will run some 'sniffer' software looking for vulnerabilities in networks. Once WTS is detected, the hackers will flood the router, saturate our bandwidth,
and possibly bring down or at least slow right down the traffic to and from our customers' sites. Furthermore, they will inevitably intrude your site and destroy any contents or deface the pages."
----------------

The Scenario is Developers (Australia) workstations behind a CISCO router, they are having problems getting through.

Site Adminstrators (Australia) behind various ADSL routers, and OS's

Server (Europe) in large datacentre.

We run and manage a large site at the moment by using WTS, and for a period of 2 years without any security issues. This is a new franchised site that we will be managing and to my mind would not be classed as a hackers nirvana anyway. So are we with the first site being extremely careless with regards to our security or is this case of a datacentre being difficult. To my mind it's our machine in their centre and it will host one site, so I don't see what bearing this has on any other machines in the datacentre anyway. It gets hacked then it's our problem and shouldnt affect any other machines, should it?

 

[OUCATS]

We have a similar setup to what they are requesting that you have. We have a hardware VPN setup between our main office and our home employees. They then use TS to allow the users to connect to our network and it's resources. I first thought it was overkill but TS security isn't the greatest/highest. I don't know why you couldn't create a VPN between your CISCO firewall (as long as it has VPN capability) and their Raptor firewalls and then just run TS through the VPN tunnel. If this idea might work, you may want to post your question on a Cisco forum to see if anyone has had a similar experience.