how to deal with this

rasczak

Lifer
Customer has one server, one license, and an application that remote users will T/S into the server to access. The problem I am having is that the customer also wants this server to be a domain controller. Normally not an issue, but this machine will be connected to the internet. So as most of you know, this is pretty much a security no-no. Here's the setup:

internet <-> router <-> application server/eventual DC

the router has 3389 forwarded to the application server so that remote users can T/S into the system. Not ideal, but this is how things were configured before, and I'm not that fluent in remote access just yet.

thoughts? please be as brutal as possible.

Thanks.
 
Would their application work on Linux? You could virtualize a Linux server with the application, and keep Windows covered.

Edit:
nvm. I didn't really think that through :^/

I'll leave it up for taunts and jeers though :^D
 
Pretty much every SBS server out there is setup similarly. As long as you're confident in the security of the server you should be fine. The router will also factor into this too, if it's some cheesy SOHO router it could be more of a security risk than the server.
 
> Pretty much every SBS server out there is setup similarly. As long as you're confident in the security of the server you should be fine. The router will also factor into this too, if it's some cheesy SOHO router it could be more of a security risk than the server.

Yea, that's just it. It's your typical Linksys 8-port router.
 
A business with nothing but a home router between them and the Internet? Wouldn't touch it in a million years.
 
They need a real router and then it shouldn't be any problem to have a T/S setup on a DC. Real router, and keep windows patched and most likely you will be just fine.
 
Sadly most places aren't willing to shell out for something like an ASA.

There are plenty of routers in between a $40 Linksys and an ASA. A Cisco 1800 series for example.

Explain to the customer that putting a domain controller on the Internet is a terrible idea, and it will cost money to do it right. If they insist on doing it cheaply, get them to sign a waiver releasing you of all responsibility, set it up for them and be on your way to new customers. If they won't sign it, be on your way. Maybe that'll make them think twice about how ridiculous what they're asking you to do is.
 
> There are plenty of routers in between a $40 Linksys and an ASA. A Cisco 1800 series for example.
>
> Explain to the customer that putting a domain controller on the Internet is a terrible idea, and it will cost money to do it right. If they insist on doing it cheaply, get them to sign a waiver releasing you of all responsibility, set it up for them and be on your way to new customers. If they won't sign it, be on your way. Maybe that'll make them think twice about how ridiculous what they're asking you to do is.

But an 1800 series router isn't a firewall, it's a router.
 
> A business with nothing but a home router between them and the Internet? Wouldn't touch it in a million years.

To be fair, it's a very small business, and he understands he is far behind the times tech-wise. I agree with the sentiment that the DC should be behind a firewall, so I will push for the client to get a firewall. Any suggestions? He's reasonable, so I am sure I can get it through to him if I have some reasonable options to choose from.

I have some experience setting up a Juniper appliance:

http://www.juniper.net/in/en/products-services/security/ssg-series/ssg5/

Are there any other suggestions you guys could make?
 
If cost is a concern, and it appears to be, I'd forget about the firewall and get a real router like the 1800 I suggested. A properly configured 1800 ISA router is going to be much more secure than a Linksys, and not as expensive as a dedicated firewall.

If you're still concerned about security, just have the 1800 log info about every connection that enters the LAN so you can review the logs, and even set up a script to search for specific entries that would indicate a security risk and fire off an email to whoever needs to know.

*EDIT* Oh, and despite the comment before that the 1800 is a router and not a firewall, it's true that it's not a dedicated firewall. However, the security features available in IOS are more than adequate for a small business that's currently using a Linksys router.
 
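The log-review script suggested in the post above, as an added example that is not from the thread: it reads Cisco IOS ACL log entries (the `%SEC-6-IPACCESSLOGP` message a `log`-keyword ACL produces; the lines below are a constructed sample using documentation addresses), flags outside addresses that repeatedly open connections to the forwarded 3389 port, and returns the alert text to send. The threshold, the inside server address and the mail delivery step are assumptions.

```python
import re
from collections import Counter

# Constructed sample of IOS ACL hits on the router's outside interface.
# A real run would read the router's syslog file instead.
SAMPLE_LOG = """\
*Mar  1 10:00:01.100: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(51234) -> 192.168.1.10(3389), 1 packet
*Mar  1 10:00:02.300: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(51235) -> 192.168.1.10(3389), 1 packet
*Mar  1 10:00:03.500: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(51236) -> 192.168.1.10(3389), 1 packet
*Mar  1 10:00:04.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.5(51237) -> 192.168.1.10(3389), 1 packet
*Mar  1 10:05:00.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 198.51.100.7(40001) -> 192.168.1.10(3389), 1 packet
*Mar  1 10:06:00.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.9(44444) -> 192.168.1.10(445), 1 packet
*Mar  1 10:06:30.000: %SYS-5-CONFIG_I: Configured from console by admin
"""

# Matches one logged ACL hit; other syslog messages simply do not match.
ACL_LINE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def parse_acl_log(text):
    """Return one dict per ACL hit; non-ACL syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records

def find_rdp_sources(text, rdp_port=3389, threshold=3):
    """Map source address -> number of permitted connections to the forwarded
    RDP port, keeping only sources at or above the threshold. A legitimate
    remote user opens one session; many fresh connections from one address
    in quick succession is the pattern a password-guessing client produces."""
    hits = Counter(r["src"] for r in parse_acl_log(text)
                   if r["action"] == "permitted" and r["dport"] == rdp_port)
    return {src: n for src, n in hits.items() if n >= threshold}

def build_alert(text):
    """Return the email body for flagged sources, or None if nothing to report."""
    flagged = find_rdp_sources(text)
    denied = Counter(r["src"] for r in parse_acl_log(text) if r["action"] == "denied")
    if not flagged:
        return None
    lines = [f"{src}: {n} RDP connections to the application server" for src, n in sorted(flagged.items())]
    lines += [f"{src}: {n} denied packets (blocked by ACL)" for src, n in sorted(denied.items())]
    return "Router ACL review:\n" + "\n".join(lines)

if __name__ == "__main__":
    print(build_alert(SAMPLE_LOG) or "nothing to report")
```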
> If cost is a concern, and it appears to be, I'd forget about the firewall and get a real router like the 1800 I suggested. A properly configured 1800 ISA router is going to be much more secure than a Linksys, and not as expensive as a dedicated firewall.
>
> If you're still concerned about security, just have the 1800 log info about every connection that enters the LAN so you can review the logs, and even set up a script to search for specific entries that would indicate a security risk and fire off an email to whoever needs to know.
>
> *EDIT* Oh, and despite the comment before that the 1800 is a router and not a firewall, it's true that it's not a dedicated firewall. However, the security features available in IOS are more than adequate for a small business that's currently using a Linksys router.

Actually I'm not sure about that. I know the "firewall feature set" or whatever they're calling it now allows for somewhat similar functionality, but Cisco routers allow by default, which is bad and makes it very easy to unintentionally open something up.
 
> Actually I'm not sure about that. I know the "firewall feature set" or whatever they're calling it now allows for somewhat similar functionality, but Cisco routers allow by default, which is bad and makes it very easy to unintentionally open something up.

Whether it's an ASA device or an ISA router, some IOS knowledge is required to configure it.