VPN porn accident. Nauga's fault.

If you can RDP directly into your work machine without having to do it via a VPN connection, then that means your work network has diddly squat for security and is likely already pwned by numerous hackers. Placing a Windows machine directly onto the Internet is like shooting fireworks while fueling your car at a gas station. Even if it's behind a NAT router with port forwarding for RDP, that's only pretend security. The Windows software firewall is no real security either.

Yeah, but is that his job or concern?:dunno: If he's worried about being caught surfing porn, my guess is not.
 

Geez......
Come on guys.. It is 6PC / Bryan..... Of COURSE he is surfing porn... That is a no brainer...:yes::yes:.......:D
 
It's not so much the surfing porn with 6PC, it's the type of porn.

"Is that...a...head of......cabbage and.............Florence Henderson?"
 
This might have already been said. But the question is whether or not you are using a split-tunnel VPN. A split-tunnel VPN will only send traffic destined to your work network through the VPN. A full-tunnel VPN will route everything. For work PCs I always set them up as full-tunnel. If I have a user off-site doing work on Starbucks wifi, I want their traffic encrypted and filtered by MY firewall.

You can determine your setup in the VPN properties.
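The split/full distinction above can be checked from PowerShell rather than by clicking through the VPN properties dialog. This is an added example, not code from the original post; it assumes the VPN profile is a built-in Windows (RAS) connection so that Get-VpnConnection can see it, and that the VPN adapter's interface alias is the same as the connection name, which is the usual case for those profiles.

```powershell
# Added example (not from the thread): for each configured Windows VPN
# profile, report the tunnel mode the profile declares and, if the VPN is
# up, the tunnel mode the routing table actually implements.

function Get-VpnTunnelMode {
    [CmdletBinding()]
    param()

    # Get-VpnConnection (VpnClient module) lists the user's RAS/VPN profiles.
    # SplitTunneling = $false means "use default gateway on remote network",
    # i.e. a full tunnel that sends all traffic through the work firewall.
    foreach ($vpn in Get-VpnConnection -ErrorAction SilentlyContinue) {
        $declared = if ($vpn.SplitTunneling) { 'Split' } else { 'Full' }

        # The profile is only a promise; a pushed route or a third-party client
        # can change what really happens. A full tunnel installs a 0.0.0.0/0
        # route on the VPN adapter with a better (lower) metric than the LAN's.
        $observed = 'n/a (not connected)'
        if ($vpn.ConnectionStatus -eq 'Connected') {
            $best = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
                    Sort-Object RouteMetric, InterfaceMetric |
                    Select-Object -First 1
            # Assumption: the VPN adapter's InterfaceAlias equals the profile name.
            $observed = if ($best -and $best.InterfaceAlias -eq $vpn.Name) { 'Full' } else { 'Split' }
        }

        [pscustomobject]@{
            Connection = $vpn.Name
            Server     = $vpn.ServerAddress
            Declared   = $declared
            Observed   = $observed
        }
    }
}

Get-VpnTunnelMode | Format-Table -AutoSize
```

To flip a profile to full tunnel, run `Set-VpnConnection -Name 'Work' -SplitTunneling $false` (profile name assumed). The Observed column is the one to trust: if it says Full while the VPN is up, local Internet traffic is going through the work side (or, if the far end does not forward it, is not going anywhere), which is the behaviour described later in the thread.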
 
If you can RDP directly into your work machine without having to do it via a VPN connection, then that means your work network has diddly squat for security and is likely already pwned by numerous hackers. Placing a Windows machine directly onto the Internet is like shooting fireworks while fueling your car at a gas station. Even if it's behind a NAT router with port forwarding for RDP, that's only pretend security. The Windows software firewall is no real security either.


This configuration is actually common and accepted as industry standard when using a Windows Remote Desktop Gateway Server provided that server is in the DMZ. It's a fine line to walk ensuring network security while also keeping it simple enough for users to actually use.

http://windows.microsoft.com/en-us/windows7/what-is-a-remote-desktop-gateway-server
 
Not sure I would listen to Microsoft's advice on that. Personally, no way in hell I would expose RDP to the internet as a whole, unless my goal was to get the machine hacked.

Expose as little as possible, even exposing SSH on a Linux box is something I started to be uncomfortable with about ten years ago.
 

You're not opening RDP to the Internet. You are using AD credentials (no different than VPN) to authenticate the user, and then serve up the RDP service. If you can't authenticate with the server, you never see the devices on the other side. It's a great solution for companies who need RDP and not VPN. Most companies use VPN for just RDP, and that's a waste.
 

You're still exposing that AD crap to the internet. No thanks. I wouldn't even dare expose IIS to the internet. If I had to use IIS I would front it with linux boxes running nginx as a proxy.
 

What do you mean by "exposing" it to the Internet? In a proper configuration, it would be in a DMZ surrounded by IDS. So only the necessary ports are getting to the box, after having run through your FW. And when I was responsible for such things, the internal interfaces would come into a separate DMZ, so the "clean" traffic would have to pass through another FW and IDS. In that configuration, the DMZ box is really more of an application proxy and front-end. And of course it is stripped, locked down, and running HIDS.

I haven't had my hands dirty with this stuff in a few years, so I am sure best practices have changed some.
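Both the RD Gateway post and the DMZ description above rest on the same point: the Internet-facing side should only see the gateway's HTTPS listener (TCP 443, plus UDP 3391 if the UDP transport is enabled), and the internal hosts should only accept RDP from the gateway. The following is an added example, not code from either post, of enforcing the second half of that on each internal host with the built-in Windows firewall cmdlets. The gateway's internal address 10.0.5.10 is a hypothetical value.

```powershell
# Added example (not from the thread). Run on each internal host that users
# reach through the RD Gateway. Hypothetical value: the gateway's internal
# address is 10.0.5.10.

$RdGateway = '10.0.5.10'

# Windows Firewall evaluates explicit Block rules before Allow rules, so a
# "block 3389 from everywhere" rule would also cut off the gateway. Instead:
# make sure the default inbound action is Block, switch off the built-in
# wide-open Remote Desktop rules, and add one Allow rule scoped to the gateway.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

New-NetFirewallRule -DisplayName 'RDP - only from RD Gateway' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $RdGateway -Action Allow -Profile Domain

# List every rule that touches TCP 3389 so the result can be eyeballed:
# the built-in rules should show Enabled = False, the new one Allow/True.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object LocalPort -eq 3389 |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Action |
    Format-Table -AutoSize

# Verification from other machines (replace <host> and <gateway-fqdn>):
#   from a workstation that is NOT the gateway, 3389 must now fail
#     Test-NetConnection -ComputerName <host> -Port 3389     # TcpTestSucceeded: False
#   from outside, only the gateway's HTTPS port should answer
#     Test-NetConnection -ComputerName <gateway-fqdn> -Port 443    # True
#     Test-NetConnection -ComputerName <gateway-fqdn> -Port 3389   # False
```

This only covers the host side; the perimeter firewall still has to forward nothing but 443 (and 3391/UDP if used) to the gateway in the DMZ, and the second DMZ/IDS layer described above sits between the gateway and these hosts.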
 

You can shove things through an IDS and firewall all you want but you still have a windows service that can be accessed via the internet. Not something I'm comfortable with...but what do I know..

 
The equivalent of NASA forms at work would actually be a pretty good thing.
20 years ago I was giving a presentation concerning new software we'd installed. The gist of it was to track IT problems, and being new to the dept. and young and gullible I said pretty much what my boss told me to say.

"The object is to identify the problems we are encountering. We will not be looking to see whose fault it was and point fingers." A lot of guffawing and snickering. Still, I believed.

Fast-forward a month and I'd never have believed I would see it being used as "evidence" of fault.

So I'm not really sold on self-reporting at work to avoid repercussions. Around here at least they'd be collected and stored in your HR file.
 

The equivalent to the workplace NASA form is to become indispensable.
 
You can shove things through an IDS and firewall all you want but you still have a windows service that can be accessed via the internet. Not something I'm comfortable with...but what do I know..
I don't have any idea what you know.:dunno: Shall we start listing the vulnerabilities in UNIX services over the years?

I've been a CISSP for more than 15 years, hold multiple vendor and third-party security certifications, and designed network architectures for Fortune 500 companies in a previous life. But none of that means anything, and like I said, it isn't what I do anymore.

On the Internet, no one knows you're a dog, or cares. ;)
 
Plenty of vulnerabilities in Unix services over the years, although it's usually an unfair comparison. Most Unix/*nix distributions ship with thousands more software packages and services than Windows Server does. Microsoft manages an impressive number of vulnerabilities for the very limited capability their Server product actually contains.

Question about what you wrote:
Lindberg said:
You're not opening RDP to the Internet. You are using AD credentials (no different than VPN) to authenticate the user, and then serve up the RDP service.
I'm no expert on the Microsoft stack. Please point me to some information that would indicate how you would permit someone to log into RDP using AD credentials over the internet without exposing RDP to the internet.
 

Technically it's possible via a built in proxy server on the MSFT stuff, but it really doesn't add any significant security. What it does do is wrap the connection with an encrypted tunnel. Not that very many encryption protocols are really holding up all that well these days when targeted for real audits.

No offense to the local PoA CISSP, but I know at least two who have been CISSPs that long who couldn't secure anything if they tried. Neither had ever worked as an admin and only knew theory. A significant problem in the security biz these days. Take a test, you're a security engineer. CISSP is a large amount of data, but it's still possible to get through it without much real experience. It has a work experience requirement in security-related work, but there are all sorts of ways to cheap out on those.

I've seen desktop support people who did nothing more than load virus scanners for desktop security for a living, call that the experience necessary. Maybe it's changed since then, but I doubt it.

SANS certs and using students' work as their own knowledge library, sure paid for a nice house on Maui for Northcutt though, that's for sure. ;)
 
I've passed every CISSP practice test I've ever taken and I haven't studied it at all. Pretty confident I could walk in and pass it with no thought if I actually cared about getting it.
 
Geek fight!


LOL. Not really. Most IT certifications based on ideals and not specific equipment, are a joke. CISSP rises to "almost not a joke" level, amazingly. But it's still pretty laughable.

Here's what PCI says one needs, out of many things, to be certified...

"All unnecessary functionality on devices and computers within the cardholder data environment has been disabled."

I could make a pretty good case that the mouse and mouse drivers aren't truly "necessary". Get used to running Windows with the keyboard kiddies. Haha.
 
They also say I need a published company security policy. They don't say it has to be any good! LOL.

(Granted, some people are audited, but we aren't that important.)

"Set your password to 'password1'." Sounds like the beginning of a beautiful security policy to me, how about you? LOL
 

Much of what PCI asks for is just policy, and that policy can be essentially anything because there is no guidance on the subject.

I suggest folks maintain basically a set of policies to meet PCI precisely and *NOTHING* more. If you want more policy, go at it, but do that in additional policies that have nothing to do with what you show the auditors.
 
You are fine. As long as your browser isn't going through their proxy at the time, you are good to go.

I am not using a VPN connection.
If I connect to VPN, my local internet is disabled.

I just RDP to my work machine w/o connecting to VPN
 