#1
I was asked how I might set up a small business server in an office that has "migrant workers" (mortgage or real estate processing, with people given cubicles who drag in their own laptops). Also, there's very high turnover in this environment, so management of accounts is going to be a pain for someone (not me) who will need to be taught how to do this. The laptops have the (high) potential of being infected, and there's a natural reluctance to put them on the network.

Someone came in suggesting that they put in a 2nd network going out to the internet with a DSL connection and let people connect up to that. They would log in by going out the DSL network and VPN back in on the normal network coming in off a T-1 to an SBS 2003 server. I was worried about split tunnelling in this instance (someone attacks their machine while connected to the internet, but uses that as a jump-off point into the VPN'ed access into the server). I suggested they could skip the extra DSL line and put in a different subnet with a switch to allow all those connections. Another port of the switch would go into the DMZ side of an SBS 2003 server with an ISA 2004 firewall.

Would it be wiser to do that kind of a setup but restrict these users to a Terminal Services client connection and use that to buffer the server from the workers, or better to go for a VPN connection and try to get Network Access Quarantine Control working to at least attempt to force the laptop users to some semblance of a "secure platform"? The 2nd option sounds more painful to administer, but the first has lots of TS licenses that can get expensive. And isn't the TS session unencrypted? How do I encrypt it to keep wanna-be ID theft people from sniffing the network (hoping nobody drags in a hub and has people connect their laptops to it)? I would also think that VPN access (either way, but without TS) would allow someone to scoop up data and pull it to their laptops (and onto USB/hard drives/etc.). Terminal Services sounds better and better, but I am worried about insecure protocols.

Am I missing something by looking at TS as a solution? Imagine if it was your loan being processed here... how would you want your social security # protected? (This is going to be a training session for me, as I'm not familiar with SBS 2003 - I've helped out in peer-to-peer setups in churches and non-profits and had enough "fun" at the client level at those locations...)

Zman
#2
> And isn't the TS session unencrypted?
Well, you have a lot of things to chew on here, but I can tell you that a W2K3 TS session is encrypted. You cannot turn it off.

-Frank
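As an added example (not code from either poster), a PowerShell audit of the Terminal Services listener settings behind the two worries raised above: whether the session is encrypted, and whether data can be pulled out of the session onto the laptops. It assumes a current Windows Server with PowerShell (the SBS 2003 box in the thread predates it) and uses the standard RDP-Tcp listener and Terminal Services policy registry values.

```powershell
# Added example: audit the RDP-Tcp listener for session encryption and
# device redirection. Assumes a modern Windows Server; run elevated.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-TsValue {
    # Return the first matching value; Group Policy overrides the listener,
    # so the policy key is searched first.
    param([string[]]$Paths, [string]$Name)
    foreach ($p in $Paths) {
        $item = Get-ItemProperty -Path $p -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null   # not set anywhere: the built-in default applies
}

# Each check passes when the actual value is at least the minimum shown.
$checks = @(
    @{ Check = 'Encryption level';  Value = 'MinEncryptionLevel'; Min = 3; Why = '3 = High (128-bit), 4 = FIPS' }
    @{ Check = 'Security layer';    Value = 'SecurityLayer';      Min = 2; Why = '2 = TLS; server is authenticated to the client' }
    @{ Check = 'NLA required';      Value = 'UserAuthentication'; Min = 1; Why = 'credentials checked before a session is built' }
    @{ Check = 'Drive redirection'; Value = 'fDisableCdm';        Min = 1; Why = '1 = disabled; no copying files to the laptop' }
    @{ Check = 'Clipboard';         Value = 'fDisableClip';       Min = 1; Why = '1 = disabled; no pasting loan data out of the session' }
)

function Get-TsAudit {
    foreach ($c in $checks) {
        $actual = Get-TsValue -Paths @($policy, $listener) -Name $c.Value
        [pscustomobject]@{
            Check   = $c.Check
            Setting = $c.Value
            Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
            Minimum = $c.Min
            Status  = if ($null -ne $actual -and $actual -ge $c.Min) { 'OK' } else { 'REVIEW' }
            Note    = $c.Why
        }
    }
}

Get-TsAudit | Format-Table -AutoSize
```

A row marked REVIEW with Actual "(not set)" means the server is running on its built-in default for that setting rather than an explicit choice, which is worth pinning down through Group Policy before the laptops arrive.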