Solved

terminal services WAN security

Posted on 2003-12-01
Last Modified: 2010-04-11
I have a few questions about terminal services. I have been using pcAnywhere when I need to remote into our servers through the internet. I would like to use terminal services but I was wondering about security. Everywhere I have read it's being claimed that terminal services is very secure to use through the internet. What kind of encryption does terminal services use?

I have a SonicWall with VPN capabilities. I was going to use the VPN to gain LAN access through the internet and then use terminal services for remote desktop (just for ease of use for multiple terminal server computers). Would this be more secure than just using port forwarding and opening up the firewall for terminal services on port 3389?

Also, what about licensing? From what I can understand on Microsoft's website, it says that if I have 50 Server 2000 CALs then this allows me to run 50 client terminal services?

Thanks,
AD
0
Question by:illtbagu
14 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 9851285
Hi illtbagu,
As far as licensing, you are allowed two concurrent connections to EACH server for remote administration.

PeteL
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9851296
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 9851300
0
 
LVL 1

Author Comment

by:illtbagu
ID: 9851517
I got the port part, if you noticed in my opening post :)
I was just wondering about any security issues there are with terminal services, including using terminal services over the WAN (internet). Only myself and 1 other will be using this service, and we will only be using it for remote desktop. Also, on the Windows NT machine I have, I'm not seeing this as an option to add or remove from the Windows NT setup under Add/Remove Programs like in Server 2000. How can I get my hands on terminal services for NT? Is this something that gets installed during the initial install of NT?

Also 1 other thing. I tried to install terminal server under Add/Remove Windows 2000 Components on 1 of the Server 2000 machines running Service Pack 3 and it's asking for the Service Pack 3 disk. I do not have the disk. When I browsed for the files it's asking for, they are not all on the machine. How can I get this installed?

Thanks,
AD
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 50 total points
ID: 9851866
>>machine. how can i get this installed.
You need to find the i386 directory and point it at that, either on the CD or another server. I always copy the i386 directory to my servers' C:\ drive to negate this problem.

>>I was just wondering about any security issues

Well, opening any port on the firewall is a security risk, but bear in mind that by default only admins can log on. As long as you keep it like this you should be OK. You can let individual users log in for remote administration, but I usually do this on a user to user basis.

Pete
0
 
LVL 24

Expert Comment

by:SunBow
ID: 9854462
> Everywhere I have read it's being claimed that terminal services is very secure to use through the internet

Nothing is secure on internet, that is as exposed as you can get.

Try this for list of ports for supporting users other than yourself:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/exchange/exchange2000/reskit/resguide/appendb.asp
0
 
LVL 24

Expert Comment

by:SunBow
ID: 9854513
> Microsoft's website it says that if I have 50 server 2000 cals then this allows me to run 50 client terminal services?

OK, and remember that is above and beyond any desktop licensing, not to mention the applications themselves, which would be what? eMail?
0
 
LVL 5

Assisted Solution

by:jeffkearns
jeffkearns earned 100 total points
ID: 9855151
> I have a sonicwall with VPN capabilities...

If you have access to a VPN, then use it. There is no comparison - don't open the ports.

> what about licensing...

There are two types of licenses for Windows 2000: regular CALs and those for Terminal Services. If you plan to only use TS for remote administration, it's a moot point. The TS licenses only apply to non-administrator accounts or if you need more than two people to log in at a time. Just make sure to pick the remote administration mode when setting it up.

> on the windows NT machine...

For NT you would have to have a special version of NT. If TS isn't already there, you won't be able to add it. Stick with pcANYWHERE.

> its asking for the service pack 3 disk...

Either follow Pete Long's advice above or re-download the service pack from Microsoft. Also, SP4 has been out for a long time. Now might be a good time to install it.

Jeff
0
 

Accepted Solution

by:
jbueling earned 150 total points
ID: 9872618
Hi illtbagu.
To answer your questions, no, term server is not a secure method of sending information over the internet.
What MS recommends is wrapping your term server session in IPSec to encrypt the connection:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315055
All the best,
  John
0
 
LVL 1

Author Comment

by:illtbagu
ID: 9884707
John, or anyone for that matter, help,

I created and assigned the new policy using Microsoft's suggestion like John had suggested, but it seems that only 1 policy can be assigned at a time. When I assigned the new policy I created, it turned off any existing policy that might have been assigned. As of right now there are 4 policies:
client (respond only)
secure server (requires security)
server (request security)
and the 1 I created, secure terminal service connection

How can I tell what policies were previously assigned, if any? Why can I only assign 1 policy?

Thanks,
AD
0
 

Expert Comment

by:mikelnelson
ID: 10038751
0
 

Expert Comment

by:dahc521
ID: 10052836
I use SonicWall VPN and TS also. If you are tunneled, then you are secure. I use remote desktop when I'm off-site. If I don't have access to the VPN key, I use the live addy that NATs to my TS box. You can also use TSWeb, which is really cool, too.
If you run your 2000 or newer box in Administration mode, you can TS in with one session for remote administration, which I am almost certain only requires a 2000 Server CAL, not a TS CAL.
0
 

Expert Comment

by:NetMasterX
ID: 10531548
What ports are needed through a firewall to get licenses from a license server?

Tx,

Bob
0
 

Expert Comment

by:VegemiteToast
ID: 10729012
Dahc521

Can U give me some clear details on setting up the VPN on SonicWall? What client do U use? What is "live addy"? Sorry if these questions are obvious but I'm very new to VPNs. I'm trying to set up a SonicWall VPN to 2003 Server for Terminal Services running a single app for three remote users. I am purchasing terminal licences.

Thanks for your time
PhillB
0
