Remote Desktop Web Connection security

Posted on 2004-03-29
Last Modified: 2008-02-01
I have installed the TSWeb service on IIS on a win2k machine on a DMZ outside my network.  I have tried looking on the internet for various white papers on the security of TSWeb, i.e what are the backdoors, are there any ways to make it more secure (I have changed the port it uses, and run the IIS lockdown wizard), and cant find anything.  Anyone out there know how to lock it down??

Question by:D_Hartup
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Accepted Solution

fcisler earned 125 total points
ID: 10708024
i'm not sure on security myself, but personally theres no way i would ever put it directly on the web. I use TS through a SSH tunnel. I use SSH on my bsd machine and forward the port through tunneling. Very secure. SSH is 1024bit encryption, and besides, even if you hack my SSH, you still need to know my internal IP to tunnel the port into. SSH is also avaliable on windows, do a search on google.

Expert Comment

ID: 10708380
You're better off using a VPN to access Terminal Services if you don't want to expose your internal servers to the Internet.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 10710147
The RDP protocol that M$ uses in TS is no sloutch, it is not easily decyphered, it's actually very secure considering the source (M$)
Changing the port is a good step, a firewall is the best step, leave only open what you need to leave open. Disable all unnecessary services, such as
Remote Registry, Messenger Service- And if you do not need to connect to other M$ machines, or share folders on the internet (tisk tisk) then disable the Server Service. Actually I am not sure what effect that will have on iis, the server service... shouldn't have any really, its for smb file shareing and allowing M$ connections.
With M$ you'll also need AV, it's just a reality- I recommend Mcafee. For a FW I recommend ZoneAlarm. You've used the iis lock-down tool, that's a start- read more about iis best practices and keep up with patches for all your componets.
Security isn't a Program, it is a Process- "Hackers" look for the easiest way in... and tsweb probably isn't it to begin with :)
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).


Expert Comment

ID: 11831399
fcisler, how did you setup TS through the SSH tunnel? i forwarded port 3389 to 3390 through and ssh session opened via putty but when i try typing "http://localhost:3390/tsweb" i don't get anything.
any help would be greatly appreciated.


Expert Comment

ID: 11831505

well thats because 3389 is not the TS web component, and 3389 to 3390 is to mean 2289 local to 3390 remote? will not work. remote side is running on 3389.
My situation is that i have a FreeBSD machine with a constant tunnel open, and since TS does not run on that i have 3389 allowed to accept connections from any client. Best approach would be to use a machine without TS and do 3389 to 3389 and just open RDP and for host type "localhost"

a side note though:
i have encountered situations on XP pro where even if RDP is not enabled on the localhost, and you use SSH 3389:3389, it will tell you that you cannot open a connection to localhost. In that situation, i allowed remote connections to port (local ports accept connections from other hosts, in putty), and used another machine (so run ssh on "snoopy" and have "peanuts" RDP into "snoopy")
If you have access to a linux machine (i belive this is correct, if not it's pretty close)
ssh -l username -g -L 3389:ip.address.of.remote.side:3389
i sometimes like the tunnel to be open for, say, 15 minutes, then close automatically
append -f sleep 300
-f tells it to run a command then go into background mode
sleep x tells it to sleep for x seconds
hope this helped

Expert Comment

ID: 11831653
just re-read.....hmmmm....for the TS web, i am not completely positive if the active X is run on client or server side, i would say client. In that case, you probally still need 3389 and the webserver port (80 i guess? linux add another -L 80:ip.addy:80, or putty is self explanatory) and then in that case it may still be localhost or may be name of the server....but my question is....why? why not use TS client (the .exe?) if having it on the machine is a problem, zip it or just throw it on an outisde share, "run from current location" and eliminate an un-needed step. as for security, i just looked up the XP ts client - Maximum encryption strength: 128 bits. Now heres the tricky part - i don't know if it is encrypted for the connect, or if all information is encrypted. It dosen't matter much to me, but let me pull up a paper on SSH security.
I use OpenSSH on my FreeBSD machine at home and here
looking on
"Possible Ciphers:
DES (weak, for compatability purposes)
Not only is the inital stage of SSH encrypted, but every stage of traffic thereafter is.
No offense, but whatever you need this for is not something that someone is going to take their time to even break 56 bit encryption, but you had asked, so here it is.

-end rant- ;)
my suggestion: dump the tsweb, use the exe. tsweb adds a layer of complication.

Expert Comment

ID: 11833373
thanks for all the info. i figured it out half-way: had to ssh tunnel port 80 as well but then i had problems with the hostname being recognized. anyway, i normally have been using the remote desktop client. i actually discovered that a web client existed not too long ago. but i'm just messing around with it more than anything. yea, it is impractical to open up an ssh tunnel for rdesktop over the web when i could just use the exe client. basically, i'm just trying to get it to work for the sake of getting it to work. not for anything urgent... anyway, remote desktop is pretty cool. much faster than vnc. i love it.

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this increasingly digital world, security hacks are no longer just a threat, but a reality. As we've witnessed with Target's big identity hack 2013, Heartbleed in 2015, and now Cloudbleed, companies and their leaders need to prepare for the unthi…
It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

761 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question