Terminal Services & Security

Posted on 2004-08-18
Last Modified: 2013-12-04
Hey All,

   I don't have one actual question, I'm looking for suggestions/advice and a couple of answers.  I am setting up a TS server inside my firewall.  The people I will have using it need access to Outlook (& conversely, our exchange server), a db client app, and possibly a network share or two.  What is the most secure method of setting this up?  Some of the issues I have are:  

- Should I have them VPN into the TS machine (NAT on a non standard port) itself rather than our regular VPN server?
- Should/can this server be on its own domain or workgroup?
- Should/can this server be on its own subnet?
- What else should I consider in locking down this access?

Basically, I need the MOST secure setup I can have in this situation.  If the network share is a problem (as I see it), that's not critical.  Outlook and the Client app are.
Question by:smithware
2 Comments
Accepted Solution

by:
Rich Rumble earned 1500 total points
ID: 11843144
TS is pretty secure from the get-go, it's amazing I know.. but there it is. You can step up the encryption level on the server they are connecting to, that is what tells the client what level of encryption their session is going to be encrypted at. There is nothing plain-text in a TS or RemoteDesktop session, besides the UserName when you first auth... but other than that, it's all encrypted. If you like you can VPN on top of that- then the UserName can't be seen PT any more.

The main attack on TS is trying to BruteForce the Local Administrator account, because this account cannot be locked out- they do get kicked off after 3 failed password attempts, but the account will not lock out.

It's simple to change the TS port that TS listens on, however you must use the RemoteDesktop XP client to connect to that TS Server simply, or each client will need a .cns file copied to it... read this article for more detail
http://support.microsoft.com/?id=187623

but if using the XP RD client, all you do is type in the name or ip of the TS server, and then add a colon and the port
terminalserver.example.com:6969
or
10.10.10.10:6969
The XP RD Client can be loaded onto win-2k and works well. http://www.microsoft.com/windowsxp/downloads/tools/rdclientdl.mspx

Since the TS is going to have to use Outlook, if the TS is not part of the domain... then the users will be prompted (often) to enter their password to access their email- not just at first sign on... but a few more times, probably twice an hour.
The subnet, and sharing is up to you.... if this server is internal... treat it like any of your other servers... get AV, M$ Updates, set up event logging etc...
If it's going to be directly on the internet, be sure there is a firewall in front of it to turn off any unwanted ports (455,135-139 etc) and only allow the changed TS port. Choose a popular port, or an unpopular one, it's up to you.  Above all, do not run an M$ box that users use, especially with email involved, without AV... McAfee is great for a TS Server, as it is able to run on each "desktop" session.
-rich
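Rich's answer names brute-forcing the local Administrator account (which never locks out) as the main attack on TS and recommends setting up event logging. The following is an added example, not code from the original thread, showing the kind of detection that logging enables: it parses a constructed export of Windows Security log lines and flags sources with repeated failed Terminal Services logons per account. The CSV layout is an assumption; event id 529 (the Windows 2000/2003 logon-failure event) and logon type 10 (Terminal Services) are the real Windows values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a Windows Security log export (not from the original thread).
# Assumed CSV layout: timestamp,event id,account,logon type,source address.
# Event 529 is the Windows 2000/2003 "Logon Failure: bad user name or password" record;
# logon type 10 is a Terminal Services / Remote Desktop logon.
SAMPLE_LOG = """\
2004-08-18 22:01:03,529,Administrator,10,203.0.113.7
2004-08-18 22:01:05,529,Administrator,10,203.0.113.7
2004-08-18 22:01:08,529,Administrator,10,203.0.113.7
2004-08-18 22:01:31,529,Administrator,10,203.0.113.7
2004-08-18 22:01:34,529,Administrator,10,203.0.113.7
2004-08-18 22:01:36,529,Administrator,10,203.0.113.7
2004-08-18 22:05:12,528,jsmith,10,192.0.2.25
2004-08-18 22:06:40,529,jsmith,10,192.0.2.25
"""

LINE_RE = re.compile(r"^(\S+ \S+),(\d+),([^,]+),(\d+),(\S+)$")

def parse_lines(text):
    """Parse export lines into dicts; lines that do not match the layout are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event, user, ltype, src = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "event": int(event), "user": user,
                           "ltype": int(ltype), "src": src})
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, src): most failed TS logons seen inside one `window`} for pairs
    reaching `threshold`. TS drops a session after 3 bad passwords but the local
    Administrator account never locks out, so failures are counted across reconnects."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event"] == 529 and ev["ltype"] == 10:
            failures[(ev["user"], ev["src"])].append(ev["ts"])
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits
```

The six Administrator failures from one source span two disconnect-and-reconnect rounds, which is exactly the pattern a per-session 3-strike limit does not stop.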
Author Comment

by:smithware
ID: 11847059
Decent suggestions, but perhaps I should clarify myself.... I'm not really worried about security from the outside.... what I really want to do is secure my network from one of the people I have to give TS access to... I want to make sure he doesn't have access to the rest of my network.... while my internal security is fairly strong, I'd like to know how to make it even more secure.... definitely I'd like to put him on a different domain, I think.... that would take my normal security right out of play.... and he doesn't really need access to domain resources. He'll need to have a domain account on my main domain for the exchange server, but it doesn't have to have logon rights. What else can I do? different subnet with routing tables to connect to the 2 servers he needs?