Question on terminal server access security

Posted on 2004-10-05
Last Modified: 2010-04-14
In order to add a level of security, I have created a custom client version that allows me to deny terminal server access to anyone who does not have this version. This works great when not using a VPN to connect.

However, I have a situation where I am implementing Wyse Win terminals, which do not support custom clients.

So my question is: what other techniques are out there for blocking access to terminal servers? Such as MAC address, perhaps.

Thanks in advance
Question by:Zoldy2000
13 Comments

Expert Comment by mikeleebrla (LVL 25), ID: 12230624
It all depends on your network setup really, which you didn't tell us about... For example, if you have a quality firewall, you would want to only allow access to your terminal server port (3389) from particular IP addresses.

Author Comment by Zoldy2000 (LVL 2), ID: 12230654
That is not possible, as the clients' IP changes. I thought of changing the port number, but that is not quite as secure...

Expert Comment by Chipm0nk (LVL 8), ID: 12230743
Don't know if this is what you're fishing for, but...

You can set up your Terminal Server as an IPSec secured server ('require IPSec' in the IPSec policy). You will need to enable IPSec clients ('respond' policy) on all your clients and issue them with certificates from your cert server (normally on one of your AD servers) that will be used to set up the IPSec tunnel with the TS. This will provide you with a high level of security through encryption and authentication for your TS users, and it works below the app level, so you need not worry about the client type.

Author Comment by Zoldy2000 (LVL 2), ID: 12230750
I am not sure I can do that with the Win Terminals, but I will certainly check. Thank you.

Expert Comment by Chipm0nk (LVL 8), ID: 12230753
BTW: with IPSec, you will need to allow port 500 and IPSec packets through your firewalls/routers, but can effectively block port 3389 once all your clients are using IPSec.

Author Comment by Zoldy2000 (LVL 2), ID: 12230772
Can you explain to me how this works to allow only the systems I permit to access the server? How is the client configured to be unique?

Expert Comment by mikeleebrla (LVL 25), ID: 12230925
Actually, changing the default TS port number would make it MORE secure, not less. Since any time anyone does a port scan on you and sees that port 3389 is open, they automatically know which app to use to hack into that port; if you changed it, they would have no clue that port xxxx is your TS port.

Author Comment by Zoldy2000 (LVL 2), ID: 12230953
The way it is currently, with a custom client, is the most secure. If you don't have it, you don't get in.

Expert Comment by Chipm0nk (LVL 8), ID: 12232907
With IPSec, your clients need to authenticate in order to set up the tunnel. This guarantees that the client is one that you have authorized to access the machine. You can use certificates to do this; placing them on USB keys makes this very secure, as the user can pocket the key when away from his/her system. If you don't want to use certs, you can use a shared secret (i.e. a password), but this must be the same on both sides and hardcoded.

If you secure the infrastructure, you don't need to worry about the applications...
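A concrete form of the policy Chipm0nk describes across the comments above (require IPSec on the TS port, certificate or shared-secret authentication, and the firewall openings it needs), added here as an example and not code from the thread. It assumes Windows Server 2003's `netsh ipsec static` context (parameter names as I recall them; confirm with `netsh ipsec static add rule /?`), an enterprise CA whose DN is a placeholder, and that the Wyse terminals can run an IPSec responder at all, which the thread leaves open.

```batch
@echo off
rem Added example, not from the thread: a "require IPSec for the TS port"
rem policy built on the terminal server itself. Quoted names are chosen
rem here; the CA distinguished name is a placeholder to replace.

rem 1. An (unassigned) policy object to hold the rule.
netsh ipsec static add policy name="TS-RequireIPSec" description="Require IPSec for TCP 3389"

rem 2. A filter list matching traffic from anywhere to this host's TS port.
rem    mirrored=yes also covers the replies going back out.
netsh ipsec static add filterlist name="TS-3389"
netsh ipsec static add filter filterlist="TS-3389" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 3. A filter action that negotiates security and never falls back to
rem    cleartext: inpass=no (no unsecured inbound), soft=no (no soft SAs).
rem    Without this, a "respond only" peer could still talk in the clear.
netsh ipsec static add filteraction name="TS-Negotiate" action=negotiate inpass=no soft=no

rem 4. Tie them together. Authentication is by machine certificate chained
rem    to your CA (kerberos=no), so each client is enrolled individually
rem    and can be revoked on its own. For a pre-shared key instead, which
rem    the thread notes is weaker because every client holds the same
rem    secret, replace rootca=... with psk="your-shared-secret".
netsh ipsec static add rule name="TS-Rule" policy="TS-RequireIPSec" filterlist="TS-3389" filteraction="TS-Negotiate" kerberos=no rootca="CN=Example Enterprise CA,DC=example,DC=local"

rem 5. Assign the policy; enforcement starts once the IPSec driver loads it.
netsh ipsec static set policy name="TS-RequireIPSec" assign=y

rem Firewall side, per the thread: permit UDP 500 (IKE) and ESP (IP protocol
rem 50) to the TS, plus UDP 4500 if any NAT sits in the path; TCP 3389 then
rem only needs to be reachable through the IPSec-secured path.
rem Each client needs a "respond" style policy (Client (Respond Only) on
rem Windows 2000/XP) and its own machine certificate from the same CA.
```

Assigning a policy with `inpass=no` locks out every client that cannot negotiate, so test it with one enrolled client before rolling it out to the terminals.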

Author Comment by Zoldy2000 (LVL 2), ID: 12236925
After considering all of my options, I have decided to continue doing what I am doing (adding the client version found on the Wyse terminals) and set up connections through a custom port on my firewall for another layer of security.

How is that done? Do I have to set up my terminal server to accept connections on another port, or is all of this done on my firewall?

My firewall is a Fortinet product and has all of the necessary features.

Expert Comment by Chipm0nk (LVL 8), ID: 12238206
You have 2 options. Either set up your firewall to mask port 3389 as another port on the outside, i.e. the firewall accepts connections on port 9999 and forwards them to your server on port 3389. The other option is simpler and just involves changing the port that your TS runs on (to 9999, for example), and then setting up port forwarding on the firewall to forward all packets received on port 9999 to your TS box.

Author Comment by Zoldy2000 (LVL 2), ID: 12238363
I posted a similar question to the firewall experts and they agree with my original thoughts: that changing the port number really does not do anything. A port scanner will still pick it up. Back to the drawing board.

The reason the custom client is so secure is that not only do you have to know what the number is, you have to know how to change it, which is not that simple.

Accepted Solution by robrandon (LVL 16), earned 1500 total points, ID: 12262243
Not sure if you implemented a solution, but you may be able to set up MAC address filtering on your switch. I know that most Cisco and Nortel switches support this.