
How do I Restrict Remote desktop (RDP) with ISA server 2004 - and limit incoming SMTP servers

Last Modified: 2013-11-21
Hi,

I have to look after an MS Small Business Server 2003 Premium using ISA Server as the firewall, and two network cards.

Currently I have a rule which allows a remote desktop connection directly to the server, but from any location on the internet, so I am having to rely on a strong password.

How do I create a rule which will restrict RDP access so only a selected few IP addresses can connect to administer the server?

Also, following on from this rule, I would like incoming SMTP mail to be only accepted from one DNS name (or a selection of IP addresses), and for the server to deny SMTP access from anything else.

Will anyone please make it simple for me.

Thanks

John


Jeffrey Kane - TechSoEasy, Principal Consultant
CERTIFIED EXPERT
Most Valuable Expert 2016
Top Expert 2014

Commented:
I'd strongly suggest that you don't restrict RDP access to select IP addresses because if you have an emergency and need someone trusted to handle for you, then you're out of luck.  Using a VERY strong password is the best way to keep your server secure.  

And what's your goal of restricting SMTP connections?  Do you only want to receive email from those few people?  

Can you describe what you are ultimately trying to protect against?  Because I've often found that folks focus on specific areas that they have heard may be a security problem, while ignoring other very basic security practices.

I'm not saying that you fall into this category... at least until I know more... but your question sure sounds as though you may be a candidate.  :-)

Jeff
TechSoEasy

Keith Alabaster, Enterprise Architect
CERTIFIED EXPERT
Top Expert 2008

Commented:
Jeff has a point on the RDP. If you really want to do it then you use the Toolbox within the GUI to create Computer Objects matching the IP addresses of the devices you want, then place these objects in the FROM box in the publishing rule. Personally I leave this open and use the strong password approach myself also.

Did you mean receive email from just one SMTP server rather than from one DNS server? Unless you are pulling email from an ISP's mail server rather than directly from sending mail servers I can't see the benefit. However, if you REALLY want to do it then the same approach can be used as I mention above for RDP.

I would suggest also (maybe Jeff can confirm this as ISA is my area but SBS is definitely his) that if you ever ran the SBS wizards, it would likely create the rules again to meet best practice and this could remove your restrictions.

Keith

Author

Commented:
I think if I had an emergency and needed someone else to help, I could allow all RDP connections, then after the aid, I could restrict it again.  We have a few trusted people and it would be these people's IP addresses that would be allowed.

The reason for blocking all but a set of SMTP servers is that all our incoming mail is directed to our ISP that offers the services of scanning for viruses & spam off site, and then forwarding the "safe" mail to our SMTP server.  This service offloads the processing of virus scanning away from the Exchange server, and reduces bandwidth usage.

I hope this explains my questions.

Author

Commented:
Thanks for your thoughts.  We are in fact using a similar service http://www.maildefender.co.uk/products/maildefender which does do SMTP scanning for spam & viruses.  So we only want these servers to send mail to our Exchange.  Hence the question: how do I create a rule that only allows SMTP traffic from certain IP addresses?

I still want to restrict the RDP access to specific IP addresses, but when I tried to create a rule it still allowed all IP addresses in.  So I think I need the help in a simple format.

Thanks

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Well, in that case, you really should speak with MailDefender for their recommended configuration.  Because if they support SenderID filtering, you can just use that:  http://www.msexchange.org/tutorials/Configuring-enabling-Sender-ID-filtering-Exchange-2003-SP2.html.  This would be the simplest way to solve the problem because essentially you would accept only from them and reject all others.

I really have no idea why you would want to restrict RDP access.  Honestly, you are painting yourself into a corner.  If you are that concerned about security then you should really be looking at a stronger level of authentication and encryption which you can read about here:
http://technet2.microsoft.com/windowsserver/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
This is because even if you restrict a connection from a specific IP address, that IP address can be spoofed (in addition to being inconvenient).

Jeff
TechSoEasy

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Another option for RDP, by the way, is to close port 3389 entirely to only allow RDP via VPN.  

Jeff
TechSoEasy

Author

Commented:
Jeff,

I really appreciate the time you give in answering my questions... and I finally take on board what you say about restricting RDP access, and I will leave it well alone.

With regard to the MailDefender settings, all I need to do to the ISA server is to create an access rule that only allows SMTP mail from one IP address (which is the ISP's mail server) and not accept any mail from any other SMTP server.  Please can I have the simple instructions for setting up the access rule.

Thanks

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
There should already be a rule in ISA Server for inbound SMTP.  You would need to modify that rule to accept from the single IP address rather than from ALL.

I can't give you much more in the way of instructions for that because I really have started moving away from using ISA and don't have a test box that I can use at the moment.

Jeff
TechSoEasy
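
The approach described in the replies above (source objects in the FROM box of the RDP rule, and the inbound SMTP rule changed from ALL to a single address), worked through as an added example that is not from any poster in this thread and is not ISA Server code. It is a simplified ordered, first-match model with a default deny; the rule names and addresses are constructed, and it shows how a leftover rule that still allows Anywhere keeps a port open to everyone.

```python
import ipaddress
from dataclasses import dataclass

ANYWHERE = "0.0.0.0/0"   # stands in for a rule whose From list is "Anywhere"

@dataclass(frozen=True)
class Rule:
    name: str       # hypothetical rule names, not ISA defaults
    port: int
    action: str     # "allow" or "deny"
    sources: tuple  # CIDR strings standing in for Computer / Address Range objects

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def evaluate(rules, src, port):
    """Ordered evaluation: the first rule matching port and source decides."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if r.port == port and any(ip in n for n in _nets(r.sources)):
            return r.action, r.name
    return "deny", "default deny"

def too_broad(rules, port, intended):
    """Names of allow rules on `port` that admit sources outside `intended`."""
    ok = _nets(intended)
    return [r.name for r in rules
            if r.port == port and r.action == "allow"
            and not all(any(n.subnet_of(o) for o in ok) for n in _nets(r.sources))]

# Constructed policy: restricted rules were added, but an older open RDP rule remains.
ISP_RELAY = ("203.0.113.10/32",)   # constructed address for the mail-filtering service
ADMINS = ("198.51.100.8/29",)      # constructed range for trusted administrators
POLICY = [
    Rule("SMTP from ISP relay only", 25, "allow", ISP_RELAY),
    Rule("RDP from admins only", 3389, "allow", ADMINS),
    Rule("RDP publishing (old)", 3389, "allow", (ANYWHERE,)),
]

if __name__ == "__main__":
    for src, port in [("203.0.113.10", 25), ("192.0.2.77", 25), ("192.0.2.77", 3389)]:
        print(src, port, evaluate(POLICY, src, port))
    print("RDP rules still too broad:", too_broad(POLICY, 3389, ADMINS))
```

In this model the SMTP restriction holds because only one rule covers port 25, while the RDP restriction has no effect until the older open rule is removed or narrowed.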

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
Is there a reason that you gave a "C" grade?  Because really that shouldn't be given unless an expert fails to respond to your follow-up questions.  Since you never provided that opportunity, it's totally out of line here.

Perhaps you might want to review:  https://www.experts-exchange.com/help.jsp#hi73

An explanation would certainly be appreciated.

Jeff
TechSoEasy

Author

Commented:
Jeff,

Sorry, you are quite correct... I didn't mean to put a "C" grade, I meant to click the "A" option, as you were very helpful and followed up all the questions.

I think I must have just misclicked.  Is there a way that I can correct my mistake?

Jeffrey Kane - TechSoEasy, Principal Consultant

Commented:
No Problem... the question has been re-opened.  Please just accept an answer again to close it.

Jeff
TechSoEasy