Solved

Security, FIPS

Posted on 2008-06-12
Last Modified: 2013-11-08
What is the best implementation for security using TS? I am looking at an implementation of the server possibly to the outside on port 3389. Also, is running FIPS security the best option and enough from a security standpoint? Any security recommendations would be a huge help.

Question by:Jack_son_
 
LVL 6

Accepted Solution

by:
raptorjb007 earned 125 total points
ID: 21774828
FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS incompatible 3DES. The problem you run into with enforcing FIPS encryption is that any client not configured to use FIPS compatible encryption algorithms via the group policy setting will be unable to establish a connection. Using this setting on clients will inhibit their ability to utilize certain other SSL protected resources like certain websites configured to use the weaker RC4 for SSL communications. The "High" encryption setting is usually sufficient in most non-military/government implementations.

The recommended solution to securing your terminal server would be to not allow direct RDP access from the internet but rather require an alternate form of authentication/encryption like a VPN tunnel or even SSH for more advanced users.

If a VPN is not possible, I would recommend hardening the Terminal Server's OS, placing the server in a DMZ on your network, and if possible using your firewall to limit access to the server via IP address.

Keep in mind, this is a Windows OS you are exposing to the internet. It is a popular OS, so a lot of exploits are known and targeted; it is critical to keep all security and anti-malware applications up-to-date.

Recommended Reading:

Locking Down Windows Server 2003 Terminal Server Sessions
(http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc)

Windows Server 2003 Security Guide
(http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en)

How Secure are Windows Terminal Services
(http://www.windowsecurity.com/articles/Windows_Terminal_Services.html)
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21774837
Correction in first sentence:

FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS >>compatible<< 3DES.

0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 21778441
TS, when set to high encryption, uses a 128-bit RC4 stream cipher, which is pretty good; however, there is the possibility of a MITM attack or brute force (using TSGrinder from HOG or similar) password guessing.
http://www.oxid.it/downloads/rdp-gbu.pdf
VPN'ing to the server or LAN and then using TS/RDP to log in to the server is the recommended path.
I'd suggest if you plan on opening TS to the outside you can do several things. Rename the local administrator account; it cannot be locked out, so this makes it the ideal target for TSGrinder. In addition to that, if you want, this is the only time I'd suggest using a blank password. You cannot TS to a machine when the password is blank, just remember to change the administrator name. Change the listening port number, maybe use port 80 if you don't have a webserver, or use 443, even TS's own port backwards, 9833.
http://support.microsoft.com/kb/306759
The above poster also has good info!
-rich
0
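The settings discussed in the two answers above (encryption level, FIPS policy, listening port, built-in administrator name) can be checked with a read-only audit. This is an added example, not part of any poster's reply; it assumes PowerShell 3.0 or later on the terminal server and the standard Terminal Services registry locations, and the warning wording is illustrative.

```powershell
# Added example: read-only audit of the Terminal Server settings discussed in this thread.
# Assumptions: PowerShell 3.0+, standard registry locations, run locally as an administrator.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$levels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# A group policy value, when present, takes precedence over the per-listener setting.
$level = Get-RegValue $tsPol 'MinEncryptionLevel'
if ($null -eq $level) { $level = Get-RegValue $rdpTcp 'MinEncryptionLevel' }

# FIPS policy: an Enabled value in a subkey on newer Windows, a value directly under Lsa on XP/2003.
$fips = Get-RegValue "$lsa\FipsAlgorithmPolicy" 'Enabled'
if ($null -eq $fips) { $fips = Get-RegValue $lsa 'FIPSAlgorithmPolicy' }

$port = Get-RegValue $rdpTcp 'PortNumber'

# The built-in administrator keeps RID 500 even after it is renamed.
$admin = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }

$report = [pscustomobject]@{
    EncryptionLevel  = if ($null -ne $level) { $levels[[int]$level] } else { 'not set' }
    FipsPolicy       = [bool]$fips
    ListeningPort    = $port
    BuiltInAdminName = $admin.Name
}
$report | Format-List

# Flag the conditions the answers above advise against.
if ($null -eq $level -or [int]$level -lt 3) {
    Write-Warning 'Encryption level is below High.'
}
if ($admin.Name -eq 'Administrator') {
    Write-Warning 'Built-in administrator account has not been renamed.'
}
if ($port -eq 3389) {
    Write-Warning 'RDP is listening on the default port 3389.'
}
```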
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21832690
Was the information provided helpful?
0
 

Author Comment

by:Jack_son_
ID: 21837315
Thanks, this info has helped with deploying the TS
0
