Solved

Security, FIPS

Posted on 2008-06-12
5
547 Views
Last Modified: 2013-11-08
What is the best implementation for security using TS? I am looking at am impletation of the server possibly to the outside on port 3389.  Also is running FIPS security best option and enough from a security standpoint?  Any security recomendations would be a huge help.

0
Comment
Question by:Jack_son_
  • 3
5 Comments
 
LVL 6

Accepted Solution

by:
raptorjb007 earned 125 total points
ID: 21774828
FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS incompatible 3DES. The problem you run into with enforcing FIPS encryption is that any client not configured to use FIPS compatible encryption algorithms via via the group policy setting will be unable to establish a connection. Using this setting on clients will inhibit their ability to utilize certain other SSL protected resources like certain websites configured to use the weaker RC4 for SSL communications. The "High" encryption setting is usually sufficient in most non-military/government implementations..

The recommended solution to securing your terminal server would be to not allow direct RDP access from the internet but rather require an alternate form of authentication/encryption like a VPN tunnel or even SSH for more advanced users.

If a VPN is not possible, I would recommend hardening the Terminal Server's OS, placing the server in a DMZ on your network, and if possible using your firewall to limit access to the server via IP address.

Keep in mind, this is a Windows OS you are exposing to the internet, it is a popular OS so alot of exploits are known and targeted, it is critical to keep all security and anti-malware applications up-to-date.

Recommended Reading:

Locking Down Windows Server 2003 Terminal Server Sessions
(http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc)

Windows Server 2003 Security Guide
(http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en)

How Secure are Windows Terminal Services
(http://www.windowsecurity.com/articles/Windows_Terminal_Services.html)
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21774837
Correction in first sentence:

FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS >>compatible<< 3DES.

0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 21778441
TS when set to high encryption, uses a 128-Bit RC4 stream cipher, which is pretty good, however there is the possibility of a mitm attack or brute force (using TSGrinder from HOG or similar) password guessing.
http://www.oxid.it/downloads/rdp-gbu.pdf
VPN'ing to the server or LAN and then using TS/RDP to login the server is the recommended path
I'd suggest if you plan on opening TS to the outside you can do several things. Rename the local administrator account, it cannot be locked out so this makes it the ideal target for TSGrinder, in addition to that, if want, this is the only time I'd suggest using a blank password. You cannot TS to a machine when the password is blank, just remember to change the administrator name. Change the listening port number, maybe use port 80 if you don't have a webserver, or use 443, even TS's own port backwards 9833.
http://support.microsoft.com/kb/306759
The above poster also has good info!
-rich
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21832690
Was the information provided helpful?
0
 

Author Comment

by:Jack_son_
ID: 21837315
Thanks, this info has helped with deploying the TS
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
This video discusses moving either the default database or any database to a new volume.
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now