Solved

Security, FIPS

Posted on 2008-06-12
553 Views
Last Modified: 2013-11-08
What is the best implementation for security using TS? I am looking at an implementation of the server, possibly to the outside on port 3389. Also, is running FIPS security the best option and enough from a security standpoint? Any security recommendations would be a huge help.

Question by:Jack_son_
5 Comments
 
LVL 6

Accepted Solution

by:
raptorjb007 earned 125 total points
ID: 21774828
FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS incompatible 3DES. The problem you run into with enforcing FIPS encryption is that any client not configured to use FIPS compatible encryption algorithms via the group policy setting will be unable to establish a connection. Using this setting on clients will inhibit their ability to utilize certain other SSL protected resources, like certain websites configured to use the weaker RC4 for SSL communications. The "High" encryption setting is usually sufficient in most non-military/government implementations.

The recommended solution to securing your terminal server would be to not allow direct RDP access from the internet but rather require an alternate form of authentication/encryption like a VPN tunnel or even SSH for more advanced users.

If a VPN is not possible, I would recommend hardening the Terminal Server's OS, placing the server in a DMZ on your network, and if possible using your firewall to limit access to the server via IP address.

Keep in mind that this is a Windows OS you are exposing to the internet; it is a popular OS, so a lot of exploits are known and targeted, and it is critical to keep all security and anti-malware applications up-to-date.

Recommended Reading:

Locking Down Windows Server 2003 Terminal Server Sessions
(http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc)

Windows Server 2003 Security Guide
(http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en)

How Secure are Windows Terminal Services
(http://www.windowsecurity.com/articles/Windows_Terminal_Services.html)
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21774837
Correction in first sentence:

FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS >>compatible<< 3DES.

0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 125 total points
ID: 21778441
TS, when set to high encryption, uses a 128-bit RC4 stream cipher, which is pretty good; however, there is the possibility of a MITM attack or brute-force password guessing (using TSGrinder from HOG or similar).
http://www.oxid.it/downloads/rdp-gbu.pdf
VPN'ing to the server or LAN and then using TS/RDP to login the server is the recommended path
If you plan on opening TS to the outside, I'd suggest you can do several things. Rename the local administrator account; it cannot be locked out, so this makes it the ideal target for TSGrinder. In addition to that, if you want, this is the only time I'd suggest using a blank password: you cannot TS to a machine when the password is blank, just remember to change the administrator name. Change the listening port number; maybe use port 80 if you don't have a webserver, or use 443, or even TS's own port backwards, 9833.
http://support.microsoft.com/kb/306759
The above poster also has good info!
-rich
0
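An added audit script, not from this thread or either expert, that reads the settings both answers discuss: raptorjb007's encryption level, and Rich's non-default listening port and renamed built-in Administrator. It assumes a modern Windows host with PowerShell 5.1 or later (for Get-LocalUser) and read access to the Terminal Server registry keys referenced by the linked KB article.

```powershell
# Added audit script (not from the thread): reports whether the Terminal Services
# settings the answers discuss match the recommended hardened values.
# Assumes PowerShell 5.1+ on Windows with read access to HKLM.
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsRoot 'WinStations\RDP-Tcp'

# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS Compliant
$encNames = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }

$ts  = Get-ItemProperty -Path $tsRoot -ErrorAction Stop
$rdp = Get-ItemProperty -Path $rdpTcp -ErrorAction Stop

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Value, $Ok, $Advice) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; OK = $Ok; Advice = $Advice })
}

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means connections are refused.
Add-Finding 'RDP enabled' ($ts.fDenyTSConnections -eq 0) $true 'Disable if the server does not need TS.'

# 2. Encryption level (raptorjb007: High is usually enough; FIPS breaks non-FIPS clients).
$lvl = [int]$rdp.MinEncryptionLevel
Add-Finding 'MinEncryptionLevel' "$lvl ($($encNames[$lvl]))" ($lvl -ge 3) 'Set to High (3) or FIPS (4).'

# 3. Listening port (Rich Rumble / KB306759: move off the default 3389).
$port = [int]$rdp.PortNumber
Add-Finding 'PortNumber' $port ($port -ne 3389) 'Non-default port cuts opportunistic scans; still use VPN or firewall IP limits.'

# 4. Built-in Administrator renamed? The well-known RID 500 identifies it regardless of name.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
Add-Finding 'Built-in admin name' $admin.Name ($admin.Name -ne 'Administrator') 'Rename so guessing tools cannot rely on the default name.'

$findings | Format-Table -AutoSize
```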
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21832690
Was the information provided helpful?
0
 

Author Comment

by:Jack_son_
ID: 21837315
Thanks, this info has helped with deploying the TS
0
