  • Status: Solved
  • Priority: Medium
  • Security: Public

Security, FIPS

What is the best implementation for security using TS? I am looking at an implementation of the server possibly to the outside on port 3389. Also, is running FIPS security the best option and enough from a security standpoint? Any security recommendations would be a huge help.

Asked by: Jack_son_
 
raptorjb007 Commented:
FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS incompatible 3DES. The problem you run into with enforcing FIPS encryption is that any client not configured to use FIPS compatible encryption algorithms via the group policy setting will be unable to establish a connection. Using this setting on clients will inhibit their ability to utilize certain other SSL protected resources like certain websites configured to use the weaker RC4 for SSL communications. The "High" encryption setting is usually sufficient in most non-military/government implementations.

The recommended solution to securing your terminal server would be to not allow direct RDP access from the internet but rather require an alternate form of authentication/encryption like a VPN tunnel or even SSH for more advanced users.

If a VPN is not possible, I would recommend hardening the Terminal Server's OS, placing the server in a DMZ on your network, and if possible using your firewall to limit access to the server via IP address.

Keep in mind, this is a Windows OS you are exposing to the internet. It is a popular OS, so a lot of exploits are known and targeted. It is critical to keep all security and anti-malware applications up-to-date.

Recommended Reading:

Locking Down Windows Server 2003 Terminal Server Sessions
(http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc)

Windows Server 2003 Security Guide
(http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en)

How Secure are Windows Terminal Services
(http://www.windowsecurity.com/articles/Windows_Terminal_Services.html)
 
raptorjb007 Commented:
Correction in first sentence:

FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS >>compatible<< 3DES.

 
Rich Rumble (Security Samurai) Commented:
TS, when set to high encryption, uses a 128-bit RC4 stream cipher, which is pretty good; however, there is the possibility of a MITM attack or brute-force (using TSGrinder from HOG or similar) password guessing.
http://www.oxid.it/downloads/rdp-gbu.pdf
VPN'ing to the server or LAN and then using TS/RDP to log in to the server is the recommended path.
I'd suggest if you plan on opening TS to the outside you can do several things. Rename the local administrator account; it cannot be locked out, so this makes it the ideal target for TSGrinder. In addition to that, if you want, this is the only time I'd suggest using a blank password. You cannot TS to a machine when the password is blank; just remember to change the administrator name. Change the listening port number; maybe use port 80 if you don't have a web server, or use 443, or even TS's own port backwards, 9833.
http://support.microsoft.com/kb/306759
The above poster also has good info!
-rich
 
raptorjb007 Commented:
Was the information provided helpful?
 
Jack_son_ (Author) Commented:
Thanks, this info has helped with deploying the TS.
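Added example (not part of any post in this thread): a small Python audit of the two Terminal Server settings the answers discuss, the encryption level and the listening port, read from `reg query` output for the RDP-Tcp listener key. The sample output is constructed, the function names are hypothetical, and the 1 to 4 mapping of `MinEncryptionLevel` is assumed to match the Low / Client Compatible / High / FIPS Compliant choices in the Terminal Services configuration UI.

```python
import re

# Constructed sample of `reg query` output for the RDP-Tcp listener key
# (values are made up for illustration, not taken from the thread).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d
    MinEncryptionLevel    REG_DWORD    0x2
"""

# Assumed mapping of MinEncryptionLevel to the UI encryption choices.
LEVELS = {1: "Low", 2: "Client Compatible", 3: "High", 4: "FIPS Compliant"}


def parse_dwords(text):
    """Return {value_name: int} for every REG_DWORD line in reg query output."""
    pattern = re.compile(
        r"^[ \t]*(\S+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t]*$", re.M)
    return {name: int(value, 16) for name, value in pattern.findall(text)}


def audit(text, internet_facing=True):
    """Return a list of findings measured against the advice in the thread."""
    values = parse_dwords(text)
    findings = []

    level = values.get("MinEncryptionLevel")
    if level is None:
        findings.append("MinEncryptionLevel not found; encryption level unknown")
    elif level < 3:
        findings.append("encryption level is %s; set High or FIPS Compliant"
                        % LEVELS.get(level, level))

    port = values.get("PortNumber")
    if port is None:
        findings.append("PortNumber not found; listener port unknown")
    elif internet_facing and port == 3389:
        findings.append("default port 3389 is internet-facing; prefer a VPN, "
                        "or restrict source IPs at the firewall")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a real server the input would come from `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"`.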
