Solved

Security, FIPS

Posted on 2008-06-12
Last Modified: 2013-11-08
What is the best implementation for security using TS? I am looking at an implementation of the server, possibly exposed to the outside on port 3389. Also, is running FIPS security the best option and enough from a security standpoint? Any security recommendations would be a huge help.

Question by: Jack_son_
Accepted Solution by: raptorjb007 (earned 125 total points)
ID: 21774828
FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS incompatible 3DES. The problem you run into with enforcing FIPS encryption is that any client not configured to use FIPS compatible encryption algorithms via the group policy setting will be unable to establish a connection. Using this setting on clients will inhibit their ability to utilize certain other SSL protected resources, like certain websites configured to use the weaker RC4 for SSL communications. The "High" encryption setting is usually sufficient in most non-military/government implementations.

The recommended solution to securing your terminal server would be to not allow direct RDP access from the internet but rather require an alternate form of authentication/encryption like a VPN tunnel or even SSH for more advanced users.

If a VPN is not possible, I would recommend hardening the Terminal Server's OS, placing the server in a DMZ on your network, and if possible using your firewall to limit access to the server via IP address.

Keep in mind that this is a Windows OS you are exposing to the internet. It is a popular OS, so a lot of exploits are known and targeted; it is critical to keep all security and anti-malware applications up-to-date.

Recommended Reading:

Locking Down Windows Server 2003 Terminal Server Sessions
(http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc)

Windows Server 2003 Security Guide
(http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB&displaylang=en)

How Secure are Windows Terminal Services
(http://www.windowsecurity.com/articles/Windows_Terminal_Services.html)
Expert Comment by: raptorjb007
ID: 21774837
Correction in first sentence:

FIPS encryption is certainly more secure as you change algorithms from the faster but weaker RC4 encryption to the FIPS >>compatible<< 3DES.

Assisted Solution by: Rich Rumble (earned 125 total points)
ID: 21778441
TS, when set to high encryption, uses a 128-bit RC4 stream cipher, which is pretty good; however, there is the possibility of a MITM attack or brute-force password guessing (using TSGrinder from HOG or similar).
http://www.oxid.it/downloads/rdp-gbu.pdf
VPN'ing to the server or LAN and then using TS/RDP to log in to the server is the recommended path.
I'd suggest that if you plan on opening TS to the outside, you can do several things. Rename the local administrator account; it cannot be locked out, so this makes it the ideal target for TSGrinder. In addition to that, if you want, this is the only time I'd suggest using a blank password. You cannot TS to a machine when the password is blank; just remember to change the administrator name. Change the listening port number: maybe use port 80 if you don't have a webserver, or use 443, or even TS's own port backwards, 9833.
http://support.microsoft.com/kb/306759
The above poster also has good info!
-rich
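An added example (not code from either answer or from Microsoft) that audits a host against the hardening points the two answers raise: the RDP encryption level, the FIPS policy and its client-compatibility side effect, the listening port from KB 306759, and whether the built-in administrator account is still named "Administrator". It assumes an elevated PowerShell session and the standard registry locations; the `FipsAlgorithmPolicy\Enabled` value is the Vista-and-later location, and Windows Server 2003 stores that flag differently.

```powershell
# Added example: report weak RDP settings on the local host.
# Assumptions: run elevated; standard RDP-Tcp WinStation key; FIPS flag at the
# Vista-and-later location (Windows 2003 differs).
function Test-RdpHardening {
    $rdpTcp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $lsaFips = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $findings = @()

    # 1. Minimum encryption level: 1 = Low, 2 = Client Compatible,
    #    3 = High (128-bit RC4, as described above), 4 = FIPS compliant.
    $lvl = (Get-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -ErrorAction SilentlyContinue).MinEncryptionLevel
    if ($null -eq $lvl -or $lvl -lt 3) {
        $findings += "MinEncryptionLevel is '$lvl'; set it to 3 (High) or 4 (FIPS)."
        # Corrected setting: Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3
    }

    # 2. FIPS policy: stronger algorithms (3DES), but clients not configured for
    #    FIPS via group policy cannot connect, as the first answer notes.
    $fips = (Get-ItemProperty -Path $lsaFips -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($fips -eq 1) {
        $findings += "FIPS algorithm policy is enforced; non-FIPS clients will fail to connect."
    }

    # 3. Listening port (PortNumber, per KB 306759): 3389 is the well-known default
    #    the question proposes exposing directly.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if ($port -eq 3389) {
        $findings += "RDP listens on the default port 3389; prefer VPN access over direct exposure."
    }

    # 4. Built-in Administrator (RID 500) still carrying its default name is the
    #    password-guessing target the second answer describes.
    $admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    if ($admin -and $admin.Name -eq 'Administrator') {
        $findings += "Built-in administrator account has not been renamed."
    }

    return $findings
}

$result = Test-RdpHardening
if ($result.Count -eq 0) { 'No weak RDP settings found.' } else { $result }
```

Each finding is informational; apply the commented corrections only after confirming every connecting client supports the stricter setting.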
Expert Comment by: raptorjb007
ID: 21832690
Was the information provided helpful?
Author Comment by: Jack_son_
ID: 21837315
Thanks, this info has helped with deploying the TS