We help IT Professionals succeed at work.

Remote Desktop Web Connection Config and Security

885 Views
Last Modified: 2013-11-21
Hello could some one please help me out here Im sort of completely lost so any help would be much appreciated.

OK I have a 2K3 AD domain. I have an internal TS Server which our VPN and Remote users use to gain access to certain apps. My boss has tasked me with setting up a web acces page to get access from the web to the terminal server, a bit like Remote Web Workplace in SBS2003.

Ok I have a 2k3 server on the internal network running IIS and hosting the TSWeb web page, I have a rule on the ISA box to allow HTTP and HTTPS traffic from the web pointing to the webserver. I have configured the public IP and paths etc.

I go to an internet browser from the internet type in the public name and I get prompted for my domain username and password

*** 1st issue how secure is this sending of the password from here?

I enter my credentials and viola I get the TSWeb page up no problem. So I enter the name of the terminal server which I want to connect to and I get an error saying that the client could not be found.
 
*** 2nd issue any ideas why this cannot resolve the server name? I thought with the web page being on the internal network I would be able to use the internal name.

So then I enter the internal IP of the Terminal Server, I get a different error this time saying that a network issue may be causing the problem?

*** 3rd question my gut feeling is that traffic across port 3389 (RDP) is being blocked by ISA does this sound right? If I open up the port traffic over the default RDP port how secure is this going to be? Is there any way I can change the port that traffic runs across and if there is could some one please give me advice on how to do this?

And finally if anyone is reading this does this solution sound completely wrong? Am I leaving a giant great big hole in security on our network? I was half surprised I even got the website to publish on the web, so to get this far is quite surprising.
Comment
Watch Question

Top Expert 2007

Commented:
1: If it's HTTPS then you can consider it safe. Do not use HTTP for authentication, as userid and password can easily be sniffed. You should not even allow HHTP to that server on your ISA, only allow HTTPS.
2: From reading your setup I guess that this is because you have not allowed port 3389 to the terminal server.
3: Currently there are only two known vulnerabilities for remote desktop on Server 2003 and XP: a man in the middle attack (even implemented in a well known white hat testing tool ) and a DDOS.
This means that a simple forward like you are considering can be used when you are not in a high security environment (no earth shaking secrets or severe downtime when the TS is down).

You can prevent the MITM attack by using TLS with RDP: see http://technet2.microsoft.com/WindowsServer/en/library/a92d8eb9-f53d-4e86-ac9b-29fd6146977b1033.mspx?mfr=true
Or you could use a VPN of course.

You could change the port, but I see this as security by obscurity. If someone wants to attack you, then it is no additional security at all. Nmap finds your changed port very easily through the emitting RDP signature.

BTW, Vista & Server 2008 are not vulnerable to these attacks.

A strong password policy is a must!
I have implemented direct forwards (hole in the firewall) on RDP in low security environments and never had one cracked. This is 10 years of RDP experience speaking ;-) So choose wisely depending on your environment and potential risks.

On encryption:
The encryption and authentication in remote desktop are actually quit good if you change the default to force stronger encryption.
By default, the encryption level for Terminal Services sessions is set to Client Compatible to provide the highest encryption level that is supported by the client.
Other available options:
- High - This setting provides bidirectional security by using a 128-bit cipher.
- Low - This setting uses 56-bit encryption.
- FIPS Compliant - All data is encrypted by using Federal Information Processing Standard 140-1 validated methods.
All levels use the RSA RC4 encryption.

J.

Author

Commented:
Thanks for your reply.

I have been told under no uncertain circumstances can I publish port 3389, so we are going to use 4125, the ports are open across the ISA box etc but when I go to the web page and try and connect the client is still looking to port 3389 and failing, how do I changethe client from the web site to look at port 4125?

Author

Commented:
I still cant connect even after I have opened the port on the server, I have used wireshark while trying to connect and it has proved that when trying to connect to the server it is trying to use port 3389.

Here is the packet summary
Transmission Control Protocol, Src Port: dtserver-port (4028), Dst Port: ms-wbt-server (3389), Seq: 0, Len: 0

I have attached the error I get for each attempt with IP and with server name.
errorrww.doc
Top Expert 2007
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Thanks for the help.
Top Expert 2007

Commented:
You're welcome.

J.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.