Can terminal server on w2k3 use rpc over http for outside connections?

Thanks in advance for your help.

I currently have one ts up and users have to vpn before they rdp.  I want to eliminate the vpn with a secure connection.  

Thanks again.  
techlinden Asked:

Cláudio Rodrigues (Founder and CEO) Commented:
There are actually several third party products that will give you RDP over HTTPS on Windows 2003. One of them, 2x LoadBalancer was actually developed based on intellectual property acquired from me. :-)


Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 
Brad Howe (DevOps Manager) Commented:
Take a read at this.
Essentially, you are opening port 3389, changing the security level to FIPS, which is the US encryption standard, and adding an SSL certificate.
http://www.petri.co.il/securing_rdp_communications.htm 
Cheers,
Hades666
0
 
coolnoble Commented:
Please follow these steps:
- Assign a public and static IP address to the TS server
---- Add the public IP address where your public IP addresses are being hosted (example: Verizon; Cogent; Speakeasy; Sprint, etc.)
- On your firewall, do the one-to-one NAT: public IP address translates to private IP address
----- Open port 3389
- Make sure in your DNS the private IP address translates to ts.company.com

cheers
0
Brad Howe (DevOps Manager) Commented:
The only problem with that solution is
A. You are not setting up FIPS secure encryption.
B. You are not secure and are open to many TS-based session hacks.
C. Non-SSL.
I would never let a client open 3389 without FIPS and SSL. This is even a PCI requirement if you are planning for SAS or PCI compliance.
Hades666
 
0
 
techlinden (Author) Commented:
We are going for PCI compliance. RDP to the open world is what I had before. I changed to VPN for the time being but am looking for another solution. Will attempt the FIPS solution.

Thanks guys!
0
 
Brad Howe (DevOps Manager) Commented:
Hi,
Then TLS/SSL over HTTP with FIPS compliance is all you need to configure.
Please read this article.
http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx
Once you have configured it in this fashion, you will pass a PCI compliance test. Just make sure to scan it once you have configured it.
Cheers,
Hades666
0
 
techlinden (Author) Commented:
Thanks guys! Is it possible for me to create a self-signed CA without purchasing one? Anyone have a hint on this process?

Thanks again
0
 
Brad Howe (DevOps Manager) Commented:
Yes. You will need to install a CA (Certificate Authority) on any member server and then generate a certificate. This will at least get you going. If you don't want the certificate trust error, users will either need to install the Trusted Root Certificate OR you will need to purchase a true SSL cert.
http://www.petri.co.il/install_windows_server_2003_ca.htm
Cheers,
Hades666
0
 
Cláudio Rodrigues (Founder and CEO) Commented:
Just one thing here: by using certificates with TS you are still going over RDP. Simple as that.
Only 2008 has support for RDP over HTTPS that is probably what you were asking about (meaning only port TCP 443 would be required to be opened). This is called RDS Gateway and is not supported by 2003 TS.
Again, all you are doing is changing the RDP encryption, nothing else. Still RDP traffic and port TCP 3389 (or another if you change it on the TS registry) in use.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 
Brad Howe (DevOps Manager) Commented:
Agreed.
Port 3389 would need to be open, but to be PCI compliant in your given situation, TLS/SSL with FIPS is secure.
In 2k8 you would use RDS Gateway. The Gateway tunnels RDP over HTTPS on the outside.
Cheers.
Hades666
 
0
 
Cláudio Rodrigues (Founder and CEO) Commented:
Well, it may be secure from a crypto standpoint. You are still exposing the RDP listener to the outside, which can still be exploited in several ways, regardless of the encryption used.
RDP over HTTPS is a different beast in this case, and the listener is completely hidden behind the gateway (and actually never contacted by the endpoint, which does happen in the scenario where RDP is opened to the public, regardless of encryption).
So two VERY different approaches from a security standpoint.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 
Brad Howe (DevOps Manager) Commented:
Agreed, and many people will change the registry to flip the port to a different listening port. I am not saying it is the best option, but with the setup he has, this would be his only choice if he doesn't want the VPN connection.
As well, most hackers usually only scan common ports either way. Only good hackers that are targeting a specific company will do more in-depth checking on the endpoints and listeners.
Have a good one Cláudio, always a pleasure.
Best Regards,
Hades666
0
 
techlinden (Author) Commented:
A great discussion here guys :)

My main goal is to maintain security while eliminating the VPN. RDP over HTTPS would be exactly what I had in my head. So no support on 2k3, and no third-party software I could achieve the same or similar results with?

But if I went with RDP, would I still fall under PCI compliance, and should I be able to sleep at night?

Thanks again guys
0
 
Brad Howe (DevOps Manager) Commented:
Hi techlinden,

Yes, RDP over HTTPS is not supported in 2003, only 2008.

No, RDP with the settings above is PCI compliant. Contact Qualys (http://www.qualys.com/) for a trial account to test yourself if you are unsure. Forcing the use of SSL as the transport layer for RDP secures and encrypts the communication, so from that point you are secure.

From PCI compliance audits, in most cases users disable external RDP access to a front-facing server or enable a VPN. However, when RDP access is required you will need to correct the same errors below for any PCI test.

• Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness (CVE-2005-1795)
• Terminal Server Encryption Level is not FIPS-140 compliant

During my consulting, I have helped companies restrict RDP to a specific set of WAN IPs, secure the traffic and encrypt it.

1) Create a self-signed SSL certificate, or of course a publicly signed SSL certificate, which is better but not needed for PCI compliance

2) Open Terminal Services Configuration. Edit the properties of the RDP-Tcp connection

      1. Click Edit and add the self-signed SSL certificate
      2. Set the encryption level to FIPS compliant
      3. Click APPLY
      4. Set the Security layer to SSL (you will not see this as an option if the SSL cert is not configured and you haven't applied the changes)
      5. Click APPLY again, then OK
3) Close all windows and all active RDP sessions

4) Configure your Windows Firewall to restrict the port by incoming IP scope.

5) Configure RDP to run on a different port to deter attackers.


http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx

Hope it helps,
Hades666
0
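As an added example (not code from anyone in this thread), here is a small Python parser for the RDP protocol negotiation exchanged in the very first packets of a connection. After applying the steps above it lets you confirm from outside, as Brad suggests scanning, that the server now selects or insists on the SSL security layer instead of standard RDP security. The wire layout follows MS-RDPBCGR; the sample responses are constructed and the function names are my own.

```python
import struct

# Protocol-negotiation values from MS-RDPBCGR (Microsoft's published RDP spec)
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER"}

def build_connection_request(requested_protocols):
    """X.224 Connection Request with an RDP_NEG_REQ, as a standard RDP client opens a session."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)  # type, flags, length, protocols
    # X.224 CR TPDU: length indicator, code 0xE0, dst-ref, src-ref, class 0
    x224 = bytes([6 + len(neg_req), 0xE0, 0, 0, 0, 0, 0]) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224             # TPKT header (big-endian)

def parse_connection_confirm(data):
    """Classify the server's X.224 Connection Confirm: which security layer it selected, or why it refused."""
    if len(data) < 11 or data[0] != 3 or data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len == 11:   # no rdpNegData at all: server predates negotiation, standard RDP security only
        return ("legacy", None)
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return ("failure", FAILURE_CODES.get(value, hex(value)))
    if neg_type == TYPE_RDP_NEG_RSP:
        names = {PROTOCOL_RDP: "rdp", PROTOCOL_SSL: "ssl", PROTOCOL_HYBRID: "hybrid"}
        return (names.get(value, hex(value)), None)
    raise ValueError("unexpected negotiation structure type %#x" % neg_type)

def assess(result):
    """Turn a parsed confirm into the verdict an auditor wants after the configuration steps in the thread."""
    kind, detail = result
    if kind in ("ssl", "hybrid"):
        return "OK: server selected the %s security layer, RDP traffic is protected by TLS" % kind.upper()
    if kind == "failure" and detail == "SSL_REQUIRED_BY_SERVER":
        return "OK: server refuses standard RDP security and insists on TLS"
    return "WEAK: no TLS negotiated (%s%s), exposed to the MITM weakness CVE-2005-1795" % (
        kind, " " + detail if detail else "")

# Constructed sample responses (not captured from a real server) so the parser runs offline
SAMPLE_SSL_SELECTED = bytes.fromhex("030000130ed00000123400" + "0200080001000000")  # RDP_NEG_RSP, PROTOCOL_SSL
SAMPLE_SSL_REQUIRED = bytes.fromhex("030000130ed00000123400" + "0300080001000000")  # RDP_NEG_FAILURE, code 1
SAMPLE_LEGACY = bytes.fromhex("0300000b06d00000123400")                              # no negotiation data

if __name__ == "__main__":
    for sample in (SAMPLE_SSL_SELECTED, SAMPLE_SSL_REQUIRED, SAMPLE_LEGACY):
        print(assess(parse_connection_confirm(sample)))
```

To check a real server, send build_connection_request(PROTOCOL_SSL) and then PROTOCOL_RDP over a socket to the listener port and pass each reply to parse_connection_confirm; this verifies only the security layer, since the FIPS encryption level is negotiated later inside the TLS session.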
 
Brad Howe (DevOps Manager) Commented:
Hm... I don't think I was abandoned. There are solutions on this thread and the answer is that it is not possible with 2003. - Hades666
0