Solved

Can terminal server on w2k3 use rpc over http for outside connections?

Posted on 2010-08-21
Last Modified: 2013-11-21
Thanks in advance for your help.

I currently have one TS up and users have to VPN before they RDP.  I want to eliminate the VPN with a secure connection.  

Thanks again.  
Question by:techlinden
18 Comments
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33493875
Take a read of this.
Essentially, you are opening port 3389, changing the security level to FIPS, which is the US encryption standard, and adding an SSL certificate.
http://www.petri.co.il/securing_rdp_communications.htm 
Cheers,
Hades666
LVL 1

Expert Comment

by:coolnoble
ID: 33494004
Please follow these steps:
- Assign a public, static IP address to the TS server
---- Add the public IP address where your public IP addresses are being hosted (example: Verizon, Cogent, Speakeasy, Sprint, etc.)
- On your firewall, do a one-to-one NAT: public IP address translates to private IP address
----- Open port 3389
- Make sure that in your DNS the private IP address translates to ts.company.com

cheers
LVL 30

Assisted Solution

by:Brad Howe
Brad Howe earned 250 total points
ID: 33494007
The only problem with that solution is:
A. You are not setting up FIPS secure encryption.
B. You are not secure and are open to many TS-based session hacks.
C. Non-SSL.
I would never let a client open 3389 without FIPS and SSL.  This is even a PCI requirement if you are planning for SAS or PCI compliance.
Hades666
Author Comment

by:techlinden
ID: 33494123
We are going for PCI compliance.  RDP to the open world is what I had before.  I changed to VPN for the time being but am looking for another solution.  Will attempt the FIPS solution.  

Thanks guys!
LVL 30

Assisted Solution

by:Brad Howe
Brad Howe earned 250 total points
ID: 33495636
Hi,
Then TLS/SSL over HTTP with FIPS compliance is all you need to configure.
Please read this article.
http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx
Once you have configured it in this fashion, you will pass a PCI compliance test. Just make sure to scan it once you have configured it.
Cheers,
Hades666

Author Comment

by:techlinden
ID: 33496785
Thanks guys! Is it possible for me to create a self-signed CA without purchasing one?  Anyone have a hint on this process?

Thanks again
LVL 30

Expert Comment

by:Brad Howe
ID: 33497645
Yes. You will need to install a Certificate Authority (CA) on any member server and then generate a certificate. This will at least get you going. If you don't want the certificate trust error, users will either need to install the trusted root certificate OR you will need to purchase a true SSL cert.
http://www.petri.co.il/install_windows_server_2003_ca.htm
Cheers,
Hades666
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 250 total points
ID: 33502627
Just one thing here: by using certificates with TS you are still going over RDP. Simple as that.
Only 2008 has support for RDP over HTTPS, which is probably what you were asking about (meaning only port TCP 443 would be required to be opened). This is called RDS Gateway and is not supported by 2003 TS.
Again, all you are doing is changing the RDP encryption, nothing else. It is still RDP traffic and port TCP 3389 (or another if you change it in the TS registry) in use.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
LVL 30

Assisted Solution

by:Brad Howe
Brad Howe earned 250 total points
ID: 33502696
Agreed.
Port 3389 would need to be open, but to be PCI compliant in your given situation, TLS/SSL with FIPS is secure.
In 2k8 you would use RDS Gateway. The Gateway tunnels RDP over HTTPS on the outside.
Cheers.
Hades666
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 250 total points
ID: 33502745
Well, it may be secure from a crypto standpoint. You are still exposing the RDP listener to the outside, which can still be exploited in several ways, regardless of the encryption used.
RDP over HTTPS is a different beast in this case: the listener is completely hidden behind the gateway (and is actually never contacted by the endpoint, which does happen in the scenario where RDP is opened to the public, regardless of encryption).
So two VERY different approaches from a security standpoint.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
LVL 30

Expert Comment

by:Brad Howe
ID: 33502821
Agreed, and many people will change the registry to flip the port to a different listening port.  I am not saying it is the best option, but with the setup he has, this would be his only choice if he doesn't want the VPN connection.
As well, most hackers usually only scan common ports either way. Only good hackers that are targeting a specific company will do more in-depth checking on the endpoints and listeners.
Have a good one Cláudio, always a pleasure.
Best Regards,
Hades666

Author Comment

by:techlinden
ID: 33507305
A great discussion here guys :)

My main goal is to maintain security while eliminating the VPN.  RDP over HTTPS would be exactly what I had in my head.  So no support on 2k3, and no third-party software I could achieve the same or similar results with?

But if I went with RDP, would I still fall under PCI compliance, and should I be able to sleep at night?

Thanks again guys
LVL 30

Expert Comment

by:Brad Howe
ID: 33507496
Hi techlinden,

Yes, RDP over HTTPS is not supported in 2003, only 2008.

No, RDP with the settings above is PCI compliant. Contact Qualys (http://www.qualys.com/) for a trial account to test yourself if you are unsure.  Forcing the use of SSL as a transport layer for RDP secures and encrypts the communication, so from that point you are secure.

From PCI compliance audits, in most cases users disable external RDP access to a front-facing server or enable a VPN. However, when RDP access is required you will need to correct the errors below for any PCI test:

• Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness (CVE-2005-1795)
• Terminal Server Encryption Level is not FIPS-140 compliant

During my consulting, I have helped companies restrict RDP to a specific set of WAN IPs, secure the traffic and encrypt it.

1) Create a self-signed SSL certificate or, of course, a publicly signed SSL certificate, which is better but not needed for PCI compliance.

2) Open Terminal Services Configuration. Edit the properties of the RDP-Tcp connection:
      1. Click Edit and add the self-signed SSL certificate.
      2. Set the encryption level to FIPS Compliant.
      3. Click Apply.
      4. Set the security layer to SSL (you will not see this as an option if the SSL cert is not configured and you haven't applied the changes).
      5. Click Apply again, then OK.

3) Close all windows and all active RDP sessions.

4) Configure your Windows Firewall to restrict the port by incoming IP scope.

5) Configure RDP to run on a different port to deter attackers.


http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx

Hope it helps,
Hades666
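The advice above ends with "scan it once you have configured it", and Cláudio's point is that the listener stays reachable no matter which encryption level is chosen. What a scanner actually tests in step 4 of the procedure is whether the listener still accepts standard RDP security. The script below is an added example, not code from this thread or from Microsoft: it speaks only the first round trip of MS-RDPBCGR (the X.224 Connection Request carrying an RDP_NEG_REQ, and the server's Connection Confirm), deliberately asks for standard RDP security only, and reports whether the server refuses that with SSL_REQUIRED_BY_SERVER. The three sample replies are constructed to the spec's byte layout, not captured from any server; the `probe()` function is the only part that touches the network and is assumed to be run against a host you are authorised to test.

```python
"""Check whether a Terminal Server's RDP listener enforces TLS (security layer = SSL).

Added example, not from the original thread. Client side of the X.224 Connection
Request / Connection Confirm exchange from MS-RDPBCGR, requesting PROTOCOL_RDP only.
A server whose security layer is "SSL" must answer RDP_NEG_FAILURE with
SSL_REQUIRED_BY_SERVER; one set to "Negotiate" or "RDP Security Layer" selects
PROTOCOL_RDP (or returns no negotiation block at all) and so still exposes
standard RDP security to the internet.
"""
import socket
import struct

# MS-RDPBCGR 2.2.1.1.1 (RDP_NEG_REQ), 2.2.1.2.1 (RDP_NEG_RSP), 2.2.1.2.2 (RDP_NEG_FAILURE)
TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

PROTOCOL_RDP = 0x00000000     # standard RDP security ("RDP Security Layer" in TS Config)
PROTOCOL_SSL = 0x00000001     # TLS ("SSL" in TS Config)
PROTOCOL_HYBRID = 0x00000002  # CredSSP / NLA; not offered by 2003
PROTOCOL_NAMES = {PROTOCOL_RDP: "PROTOCOL_RDP", PROTOCOL_SSL: "PROTOCOL_SSL",
                  PROTOCOL_HYBRID: "PROTOCOL_HYBRID"}
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER"}

X224_CR = 0xE0  # Connection Request TPDU code
X224_CC = 0xD0  # Connection Confirm TPDU code


def build_connection_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type(1) flags(1) length(2, LE) requestedProtocols(4, LE)
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: LI (bytes after it), code, DST-REF(2), SRC-REF(2), class option(1)
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), X224_CR, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (BE) including this 4-byte header
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Decode TPKT + X.224 Connection Confirm into a small result dict."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length %d does not match %d bytes" % (tpkt_len, len(data)))
    li, code = data[4], data[5]
    if code != X224_CC:
        raise ValueError("expected X.224 Connection Confirm, got TPDU code 0x%02x" % code)
    if li < 6 or 5 + li > len(data):
        raise ValueError("bad X.224 length indicator")
    neg = data[11:5 + li]              # rdpNegData, if the server sent any
    if not neg:
        return {"kind": "legacy"}      # no negotiation: standard RDP security only
    if len(neg) != 8:
        raise ValueError("rdpNegData has unexpected length %d" % len(neg))
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", neg)
    if neg_len != 8:
        raise ValueError("rdpNegData length field is %d, expected 8" % neg_len)
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"kind": "selected", "protocol": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        return {"kind": "failure", "code": value}
    raise ValueError("unknown rdpNegData type 0x%02x" % neg_type)


def assess(response: bytes) -> tuple:
    """(tls_enforced, verdict) for a reply to a request that offered PROTOCOL_RDP only."""
    r = parse_connection_confirm(response)
    if r["kind"] == "failure":
        name = FAILURE_NAMES.get(r["code"], hex(r["code"]))
        if name in ("SSL_REQUIRED_BY_SERVER", "HYBRID_REQUIRED_BY_SERVER"):
            return True, "server refuses standard RDP security: %s" % name
        return False, "negotiation failed: %s" % name
    if r["kind"] == "legacy":
        return False, "server sent no negotiation block; standard RDP security only"
    name = PROTOCOL_NAMES.get(r["protocol"], hex(r["protocol"]))
    return r["protocol"] != PROTOCOL_RDP, "server selected %s" % name


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> tuple:
    """Live check against a host you are authorised to test (assumed)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        reply = s.recv(64)  # a Connection Confirm is at most 19 bytes
    return assess(reply)


# Constructed sample replies laid out per the spec (not captures from any server):
REPLY_TLS_REQUIRED = bytes.fromhex("030000130ed000001234000300080001000000")   # NEG_FAILURE, code 1
REPLY_PLAIN_ACCEPTED = bytes.fromhex("030000130ed000001234000200080000000000")  # NEG_RSP, PROTOCOL_RDP
REPLY_LEGACY = bytes.fromhex("0300000b06d00000123400")                          # CC with no rdpNegData

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3389))
    else:
        for label, reply in (("tls-required", REPLY_TLS_REQUIRED),
                             ("plain-accepted", REPLY_PLAIN_ACCEPTED),
                             ("legacy", REPLY_LEGACY)):
            print(label, assess(reply))
```

Run it with no arguments to see the three constructed cases, or `python rdp_tls_check.py ts.company.com 3389` (hostname assumed) against the configured server. Only the first case is the state the procedure above is aiming for; a server left on "Negotiate" passes the encryption-level item yet still selects PROTOCOL_RDP for a client that asks for it, which is why the security layer is set to SSL rather than Negotiate. The check says nothing about the firewall scope or the listener being exposed at all, which is Cláudio's separate point.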
LVL 30

Expert Comment

by:Brad Howe
ID: 33697764
Hm... I don't think I was abandoned. There are solutions on this thread and the answer is that it is not possible with 2003. - Hades666
LVL 31

Accepted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 250 total points
ID: 33697858
There are actually several third-party products that will give you RDP over HTTPS on Windows 2003. One of them, 2X LoadBalancer, was actually developed based on intellectual property acquired from me. :-)


Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP