Solved

Can terminal server on w2k3 use rpc over http for outside connections?

Posted on 2010-08-21
Last Modified: 2013-11-21
Thanks in advance for your help.

I currently have one ts up and users have to vpn before they rdp.  I want to eliminate the vpn with a secure connection.  

Thanks again.  
Question by:techlinden
18 Comments
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33493875
Take a read at this.
Essentially, you are opening port 3389, changing the security level to FIPS, which is the US encryption standard, and adding an SSL certificate.
http://www.petri.co.il/securing_rdp_communications.htm
Cheers,
Hades666
0
 
LVL 1

Expert Comment

by:coolnoble
ID: 33494004
Please follow these steps:
- Assign Public & Static IP Address to TS Server
---- Add the public IP address - wherever your public IP addresses are being hosted (example: Verizon, Cogent, Speakeasy, Sprint, etc.)
- On your firewall - do the one-to-one NAT public ip address translates - private ip address
----- Open port 3389
- Make sure in your dns private ip address translates to ts.company.com

cheers
0
 
LVL 30

Assisted Solution

by:Brad Howe
Brad Howe earned 250 total points
ID: 33494007
The only problem with that solution is:
A. You are not setting up FIPS secure encryption.
B. You are not secure and are open to many TS-based session hacks.
C. Non-SSL.
I would never let a client open 3389 without FIPS and SSL. This is even a PCI requirement if you are planning for SAS or PCI compliance.
Hades666
 
0
 

Author Comment

by:techlinden
ID: 33494123
We are going for PCI compliance.  RDP to the open world is what i had before.  I changed to VPN for the time being but looking for another solution.  Will attempt the FIP solution.  

Thanks guys!
0
 
LVL 30

Assisted Solution

by:Brad Howe
Brad Howe earned 250 total points
ID: 33495636
Hi,
Then TLS/SSL over HTTP with FIP compliance is all you need to configure.
Please read this article.
http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx
Once you have configured it in this fashion, you will pass a PCI compliance test. Just make sure to scan it once you have configured it.
Cheers,
Hades666
0
 

Author Comment

by:techlinden
ID: 33496785
Thanks guys! Is it possible for me to create a self signed CA without purchasing one?  Anyone have a hint on this process?

Thanks again
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33497645
Yes, you will need to install the Certificate Authority role on any member server and then generate a certificate. This will at least get you going. If you don't want the certificate trust error, users will either need to install the trusted root certificate OR you will need to purchase a true SSL cert.
http://www.petri.co.il/install_windows_server_2003_ca.htm
Cheers,
Hades666
0
 
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 250 total points
ID: 33502627
Just one thing here: by using certificates with TS you are still going over RDP. Simple as that.
Only 2008 has support for RDP over HTTPS that is probably what you were asking about (meaning only port TCP 443 would be required to be opened). This is called RDS Gateway and is not supported by 2003 TS.
Again, all you are doing is changing the RDP encryption, nothing else. Still RDP traffic and port TCP 3389 (or another if you change it on the TS registry) in use.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 
LVL 30

Assisted Solution

by:Brad Howe
Brad Howe earned 250 total points
ID: 33502696
Agreed.
Port 3389 would need to open but to be PCI compliant in your given situation, TLS/SSL with FIPS is secure.
In 2k8 you would use RDS Gateway. The Gateway tunnels RDP over HTTPS on the outside.
Cheers.
Hades666
 
0
 
LVL 31

Assisted Solution

by:Cláudio Rodrigues
Cláudio Rodrigues earned 250 total points
ID: 33502745
Well, it may be secure from a crypto standpoint. You are still exposing the RDP listener to the outside, which can still be exploited in several ways, regardless of the encryption used.
RDP over HTTPS is a different beast in this case: the listener is completely hidden behind the gateway (and actually never contacted by the endpoint, which does happen in the scenario where RDP is opened to the public, regardless of encryption).
So two VERY different approaches from a security standpoint.

Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33502821
Agreed, and many people will change the registry to flip the port to a different listening port. I am not saying it is the best option, but with the setup he has, this would be his only choice if he doesn't want the VPN connection.
As well, most hackers usually only scan common ports either way. Only good hackers that are targeting a specific company will do more in-depth checking on the endpoints and listeners.
Have a good one Cláudio, always a pleasure.
Best Regards,
Hades666
0
 

Author Comment

by:techlinden
ID: 33507305
A great discussion here guys :)

My main goal is to maintain security while eliminating the VPN.  RDP over https would be exactly what I had in my head.  So no support on 2k3, and no third party software I could achieve the same or similar results with?

But if I went with RDP, would I still fall under PCI compliance, and should I be able to sleep at night?

Thanks again guys
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33507496
Hi techlinden,

Yes, RDP over HTTPS is not supported in 2003, only 2008.

No, RDP with the settings above is PCI compliant. Contact Qualys (http://www.qualys.com/) for a trial account to test yourself if you are unsure. Forcing the use of SSL as a transport layer for RDP secures and encrypts the communication, so from that point you are secure.

From PCI compliance audits, in most cases users disable external RDP access to a front-facing server or enable a VPN. However, when RDP access is required you will need to correct the errors below for any PCI test:

• Microsoft Windows Remote Desktop Protocol Server Man in the Middle Weakness (CVE-2005-1795)
• Terminal Server Encryption Level is not FIPS-140 compliant

During my consulting, I have helped companies restrict RDP to a specific set of WAN IPs, secure the traffic and encrypt it.

1) Create a self-signed SSL certificate (or, of course, a publicly signed SSL certificate, which is better but not needed for PCI compliance).

2) Open Terminal Services Configuration. Edit the properties of the RDP-Tcp connection:
      1. Click Edit and add the self-signed SSL certificate.
      2. Set the encryption level to FIPS Compliant.
      3. Click Apply.
      4. Set the security layer to SSL (you will not see this as an option if the SSL cert is not configured and you haven't applied the changes).
      5. Click Apply again, then OK.

3) Close all windows and all active RDP sessions.

4) Configure your Windows Firewall to restrict the port by incoming IP scope.

5) Configure RDP to run on a different port to deter attackers.


http://technet.microsoft.com/en-us/library/cc782610(WS.10).aspx

Hope it helps,
Hades666
0
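The steps in the comment above are clicked through in Terminal Services Configuration, which makes it easy to miss one (for example, forgetting to apply the certificate before the SSL security layer becomes selectable). The following PowerShell script is an added audit example written for this thread; it is not part of any Microsoft tool or the original post. It reads the RDP-Tcp listener settings from the registry and reports which of the hardening steps (FIPS encryption level, SSL security layer, bound certificate, non-default port) are still missing. The registry path, value names and the numeric meanings of `MinEncryptionLevel` (4 = FIPS Compliant) and `SecurityLayer` (2 = SSL) are the documented ones for the RDP-Tcp WinStation; that `SSLCertificateSHA1Hash` holds the bound certificate's thumbprint as REG_BINARY is treated here as an assumption. The script only reads settings and changes nothing.

```powershell
# Added example (not from the thread): audit the RDP-Tcp listener against the
# hardening steps described above. Run in an elevated PowerShell session on the
# terminal server. Read-only: no registry value is modified.

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Documented value meanings for the RDP-Tcp WinStation (assumed correct for this audit).
$encryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$securityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RdpListenerAudit {
    param([string]$KeyPath = $rdpKey)

    $props    = Get-ItemProperty -Path $KeyPath
    $encLevel = [int]$props.MinEncryptionLevel
    $secLayer = [int]$props.SecurityLayer
    $port     = if ($props.PortNumber) { [int]$props.PortNumber } else { 3389 }

    # Assumption: SSLCertificateSHA1Hash is a REG_BINARY thumbprint, present only once
    # a certificate has been bound to the listener (step 2.1 above).
    $thumbprint = $null
    if ($props.SSLCertificateSHA1Hash) {
        $thumbprint = ($props.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''
    }

    # A bound thumbprint is only useful if the certificate is actually in the machine store.
    $certInStore = $false
    if ($thumbprint) {
        $match = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
        $certInStore = [bool]$match
    }

    $findings = @()
    if ($encLevel -lt 4) { $findings += "Encryption level is '$($encryptionLevels[$encLevel])' (expected FIPS Compliant)" }
    if ($secLayer -ne 2) { $findings += "Security layer is '$($securityLayers[$secLayer])' (expected SSL)" }
    if (-not $thumbprint)   { $findings += 'No certificate bound to the RDP-Tcp listener' }
    elseif (-not $certInStore) { $findings += "Bound certificate $thumbprint not found in LocalMachine\My" }
    if ($port -eq 3389)     { $findings += 'Listener is on the default port 3389 (step 5 not applied)' }

    # New-Object is used instead of [pscustomobject] so the script also runs on PowerShell 2.0.
    New-Object PSObject -Property @{
        EncryptionLevel = $encryptionLevels[$encLevel]
        SecurityLayer   = $securityLayers[$secLayer]
        Port            = $port
        CertThumbprint  = $thumbprint
        CertInStore     = $certInStore
        Findings        = $findings
        Hardened        = ($findings.Count -eq 0)
    }
}

$audit = Get-RdpListenerAudit
$audit | Format-List EncryptionLevel, SecurityLayer, Port, CertThumbprint, CertInStore, Hardened
if (-not $audit.Hardened) {
    $audit.Findings | ForEach-Object { Write-Warning $_ }
}
```

Note that a changed port only takes effect after the Terminal Services service restarts, and the registry shows the new value before that happens, so run the audit after the reboot described in step 3 rather than straight after editing. The script also does not cover step 4 (firewall IP scope), which lives outside this registry key; check that separately in the Windows Firewall configuration.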
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33697764
Hm... I don't think i was abandoned. There are solutions on this thread and the answer is that it is not possible with 2003. - Hades666
0
 
LVL 30

Expert Comment

by:Brad Howe
ID: 33697765
Hm... I don't think i was abandoned. There are solutions on this thread and the answer is that it is not possible with 2003. - Hades666
0
 
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 250 total points
ID: 33697858
There are actually several third party products that will give you RDP over HTTPS on Windows 2003. One of them, 2x LoadBalancer was actually developed based on intellectual property acquired from me. :-)


Cláudio Rodrigues
Microsoft MVP - Remote Desktop Services
Citrix CTP
0
