Solved

Restrict Terminal Services to particular IPs in SBS 2003

Posted on 2010-11-20
7
646 Views
Last Modified: 2012-05-10
Hi all,

Yes, I know ... we do this through the Firewall ... but my firewall is not running because another program is running that might be using the NAT component (Ipnat.sys).

I read a bit, and tis happens if ISA is used, not our case, or if RAS is used. We use remove connections to allow VPN Users into the server using a range of IPs.

Is there a way to have it all, RAS and Windows firewall running so that I can limit TS to few IPs?

Thanks in advanced.
0
Comment
Question by:phermi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 4

Expert Comment

by:The_Dark1
ID: 34182772
0
 

Author Comment

by:phermi
ID: 34182898
The_Dark1: Thanks, but not really.

What we have here is brutal-force attacks from folks in Europe trying o guess the Administrator password while programmatically attempting to connect using RDC.

The system is slowed down to the point of crawling and the logs are full of account locking issues.

All I wanted was to be able to set rules in the firewall so only certain IPs will be accepted for RDC connection.

Plan B will be to change the RDP listening port
0
 
LVL 4

Accepted Solution

by:
The_Dark1 earned 200 total points
ID: 34182907
What type of Firewall are you using?

My thought process would be to terminate the VPN's are the firewall level. And then allowing access to RDP From that point through... This way you protect your LAN.

I am referring to your modem/router as they have Firewall's in them too...
0
Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

 
LVL 37

Assisted Solution

by:bbao
bbao earned 150 total points
ID: 34183365
> All I wanted was to be able to set rules in the firewall so only certain IPs will be accepted for RDC connection

normally you should set rules on the firewall and it seems you have known how to set the rules there??

however, on TS server you may also instantly restrict a specific IP or group of IPs by changing the routing table like this:

ROUTE ADD 1.2.3.4 mask 255.255.255.255 192.168.1.222 metric 1
ROUTE ADD 2.3.4.0 mask 255.255.255.0 192.168.1.222 metric 1

where 1.2.3.4 and 2.3.4.0/24 are the IPs to be banned, and 192.168.1.222 is an IP not existing on TS' local subnet (assume it is 192.168.1.0).

hope it helps,
bbao
0
 

Author Comment

by:phermi
ID: 34184839
The_Dark1: this is hosted server and ys there is a firewall (Cisco PIX 515R ) in front of it, but it is  not VPN capable.
0
 
LVL 15

Assisted Solution

by:greg ward
greg ward earned 150 total points
ID: 34191611
access-list from-outside-coming-in deny ip 123.0.0.0 0.255.255.255 any eq <tsportnumber>
access-list from-outside-coming-in permit ip any any

the above would block the range 123.*.*.* using the port <tsportnumber>

from
http://www.netcraftsmen.net/resources/archived-articles/372.html

Greg
0
 

Author Comment

by:phermi
ID: 34303203
I apologize for the huge delay ....

I do not have access to change anyhting in the PIX and honestly, I was hopping for an easy way to say "do not accept TS request excpt from XX.yy.zz.ww.

I appreciate your efforts and I will assign points to both of you, not because I can fix my problem based on your suggestions, but for the fact that you did care about it,
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction At 19:33 (UST) on Tuesday 21st September the long awaited email arrived with the subject title of “ANNOUNCING THE AVAILABILITY OF WINDOWS SBS 7 PREVIEW”.  It was time to drop whatever I was doing and dedicate as much bandwidth as possi…
You may have discovered the 'Compatibility View Settings' workaround for making your SBS 2008 Remote Web Workplace 'connect to a computer' section stops 'working around' after a Windows 10 client upgrade.  That can be fixed so it 'works around' agai…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question