Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Restrict Terminal Services to particular IPs in SBS 2003

Posted on 2010-11-20
7
639 Views
Last Modified: 2012-05-10
Hi all,

Yes, I know ... we do this through the Firewall ... but my firewall is not running because another program is running that might be using the NAT component (Ipnat.sys).

I read a bit, and tis happens if ISA is used, not our case, or if RAS is used. We use remove connections to allow VPN Users into the server using a range of IPs.

Is there a way to have it all, RAS and Windows firewall running so that I can limit TS to few IPs?

Thanks in advanced.
0
Comment
Question by:phermi
7 Comments
 
LVL 4

Expert Comment

by:The_Dark1
ID: 34182772
0
 

Author Comment

by:phermi
ID: 34182898
The_Dark1: Thanks, but not really.

What we have here is brutal-force attacks from folks in Europe trying o guess the Administrator password while programmatically attempting to connect using RDC.

The system is slowed down to the point of crawling and the logs are full of account locking issues.

All I wanted was to be able to set rules in the firewall so only certain IPs will be accepted for RDC connection.

Plan B will be to change the RDP listening port
0
 
LVL 4

Accepted Solution

by:
The_Dark1 earned 200 total points
ID: 34182907
What type of Firewall are you using?

My thought process would be to terminate the VPN's are the firewall level. And then allowing access to RDP From that point through... This way you protect your LAN.

I am referring to your modem/router as they have Firewall's in them too...
0
Free Tool: Postgres Monitoring System

A PHP and Perl based system to collect and display usage statistics from PostgreSQL databases.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 37

Assisted Solution

by:bbao
bbao earned 150 total points
ID: 34183365
> All I wanted was to be able to set rules in the firewall so only certain IPs will be accepted for RDC connection

normally you should set rules on the firewall and it seems you have known how to set the rules there??

however, on TS server you may also instantly restrict a specific IP or group of IPs by changing the routing table like this:

ROUTE ADD 1.2.3.4 mask 255.255.255.255 192.168.1.222 metric 1
ROUTE ADD 2.3.4.0 mask 255.255.255.0 192.168.1.222 metric 1

where 1.2.3.4 and 2.3.4.0/24 are the IPs to be banned, and 192.168.1.222 is an IP not existing on TS' local subnet (assume it is 192.168.1.0).

hope it helps,
bbao
0
 

Author Comment

by:phermi
ID: 34184839
The_Dark1: this is hosted server and ys there is a firewall (Cisco PIX 515R ) in front of it, but it is  not VPN capable.
0
 
LVL 15

Assisted Solution

by:greg ward
greg ward earned 150 total points
ID: 34191611
access-list from-outside-coming-in deny ip 123.0.0.0 0.255.255.255 any eq <tsportnumber>
access-list from-outside-coming-in permit ip any any

the above would block the range 123.*.*.* using the port <tsportnumber>

from
http://www.netcraftsmen.net/resources/archived-articles/372.html

Greg
0
 

Author Comment

by:phermi
ID: 34303203
I apologize for the huge delay ....

I do not have access to change anyhting in the PIX and honestly, I was hopping for an easy way to say "do not accept TS request excpt from XX.yy.zz.ww.

I appreciate your efforts and I will assign points to both of you, not because I can fix my problem based on your suggestions, but for the fact that you did care about it,
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The articles for turning off the Client firewall policy on the internet are for SBS 2008 and don't really help for SBS 2011. They actually moved the Client firewall policy. In 2011, the client firewall policy has moved to the SBS computers conta…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question