• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 665
  • Last Modified:

Restrict Terminal Services to particular IPs in SBS 2003

Hi all,

Yes, I know ... we do this through the Firewall ... but my firewall is not running because another program is running that might be using the NAT component (Ipnat.sys).

I read a bit, and tis happens if ISA is used, not our case, or if RAS is used. We use remove connections to allow VPN Users into the server using a range of IPs.

Is there a way to have it all, RAS and Windows firewall running so that I can limit TS to few IPs?

Thanks in advanced.
0
phermi
Asked:
phermi
3 Solutions
 
phermiAuthor Commented:
The_Dark1: Thanks, but not really.

What we have here is brutal-force attacks from folks in Europe trying o guess the Administrator password while programmatically attempting to connect using RDC.

The system is slowed down to the point of crawling and the logs are full of account locking issues.

All I wanted was to be able to set rules in the firewall so only certain IPs will be accepted for RDC connection.

Plan B will be to change the RDP listening port
0
 
The_Dark1Commented:
What type of Firewall are you using?

My thought process would be to terminate the VPN's are the firewall level. And then allowing access to RDP From that point through... This way you protect your LAN.

I am referring to your modem/router as they have Firewall's in them too...
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
bbaoIT ConsultantCommented:
> All I wanted was to be able to set rules in the firewall so only certain IPs will be accepted for RDC connection

normally you should set rules on the firewall and it seems you have known how to set the rules there??

however, on TS server you may also instantly restrict a specific IP or group of IPs by changing the routing table like this:

ROUTE ADD 1.2.3.4 mask 255.255.255.255 192.168.1.222 metric 1
ROUTE ADD 2.3.4.0 mask 255.255.255.0 192.168.1.222 metric 1

where 1.2.3.4 and 2.3.4.0/24 are the IPs to be banned, and 192.168.1.222 is an IP not existing on TS' local subnet (assume it is 192.168.1.0).

hope it helps,
bbao
0
 
phermiAuthor Commented:
The_Dark1: this is hosted server and ys there is a firewall (Cisco PIX 515R ) in front of it, but it is  not VPN capable.
0
 
greg wardSystems EngineerCommented:
access-list from-outside-coming-in deny ip 123.0.0.0 0.255.255.255 any eq <tsportnumber>
access-list from-outside-coming-in permit ip any any

the above would block the range 123.*.*.* using the port <tsportnumber>

from
http://www.netcraftsmen.net/resources/archived-articles/372.html

Greg
0
 
phermiAuthor Commented:
I apologize for the huge delay ....

I do not have access to change anyhting in the PIX and honestly, I was hopping for an easy way to say "do not accept TS request excpt from XX.yy.zz.ww.

I appreciate your efforts and I will assign points to both of you, not because I can fix my problem based on your suggestions, but for the fact that you did care about it,
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now