Solved

Restrict Terminal Services to particular IPs in SBS 2003

Posted on 2010-11-20
Last Modified: 2012-05-10
Hi all,

Yes, I know ... we do this through the Firewall ... but my firewall is not running because another program is running that might be using the NAT component (Ipnat.sys).

I read a bit, and this happens if ISA is used, not our case, or if RAS is used. We use remote connections to allow VPN users into the server using a range of IPs.

Is there a way to have it all, RAS and Windows firewall running so that I can limit TS to a few IPs?

Thanks in advance.
0
Question by:phermi
7 Comments
 
LVL 4

Expert Comment

by:The_Dark1
ID: 34182772
0
 

Author Comment

by:phermi
ID: 34182898
The_Dark1: Thanks, but not really.

What we have here is brute-force attacks from folks in Europe trying to guess the Administrator password while programmatically attempting to connect using RDC.

The system is slowed down to the point of crawling and the logs are full of account locking issues.

All I wanted was to be able to set rules in the firewall so only certain IPs will be accepted for RDC connection.

Plan B will be to change the RDP listening port.
0
 
LVL 4

Accepted Solution

by:
The_Dark1 earned 200 total points
ID: 34182907
What type of Firewall are you using?

My thought process would be to terminate the VPNs at the firewall level, and then allow access to RDP from that point through... This way you protect your LAN.

I am referring to your modem/router, as they have firewalls in them too...
0

 
LVL 37

Assisted Solution

by:bbao
bbao earned 150 total points
ID: 34183365
> All I wanted was to be able to set rules in the firewall so only certain IPs will be accepted for RDC connection

normally you should set rules on the firewall and it seems you have known how to set the rules there??

however, on TS server you may also instantly restrict a specific IP or group of IPs by changing the routing table like this:

ROUTE ADD 1.2.3.4 mask 255.255.255.255 192.168.1.222 metric 1
ROUTE ADD 2.3.4.0 mask 255.255.255.0 192.168.1.222 metric 1

where 1.2.3.4 and 2.3.4.0/24 are the IPs to be banned, and 192.168.1.222 is an IP not existing on TS' local subnet (assume it is 192.168.1.0).

hope it helps,
bbao
0
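The blackhole-route approach from the answer above, as an added example that is not part of bbao's post: a Python helper that turns a list of banned IPv4 ranges into the same ROUTE ADD lines, with checks against a lock-out. The function name `blackhole_routes`, the `protected` list and the 203.0.113.10 sample address are assumptions made for this example.

```python
import ipaddress

def blackhole_routes(banned, local_subnet, dead_gw, protected=(), persistent=False):
    """Build ROUTE ADD lines that point banned IPv4 ranges at an unused next hop."""
    subnet = ipaddress.IPv4Network(local_subnet)
    gw = ipaddress.IPv4Address(dead_gw)
    # The next hop must be on-link or ROUTE ADD refuses it; that it is
    # unassigned is an assumption the operator has to verify separately.
    if gw not in subnet or gw in (subnet.network_address, subnet.broadcast_address):
        raise ValueError(f"{gw} is not a usable host address in {subnet}")
    # Never blackhole the local subnet or addresses administrators connect from.
    keep = [subnet] + [ipaddress.IPv4Network(p) for p in protected]
    # Strict parsing rejects entries such as 2.3.4.5/24, which ROUTE ADD also
    # rejects because (destination AND mask) != destination.
    nets = [ipaddress.IPv4Network(b, strict=True) for b in banned]
    lines = []
    for net in ipaddress.collapse_addresses(nets):  # merge duplicate/adjacent ranges
        hit = next((k for k in keep if net.overlaps(k)), None)
        if hit is not None:
            raise ValueError(f"{net} overlaps protected range {hit}")
        cmd = "ROUTE -p ADD" if persistent else "ROUTE ADD"
        lines.append(f"{cmd} {net.network_address} mask {net.netmask} {gw} metric 1")
    return lines

if __name__ == "__main__":
    # Banned ranges and gateway are the ones from the post; the protected
    # address is a constructed sample.
    for line in blackhole_routes(["1.2.3.4", "2.3.4.0/24"], "192.168.1.0/24",
                                 "192.168.1.222", protected=["203.0.113.10"]):
        print(line)
```

These routes only discard the server's replies, so connection attempts from the banned ranges still arrive but the TCP handshake cannot complete. Without `-p` the routes are lost at reboot.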
 

Author Comment

by:phermi
ID: 34184839
The_Dark1: this is a hosted server and yes, there is a firewall (Cisco PIX 515R) in front of it, but it is not VPN capable.
0
 
LVL 15

Assisted Solution

by:greg ward
greg ward earned 150 total points
ID: 34191611
access-list from-outside-coming-in deny tcp 123.0.0.0 255.0.0.0 any eq <tsportnumber>
access-list from-outside-coming-in permit ip any any

the above would block the range 123.*.*.* using the port <tsportnumber>

from
http://www.netcraftsmen.net/resources/archived-articles/372.html

Greg
0
 

Author Comment

by:phermi
ID: 34303203
I apologize for the huge delay ....

I do not have access to change anything in the PIX and honestly, I was hoping for an easy way to say "do not accept TS request except from XX.yy.zz.ww".

I appreciate your efforts and I will assign points to both of you, not because I can fix my problem based on your suggestions, but for the fact that you did care about it.
0
