Jay_Ratansi

Securing RDP connections

Scenario:
- Windows 2008 Standard based terminal server using www.xpunlimited.com software;
- authorised remote branch users connecting from sites with static public IP;
- authorised remote home users connecting from locations with dynamic IP;

How can we secure the RDP server to prevent, e.g., branch users who are aware of the server address & login details from connecting from outside the branch, which they are not authorised to do? Is it possible to hide the server address & login details from branch users?

Are there any RDP clients with, say, card readers?

Any suggestions?

Thanks
Jay
ASKER CERTIFIED SOLUTION
serchlop
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
kevinhsieh

Is two servers an option? One only visible to the branch that branch users can connect to, and one externally visible that only home users can connect to? (Connections controlled via membership of the Remote Desktop Users group.)

My recommendation would be to give the authorised an SSL certificate which would allow them to connect. This certificate would be in their trusted root store.

Without a certificate, even if they have a user and password or address, they won't be able to connect.

http://www.petri.co.il/securing_rdp_communications.htm

Looking at the article coolfiger posted, that does not cover the server authenticating the client as an authorized device. I don't believe it solves the problem, though requiring a client certificate should work. It is just that the article doesn't cover that.
The Technet article also talks about authenticating the RD Session host, not the client.

I think that authenticating a home user such that a branch user can't access like a home user can be tricky...unless the branch users aren't also home users. You can have the branch users connect directly as usual. You can have home users access via a Remote Desktop gateway. The Gateway service allows you to specify which users can connect to the gateway, and what servers they can then access. Simply only allow the authorized home users to connect to the gateway. I have no idea how that integrates with the xp unlimited software.
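The split suggested in this thread (branch users connect directly from their static IP, home users only through a gateway) can be audited from the terminal server's logon records. The sketch below is an added example, not part of the original thread. All addresses, user names and the site mapping are constructed, and it assumes the server sees the gateway's internal address as the source for gateway sessions.

```python
import ipaddress

# Assumed policy for the scenario in this thread (all values constructed):
# branch users may reach the terminal server only from their branch's static
# public IP; home users only through the gateway, so the server sees the
# gateway's address as the source.
BRANCH_NETS = {"branch-a": ipaddress.ip_network("203.0.113.10/32"),
               "branch-b": ipaddress.ip_network("198.51.100.0/29")}
GATEWAY = ipaddress.ip_address("10.0.0.5")
USER_SITE = {"alice": "branch-a", "bob": "branch-b", "carol": "home"}


def check_logon(user, source):
    """Return None if the logon matches policy, else a reason string."""
    site = USER_SITE.get(user)
    if site is None:
        return "unknown user"
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "unparseable source address"
    if site == "home":
        return None if addr == GATEWAY else "home user bypassed gateway"
    if addr in BRANCH_NETS[site]:
        return None
    return "branch user outside " + site


def audit(records):
    """Return (user, source, reason) for each logon that violates policy."""
    findings = []
    for user, source in records:
        reason = check_logon(user, source)
        if reason:
            findings.append((user, source, reason))
    return findings


# Constructed sample logons: (account name, source network address).
SAMPLE = [("alice", "203.0.113.10"),   # branch user at the branch: allowed
          ("alice", "192.0.2.77"),     # same credentials used from elsewhere
          ("carol", "10.0.0.5"),       # home user via the gateway: allowed
          ("carol", "192.0.2.200"),    # home user connecting directly
          ("bob", "-")]                # record with no usable address

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A branch account that shows up with the gateway address as its source is also reported, which matches the advice to admit only the authorised home users at the gateway.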
Jay_Ratansi

ASKER

I've come across http://remotedesktopmanager.com/ which allows for hiding server address, user logon details etc.

Any other similar products? Simpler products?

Thanks
Jay Ratansi