?
Solved

securing the TS web access server 2008 agains the attacks

Posted on 2011-09-16
5
Medium Priority
?
396 Views
Last Modified: 2012-05-12
Hi
Almost every day I check 100's of unsuccessful logon attempts on my terminal server. TS Web access on server 2008 ent edition.  Though I am using https/ssl certificate to encrypt my communications.  My clients access this ts web access via 'https:/server.domainname.com'
How can I set up my configurations so that any one trying to establish connection via 'brute force, tsgrinder, etc etc which use dictionary attacks of various combinations should be disconnected after a couple of tries.  I have also made unsuccessful logon attemps to 3 on this pariticular ts server local policy but still, attackers can establish and remain establish with this server.   THere must be a way where anyone using these malicious programs should be disconnected automatically after a couple of attempts.  How and where.  I am trying to make this terminal server fully secured.  Possible?  Domain/enterprise admins have to waste alot of time to overcome security issues when easy articles like:
http://www.ethicalhacker.net/content/view/106/24/
are available.
Help plz
0
Comment
Question by:amanzoor
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 6

Accepted Solution

by:
rpassero earned 2000 total points
ID: 36549316
The most effective way to accomplish this is with a third-party firewall/IPS in front of the server. If you have a limited budget something like a Cisco SA500-series with the IPS module would do the trick.
0
 
LVL 4

Author Comment

by:amanzoor
ID: 36550708
rpassero:
I have a firewall router cisco 2911, and its only forwarding ports 443 and 3389.  I am using access-list 101.  Is there anything more I can do with it? Help
0
 
LVL 6

Expert Comment

by:rpassero
ID: 36550870
As an aside, the account lockout policies configured in Active Directory need to be applied to user accounts and not to the OU holding the TS servers.

I always recommend licensing the security technology package on an ISR -- it greatly expands the device's capabilites as a firewall and intrusion prevention device, which is really what you're looking for here. Once you have that licensed you're going to want to configure things like stateful packet inspection and NetFlow.
0
 
LVL 4

Author Comment

by:amanzoor
ID: 36551246
Here is where I am applying the policy (please see the image)
I have the license for Netflow (it only shows me the packets).  May be to controll as you suggested I need security technology package on an ISR.  
Well I think I should look for a solution via things which I alredy have.  Please suggest if my policy is correctly applied.  I have applied it on a GPO on a terminal server OU.  RIght?
New-Picture--2-.bmp
0
 
LVL 6

Expert Comment

by:rpassero
ID: 36557222
If your Active Directory functional level is Server 2008, you can use what's call "fine-grained password and lockout policies," which can be applied to security groups; if it's anything prior to 2008 then the only password policy that matters what's defined in the default policy. Fine-grained password policies are applied to users and global security groups, not to OUs.

For information about how this works take a look at http://technet.microsoft.com/en-us/library/cc770842%28WS.10%29.aspx 
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
What's worse than having your data encrypted by ransomware? Getting attacked by a so-called "wiper," which simply destroys the data and offers you no hope of ever seeing it again.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question