
Terminal server security

Olaf Berli asked:
Planning to set up a terminal server for a customer. They have a small LAN with 3 or 4 users and are running an application (CRM) with sensitive data. The idea is to put this application on a terminal server (Win 2008 server) and give access to the users. The open part of the LAN could be a simple workgroup where they have Internet access and email only.

I've been told that I need a separate domain controller in order to take care of the terminal server security, and also that the terminal server services should not run on the domain controller. This means 2 servers in this small LAN. Is this so? Is it possible to get proper security without a domain controller?

Commented:
If you want to utilize AD security then yes. You will need to have to servers. It is strongly recommended that you not run TS (RDP) on the same box as the DC.
Other possibility is to restrict access to the CRM via the DB that maintains the data.

Commented:
Typo
You will need two have to servers.

Commented:
haha
You will need to have two servers.

It is a long day, sorry for the typo
Commented:
If you want to use Windows, then yes, a DC will give you much more integrated security.

Do not run Remote desktop session host role (terminal services) on a DC.

You could run Citrix XenServer (free) and that would allow effective segregation of your DC and terminal server.
Olaf Berli (Author, Owner)
Commented:
Thanks.
No good and secure way to have the CRM limit the access and take care of security (it uses only plain passwords and the database is a flat file system).

What kind of access control / security is possible without a domain controller - using only a 2008 terminal server (in a separate LAN) accessed via VPN from the Win Workgroup LAN?
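As an added illustration of what the question above is asking about (this is not code from the thread or from any of its participants), the following PowerShell script shows the access controls that are available on a standalone, workgroup-joined Windows Server 2008 Remote Desktop host with no domain controller: per-user local accounts restricted to the Remote Desktop Users group, a local password and lockout policy in place of domain Group Policy, Network Level Authentication and TLS on the RDP listener, a host firewall rule that only admits the VPN subnet, and logon auditing. The VPN subnet 10.8.0.0/24 and the account names crmuser1 and crmuser2 are placeholders; it must be run from an elevated prompt on the terminal server itself.

```powershell
# Added example, not from the thread: hardening a workgroup (non-domain) Windows Server 2008
# Remote Desktop host. Run in an elevated PowerShell prompt on the terminal server.
# Assumptions (placeholders, not from the page): VPN clients arrive from 10.8.0.0/24,
# and the CRM users get the local accounts crmuser1 and crmuser2.

$VpnSubnet = '10.8.0.0/24'
$CrmUsers  = @('crmuser1', 'crmuser2')

# 1. One local account per person (no shared logins); "net user <name> * /add" prompts
#    for the password interactively so it never lands in the shell history.
foreach ($u in $CrmUsers) {
    net user $u * /add /passwordchg:yes /expires:never
    # Only members of Remote Desktop Users may log on through RDP; ordinary users get nothing else.
    net localgroup "Remote Desktop Users" $u /add
}

# 2. Local account policy stands in for the domain GPO a DC would provide:
#    12-character minimum, 90-day rotation, lockout after 5 failures for 30 minutes.
net accounts /minpwlen:12 /maxpwage:90 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 3. Require Network Level Authentication (credentials checked before a session is built),
#    force the TLS security layer and the "High" encryption level on the RDP-Tcp listener.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord   # 1 = NLA required
Set-ItemProperty -Path $rdp -Name SecurityLayer      -Value 2 -Type DWord   # 2 = TLS
Set-ItemProperty -Path $rdp -Name MinEncryptionLevel -Value 3 -Type DWord   # 3 = High (128-bit)

# 4. Replace the built-in "Remote Desktop" firewall rule group with a single inbound rule
#    scoped to the VPN subnet, so TCP/3389 is unreachable from anywhere else.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
netsh advfirewall firewall add rule name="RDP from VPN only" dir=in action=allow protocol=TCP localport=3389 remoteip=$VpnSubnet

# 5. Record successful and failed logons in the Security event log so that lockouts and
#    brute-force attempts over the VPN are visible (Event IDs 4624/4625 on this platform).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```

This gives per-user authentication, lockout, transport encryption and network-level reachability controls without Active Directory, but it does not give centralised account management, Group Policy or a single audit trail across machines; those remain the reasons the other answers recommend a separate DC (or a virtualised one) once more than a handful of users are involved.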

Commented:
Hi omberli,

Unfortunately I don't know of any other solutions to your problem if you can't control access to the CRM via the DB or via Active Directory.
Commented:
As mentioned above you really need a second server for your AD, but there is no reason you can't virtualise them both on the same physical server, using VMware or Citrix Xen or even Hyper-V. But you will unfortunately still be up for 2 Windows licences.
