Solved

Terminal Services Security

Posted on 2012-03-12
8
290 Views
Last Modified: 2012-03-26
I have a remote web server that I access using Terminal Services.  I noticed (in the event log) that someone is attempting to access the machine.  There are numerous "invalid logon" attempts (every second).

This is a W2008 server.  What is the best way to secure this?   Is there a way to automatically block an IP that has repeated bad logons?

I need to be able to access this server from any location.  Is there a certificate method?
0
Comment
Question by:No1Coder
  • 5
  • 3
8 Comments
 
LVL 39

Expert Comment

by:als315
ID: 37710971
You can use certificate for authentification:
http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
IP blocking is function of firewall, it is not possible in RDP settings.
0
 

Author Comment

by:No1Coder
ID: 37711940
If I setup the certificate, does that require something extra on the client computers I will be using?
0
 
LVL 39

Expert Comment

by:als315
ID: 37713128
You should install certificate on client:
http://www.petri.co.il/securing_rdp_communications.htm
May be this article will be interesting to you:
http://www.petri.co.il/securing-rdp-remote-desktop-and-terminal-server-connections.htm
This parameter was new for me:
Set an account lockout policy - There are tools that will use brute-force to guess passwords and log-on remotely. You cannot totally stop this, but you can minimized it by setting an account lockout policy. If someone tries to guess the password, then after a few guesses they will be locked out for a period of time.
0
 

Author Comment

by:No1Coder
ID: 37729165
I setup account lockout policies but they don't seem to work for terminal service connections.  I am still seeing numerous invalid logon attempts every few seconds.  If the lockout was working, I would think it would lock the attemp out for 30 minutes.

These articles are fairly complex.  Event the wizards are pretty complex.  I'm afraid will will lock myself out, or lock out customer access to teh web sites.

I just want to be sure that terminal services connections are from me, although it can be fro multiple machines.

What is the best approach.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 39

Expert Comment

by:als315
ID: 37729290
As I've stated before - for successfull filtering of attacks you need firewall.
You can try to use internal server 2008 firewall, but usually some external (hardware or software) is used.
Here are some basics:
http://www.windowsnetworking.com/articles_tutorials/configure-Windows-Server-2008-advanced-firewall-MMC-snap-in.html
You can block individual Ips:
http://tech.avivo.si/2011/04/how-to-block-remote-ip-address-hacker-attack-on-windows-2008-server/
0
 
LVL 39

Expert Comment

by:als315
ID: 37734290
0
 

Author Comment

by:No1Coder
ID: 37746584
I don;t think IP filtering will work.  The attacks seem to be coming from more tahn one IP address.

Would a VPN connection be more secure?  I could establish a VPN, and then do terminal services.  I would not have to open the port (3389) publically.
0
 
LVL 39

Accepted Solution

by:
als315 earned 500 total points
ID: 37746694
Good idea. This is usual setup.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now