Terminal Services Security
I have a remote web server that I access using Terminal Services. I noticed (in the event log) that someone is attempting to access the machine. There are numerous "invalid logon" attempts (every second).
This is a W2008 server. What is the best way to secure this? Is there a way to automatically block an IP that has repeated bad logons?
I need to be able to access this server from any location. Is there a certificate method?
This is a W2008 server. What is the best way to secure this? Is there a way to automatically block an IP that has repeated bad logons?
I need to be able to access this server from any location. Is there a certificate method?
ASKER
If I setup the certificate, does that require something extra on the client computers I will be using?
You should install certificate on client:
http://www.petri.co.il/securing_rdp_communications.htm
May be this article will be interesting to you:
http://www.petri.co.il/securing-rdp-remote-desktop-and-terminal-server-connections.htm
This parameter was new for me:
Set an account lockout policy - There are tools that will use brute-force to guess passwords and log-on remotely. You cannot totally stop this, but you can minimized it by setting an account lockout policy. If someone tries to guess the password, then after a few guesses they will be locked out for a period of time.
http://www.petri.co.il/securing_rdp_communications.htm
May be this article will be interesting to you:
http://www.petri.co.il/securing-rdp-remote-desktop-and-terminal-server-connections.htm
This parameter was new for me:
Set an account lockout policy - There are tools that will use brute-force to guess passwords and log-on remotely. You cannot totally stop this, but you can minimized it by setting an account lockout policy. If someone tries to guess the password, then after a few guesses they will be locked out for a period of time.
ASKER
I setup account lockout policies but they don't seem to work for terminal service connections. I am still seeing numerous invalid logon attempts every few seconds. If the lockout was working, I would think it would lock the attemp out for 30 minutes.
These articles are fairly complex. Event the wizards are pretty complex. I'm afraid will will lock myself out, or lock out customer access to teh web sites.
I just want to be sure that terminal services connections are from me, although it can be fro multiple machines.
What is the best approach.
These articles are fairly complex. Event the wizards are pretty complex. I'm afraid will will lock myself out, or lock out customer access to teh web sites.
I just want to be sure that terminal services connections are from me, although it can be fro multiple machines.
What is the best approach.
As I've stated before - for successfull filtering of attacks you need firewall.
You can try to use internal server 2008 firewall, but usually some external (hardware or software) is used.
Here are some basics:
http://www.windowsnetworking.com/articles_tutorials/configure-Windows-Server-2008-advanced-firewall-MMC-snap-in.html
You can block individual Ips:
http://tech.avivo.si/2011/04/how-to-block-remote-ip-address-hacker-attack-on-windows-2008-server/
You can try to use internal server 2008 firewall, but usually some external (hardware or software) is used.
Here are some basics:
http://www.windowsnetworking.com/articles_tutorials/configure-Windows-Server-2008-advanced-firewall-MMC-snap-in.html
You can block individual Ips:
http://tech.avivo.si/2011/04/how-to-block-remote-ip-address-hacker-attack-on-windows-2008-server/
Read this also:
http://support.microsoft.com/kb/2667402/en-us
http://support.microsoft.com/kb/2667402/en-us
ASKER
I don;t think IP filtering will work. The attacks seem to be coming from more tahn one IP address.
Would a VPN connection be more secure? I could establish a VPN, and then do terminal services. I would not have to open the port (3389) publically.
Would a VPN connection be more secure? I could establish a VPN, and then do terminal services. I would not have to open the port (3389) publically.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx
IP blocking is function of firewall, it is not possible in RDP settings.