Windows Server 2008 R2 and terminal server and security

247computerdoctor asked:
Hi, I hope you are all well.

OK, I am going to build a Win 2008 R2 server. Its primary function is to host Terminal Services for 4 users. Mostly they will be using it over a LAN, but they will need to use it over a WAN as well. The server is housed in a shared office building, and the server and the 4 fixed client PCs are on a VLAN.

It will be set up as follows:

1) No domain, but the server will serve DNS and DHCP.
2) Other network devices are 2 printers and 4 local clients: a mix of PCs and laptops running Win XP Pro 32-bit and Win 7 Home Premium and Pro 64-bit.
3) All PCs and the server are on a VLAN on a switch inside a multiple-occupancy building.
4) Clients will not directly access the server or use mapped drives or anything, but will use an RDP login even when on the LAN, due to a long history of bizarre Sage-related network problems.
5) Users won't really use their actual PCs, all functions being delivered by TS (Office, email (hosted Exchange), IE, web access etc.).

The server does not do anything other than TS. I want to lock it down as tight as possible. I'm relatively new to TS and 2008 R2, so I need advice as to how to shut down everything I don't need to keep the network security tight.

One thing I have considered is running OpenVPN on the server and simply disabling all other ports from the outside world. Then any of the users who need to connect from the outside world can use the VPN and then run RDP over it. (They will want to use other PCs that they own in different locations to connect to it occasionally.)

So a few questions:

1) Is the OpenVPN idea good? Can it be done in a simpler way?
2) Out of the box for 2008 R2, what can I disable to lock it down?
3) I'm considering putting Trend Micro Worry-Free Business v3 security on it. Is this a good idea, and will it protect the users when they are using their RDP sessions (so when someone uses IE in their RDP session, for instance)?
4) I've only got one NIC in it. Do I need another?

If there's a better way, please let me know!
Andrew Oakeley (Consultant):
I would use Terminal Server Gateway rather than using a VPN. It is simpler for the users as they do not have to connect a VPN before logging onto the server. For the small number of users you have, this can be the same server as the terminal server. The traffic will be encrypted over SSL, so it is secure.

If you want to make it really secure use a self signed certificate, then only computers with the certificate installed can even make the initial connection to the TS Gateway.

Internally across the LAN they can just access it on the normal RDP port 3389.

Once you have enabled TS and users can log on, the next trick is to stop them breaking anything. Fortunately 2008 R2 is much better at stopping users saving things and changing things that they are not meant to. So you can pretty much leave the server as is and they are not likely to be able to break much, but this does not mean they won't poke their nose in where it does not belong. If the computer was on a domain I would suggest using Group Policy to hide C: and "show only specified control panel applets". This will not stop the determined user, but stops the casual user from seeing things they should not play with. Your options in this regard on a standalone server are limited, as if you change the local policy it will also apply to you, the administrator, which can be annoying. You could look at mandatory profiles to get around this, but that's a whole different story. Google it.

You only need one NIC; just forward port 443 through the firewall to the server for RDP to work over SSL via your TS Gateway. This will be the only port open to the outside world.

Some kind of virus protection/web filtering is essential. Pick your flavour; they are all pretty much as good/bad as each other depending on who you talk to. If you have something you like and believe works, use it.
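The firewall posture described in this answer (only TCP 443 for the RD Gateway reachable from outside, plain RDP on 3389 kept to the office VLAN, one NIC) expressed as Windows Firewall rules for 2008 R2. This is an added example, not Andrew's or the asker's configuration; the VLAN subnet 192.168.10.0/24 and the rule names are assumed placeholders.

```powershell
# Added example: lock inbound traffic on a single-NIC 2008 R2 terminal server
# that also runs RD Gateway. netsh advfirewall is used because the
# New-NetFirewallRule cmdlets only exist from Server 2012 onwards.
# Assumption: the four client PCs sit on 192.168.10.0/24 (placeholder).
$lanSubnet = "192.168.10.0/24"

# Default policy for every profile: drop inbound unless explicitly allowed,
# so anything the DNS/DHCP/RDS roles did not register stays closed.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Turn off the built-in "Remote Desktop" rule group, which opens 3389 to any
# source address; it is replaced by the LAN-scoped rule below.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# Plain RDP (3389): accepted only from the office VLAN. The gateway service on
# this same host reaches 3389 from the server's own LAN address, so it is covered.
netsh advfirewall firewall add rule name="RDP from LAN only" dir=in action=allow protocol=TCP localport=3389 remoteip=$lanSubnet profile=any

# RD Gateway (RDP over SSL): this is the single port forwarded at the router,
# so it is the only listener reachable from the outside world.
netsh advfirewall firewall add rule name="RD Gateway HTTPS" dir=in action=allow protocol=TCP localport=443 profile=any

# Verify what was created; both rules should show Enabled: Yes and the
# RDP rule should list the VLAN under RemoteIP rather than Any.
netsh advfirewall firewall show rule name="RDP from LAN only" verbose
netsh advfirewall firewall show rule name="RD Gateway HTTPS" verbose
```

Run from an elevated PowerShell prompt; if the server ever moves off the clients' VLAN, update `$lanSubnet` before the move or LAN RDP will stop working.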


Thanks for this. Looks much simpler.

One potential issue is that the building they are in is shared by many companies. I may have to use a different port coming from the WAN side and forward to port 443 on the server through their router. Would there be a problem with this?

Also, when I am installing security on the server, do I need to run in install mode (change user /install) before I install it?
Andrew Oakeley (Consultant):
Unfortunately I do not believe you can change the port. It must be the default 443.
You cannot change the RD Gateway server's port, and you cannot change the port the RD client attempts to connect to the gateway on.

However, I believe this functionality will be available in Windows 8.

What do you mean by installing security? You need to put the server into install mode any time you install an application. If you are just changing registry/policy settings you do not need to put it in install mode. You also do not need to put it in install mode when doing Windows updates.

Andrew Oakeley (Consultant):
Can you get the ISP to route additional IPs to the current public IP? Then you can use one of those to forward 443.



Hmm. What about running OpenVPN on it? Can I get round the port issue there?

I like the idea of an extra static IP; I will check into that.

Failing that, if I don't use RD Gateway, can I just use RDP and change the port? Could I also add a self-signed cert into that to help with security?

Thanks again!
Andrew Oakeley (Consultant):
OpenVPN will get you around the port issue, unless the OpenVPN port is already in use or you change that port.

You could run TS on a different port also, and not use RD Gateway, though this is not recommended.


Hi guys.

One last thing: what would happen if I moved the server out of that building where the clients are to another location (where I have full control over ports etc.)? Would I still need ports open through the building (now only containing the 4 clients), or would that work without having to do anything?

You would not need to forward any ports in the network where the clients are, only where the server is.


Sorry about the delay in closing this. Thanks for your help.
