Asked by IT Support (United Kingdom)
Windows Server 2008 R2 and terminal server and security

Hi, I hope you are all well.

OK, I am going to build a Win 2008 R2 server. Its primary function is to host Terminal Services for 4 users. Mostly they will be using it over a LAN, but they will need to use it over a WAN as well. The server is housed in a shared office building, and the server and the 4 fixed client PCs are on a VLAN.

It will be set up as follows:

1) No domain, but the server will serve DNS and DHCP.
2) Other network devices are 2 printers and 4 local clients, a mix of PCs and laptops running Win XP Pro 32-bit and Win 7 Home Premium and Pro 64-bit.
3) All PCs and the server are on a VLAN on a switch inside a multiple-occupancy building.
4) Clients will not directly access the server or use mapped drives or anything, but will use an RDP login even when on the LAN, due to a long history of bizarre Sage-related network problems.
5) Users won't really use their actual PCs, all functions being delivered by TS (Office, email (hosted Exchange), IE, web access etc.).

The server does not do anything other than TS. I want to lock it down as tight as possible. I'm relatively new to TS and 2008 R2, so I need advice as to how to shut down everything I don't need to keep the network security tight.

One thing I have considered is running OpenVPN on the server, and simply disabling all other ports from the outside world. Then any of the users who need to connect from the outside world can use the VPN and then run RDP over it. (They will want to use other PCs that they own in different locations to connect to it occasionally.)

So a few questions:

1) Is the OpenVPN idea good? Can it be done in a simpler way?
2) Out of the box for 2008 R2, what can I disable to lock it down?
3) I'm considering putting Trend Micro Worry-Free Business v3 security on it. Is this a good idea, and will it protect the users when they are using their RDP sessions (so when someone uses IE in their RDP session, for instance)?
4) I've only got one NIC in it. Do I need another?

If there's a better way please let me know!
SOLUTION by Andrew Oakeley (Australia)
This solution is only available to members.
ASKER

Thanks for this. Looks much simpler.

One potential issue is that the building they are in is shared by many companies. I may have to use a different port coming from the WAN side and forward it to port 443 on the server through their router. Would there be a problem with this?

Also, when I am installing security on the server, do I need to run in install mode (change user /install) before I install it?
SOLUTION
This solution is only available to members.
SOLUTION
This solution is only available to members.
Hmm... damn!

Hmm. What about running OpenVPN on it? Can I get round the port issue there?

Like the idea of an extra static IP. Will check into that.

Failing that, if I don't use RD Gateway, can I just use RDP and change the port? Could I also add a self-signed cert to help with security?

Thanks again!
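The lock-down the asker is working towards in the original question and in the post above (RDP only, a non-default port, TLS on the listener, and nothing reachable from outside except through the VPN) can be applied on Windows Server 2008 R2 with the built-in tools. The script below is an added example written for this page, not code from the thread or from any of the answers. It assumes a VLAN of 192.168.10.0/24, an OpenVPN tunnel network of 10.8.0.0/24 and a new listener port of 33899; all three are placeholders to replace with the real values. It uses PowerShell 2.0 (the version shipped with 2008 R2), the registry key that holds the RDP-Tcp listener port, the Win32_TSGeneralSetting WMI class, and netsh advfirewall, all of which exist on that release; run it from an elevated prompt on the server itself.

```powershell
# Added example: harden the RDP-Tcp listener on a Windows Server 2008 R2 host
# that does nothing but Terminal Services. Assumed values (not from the thread):
$LanSubnet  = "192.168.10.0/24"   # assumed VLAN holding the 4 client PCs
$VpnSubnet  = "10.8.0.0/24"       # assumed OpenVPN tunnel network
$NewRdpPort = 33899               # assumed non-default RDP listener port

$rdpTcpKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$tsNamespace = "root\cimv2\TerminalServices"

# 1. Move the RDP listener off TCP 3389. The change only takes effect once
#    TermService restarts (step 5), so the firewall rule below is added first.
Set-ItemProperty -Path $rdpTcpKey -Name PortNumber -Value $NewRdpPort -Type DWord

# 2. Require Network Level Authentication, force TLS as the security layer and
#    set the minimum encryption level to High. Win32_TSGeneralSetting exposes
#    these as methods; the TerminalServices namespace needs PacketPrivacy.
$ts = Get-WmiObject -Namespace $tsNamespace -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
$ts.SetUserAuthenticationRequired(1) | Out-Null   # 1 = NLA required before a session is created
$ts.SetSecurityLayer(2)              | Out-Null   # 2 = TLS only (0 = legacy RDP security, 1 = negotiate)
$ts.SetEncryptionLevel(3)            | Out-Null   # 3 = High (128-bit); 4 would be FIPS

# 3. Firewall: enable on every profile, block inbound by default, disable the
#    built-in "Remote Desktop" rule group (it allows 3389 from any address) and
#    allow the new port only from the VLAN and the VPN tunnel. Nothing else is
#    opened, so a connection from the WAN must first come in through OpenVPN.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
netsh advfirewall firewall add rule name="RDP $NewRdpPort from VLAN and VPN only" `
    dir=in action=allow protocol=TCP localport=$NewRdpPort `
    remoteip="$LanSubnet,$VpnSubnet" profile=any

# 4. Read the settings back before restarting the listener, so a typo in the
#    port or the subnet is caught while the current session is still alive.
$ts = Get-WmiObject -Namespace $tsNamespace -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
"NLA required  : $($ts.UserAuthenticationRequired)   (expect 1)"
"Security layer: $($ts.SecurityLayer)   (expect 2 = TLS)"
"Min encryption: $($ts.MinEncryptionLevel)   (expect 3 = High)"
"RDP port      : $((Get-ItemProperty -Path $rdpTcpKey).PortNumber)   (expect $NewRdpPort)"
netsh advfirewall firewall show rule name="RDP $NewRdpPort from VLAN and VPN only"

# 5. Apply the port change. This disconnects every active RDP session, so run
#    it from the console or from a session you are prepared to lose.
Restart-Service -Name TermService -Force
```

Two caveats worth knowing before relying on this. First, the self-signed certificate the asker mentions is what TLS on the RDP-Tcp listener already uses by default; it encrypts the session, but clients cannot verify it unless that certificate (or one issued by a CA they trust) is installed on them, so it does not by itself stop a man-in-the-middle on an untrusted network, which is one more reason to keep the listener reachable only over the VLAN and the VPN. Second, a non-standard port is obscurity rather than a control: the remoteip restriction and NLA are what actually keep a scanner on the building's shared network from reaching a logon prompt.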
SOLUTION
This solution is only available to members.
Hi guys.

One last thing: what would happen if I moved the server out of that building where the clients are to another location (where I have full control over ports etc.)? Would I still need ports open through the building (now only containing the 4 clients), or would that work without having to do anything?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Sorry about the delay in closing this. Thanks for your help.