247computerdoctor (United Kingdom) asked:

Windows Server 2008 R2 and terminal server and security

Hi, I hope you are all well.

OK, I am going to build a Win 2008 R2 server. Its primary function is to host Terminal Services for 4 users. Mostly they will be using it over a LAN, but they will need to use it over a WAN as well. The server is housed in a shared office building, and the server and the 4 fixed client PCs are on a VLAN.

It will be set up as follows:

1) No domain, but the server will serve DNS and DHCP.
2) Other network devices are 2 printers and 4 local clients - a mix of PCs and laptops running Win XP Pro 32-bit and Win 7 Home Premium and Pro 64-bit.
3) All PCs and the server are on a VLAN on a switch inside a multiple-occupancy building.
4) Clients will not directly access the server or use mapped drives or anything, but will use an RDP login even when on the LAN, due to a long history of bizarre Sage-related network problems.
5) Users won't really use their actual PCs, all functions being delivered by TS (Office, email (hosted Exchange), IE, web access etc.).


The server does not do anything other than TS. I want to lock it down as tight as possible. I'm relatively new to TS and 2008 R2, so I need advice as to how to shut everything I don't need down to keep the network security tight.

One thing I have considered is running OpenVPN on the server, and simply disabling all other ports from the outside world. Then any of the users who need to connect from the outside world can use the VPN and then run RDP over it. (They will want to use other PCs that they own in different locations to connect to it occasionally.)

So a few questions:

1) Is the OpenVPN idea good? Can it be done in a simpler way?
2) Out of the box for 2008 R2, what can I disable to lock it down?
3) I'm considering putting Trend Micro Worry-Free Business v3 security on it - is this a good idea, and will it protect the users when they are using their RDP sessions (so when someone uses IE in their RDP session, for instance)?
4) I've only got one NIC in it - do I need another?

If there's a better way please let me know!
Windows Server 2008
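An added example, written by the editor and not taken from the thread or from the experts' answers, of the host-firewall lockdown the asker outlines in questions 1 and 2: default-deny inbound on the server, RDP reachable only from the office VLAN and the OpenVPN tunnel, OpenVPN the single service the building router forwards from the WAN, and Network Level Authentication required. The office VLAN subnet (192.168.10.0/24), the OpenVPN tunnel subnet (10.8.0.0/24) and the OpenVPN port (UDP 1194) are assumed placeholder values to be replaced with the real ones.

```batch
@echo off
REM Added example, not from the thread. Run from an elevated cmd prompt on the 2008 R2 server.
REM Assumed values (adjust): office VLAN 192.168.10.0/24, OpenVPN tunnel 10.8.0.0/24,
REM OpenVPN listening on UDP 1194.

REM 1) Firewall on for every profile; block everything inbound unless a rule allows it.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

REM 2) The built-in RDP rule allows 3389 from ANY address. Disable it and replace it
REM    with one scoped to the VLAN and the VPN tunnel only.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
netsh advfirewall firewall add rule name="RDP from VLAN and VPN only" dir=in action=allow protocol=TCP localport=3389 remoteip=192.168.10.0/24,10.8.0.0/24

REM 3) OpenVPN is the only service exposed to the WAN: the building router forwards
REM    just this UDP port to the server, RDP never faces the internet directly.
netsh advfirewall firewall add rule name="OpenVPN UDP 1194" dir=in action=allow protocol=UDP localport=1194

REM 4) DNS and DHCP are served by this box, but only to the VLAN. A DHCP DISCOVER
REM    arrives from 0.0.0.0 (broadcast), so that rule cannot be scoped by source address.
netsh advfirewall firewall add rule name="DNS UDP from VLAN" dir=in action=allow protocol=UDP localport=53 remoteip=192.168.10.0/24
netsh advfirewall firewall add rule name="DNS TCP from VLAN" dir=in action=allow protocol=TCP localport=53 remoteip=192.168.10.0/24
netsh advfirewall firewall add rule name="DHCP server" dir=in action=allow protocol=UDP localport=67

REM 5) Require Network Level Authentication (logon screen never shown to an
REM    unauthenticated client) and force the TLS security layer (SecurityLayer 2).
REM    Note: XP SP3 clients need CredSSP enabled before they can connect with NLA.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 2 /f

REM 6) Check: list enabled inbound rules and confirm that nothing other than the
REM    OpenVPN rule allows a port from "Any" remote address.
netsh advfirewall firewall show rule name=all dir=in
```

The registry changes take effect for new RDP connections without a reboot; existing sessions are not affected.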

Last comment: 247computerdoctor, 8/22/2022 - Mon
SOLUTION by Andrew Oakeley
247computerdoctor (ASKER):

Thanks for this. Looks much simpler.

One potential issue is that the building they are in is shared by many companies - I may have to use a different port coming from the WAN side and forward it to port 443 on the server through their router. Would there be a problem with this?

Also, when I am installing security on the server, do I need to run in install mode (change user /install) before I install it?
SOLUTION by Andrew Oakeley
SOLUTION
247computerdoctor (ASKER):

Hmm... damn!

Hmm. What about running OpenVPN on it? Can I get round the port issue there?

I like the idea of an extra static IP - will check into that.

Failing that, if I don't use RD Gateway, can I just use RDP and change the port? Could I also add a self-signed cert to that to help with security?

Thanks again!
SOLUTION
247computerdoctor (ASKER):

Hi guys.

One last thing - what would happen if I moved the server out of that building where the clients are to another location (where I have full control over ports etc.)? Would I still need ports open through the building (now only containing the 4 clients), or would that work without having to do anything?
ASKER CERTIFIED SOLUTION
247computerdoctor (ASKER):

Sorry about the delay in closing this. Thanks for your help.