Hi, I hope you are all well.
OK, I am going to build a Win 2008 R2 server. Its primary function is to host Terminal Services for 4 users. Mostly they will be using it over a LAN, but they will need to use it over a WAN as well. The server is housed in a shared office building, and the server and the 4 fixed client PCs are on a VLAN.
It will be set up as follows:
1) No domain, but the server will serve DNS and DHCP.
2) Other network devices are 2 printers and 4 local clients: a mix of PCs and laptops, on Win XP Pro 32-bit and Win 7 Home Premium and Pro 64-bit.
3) All PCs and the server are on a VLAN on a switch inside a multiple-occupancy building.
4) Clients will not directly access the server or use mapped drives or anything, but will use an RDP login even when on the LAN, due to a long history of bizarre Sage-related network problems.
5) Users won't really use their actual PCs, all functions being delivered by TS (Office, email (hosted Exchange), IE, web access etc.)
The server does not do anything other than TS. I want to lock it down as tight as possible. I'm relatively new to TS and 2008 R2, so I need advice as to how to shut down everything I don't need to keep the network security tight.
One thing I have considered is running OpenVPN on the server and simply disabling all other ports from the outside world. Then any of the users who need to connect from the outside world can use the VPN and then run RDP over it. (They will want to use other PCs that they own in different locations to connect to it occasionally.)
So a few questions:
1) Is the OpenVPN idea good? Can it be done in a simpler way?
2) Out of the box for 2008 R2, what can I disable to lock it down?
3) I'm considering putting Trend Micro Worry Free Business v3 Security on it. Is this a good idea, and will it protect the users when they are using their RDP sessions (so when someone uses IE on their RDP session, for instance)?
4) I've only got one NIC in it. Do I need another?
If there's a better way, please let me know!
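
The "RDP only over the LAN or the VPN" layout described in the post, sketched with the built-in Windows Firewall on 2008 R2. This is an added example, not part of the original post. The two subnets and the OpenVPN port are assumptions (constructed values), and the rule names are hypothetical.

```bat
@echo off
rem Added example: limit inbound RDP to the office VLAN and the VPN tunnel.
rem Assumed (constructed) values; replace with the real ones.
set LAN_NET=192.168.10.0/24
set VPN_NET=10.8.0.0/24
set VPN_PORT=1194

rem Keep the firewall on for every profile; block inbound by default.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem Add the scoped RDP rule first so a session from the LAN stays allowed
rem when the broad rules are disabled below.
netsh advfirewall firewall add rule name="RDP from LAN and VPN only" dir=in action=allow protocol=TCP localport=3389 remoteip=%LAN_NET%,%VPN_NET% profile=any

rem Disable the built-in Remote Desktop rules, which accept any remote address.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

rem OpenVPN listener: the only service meant to be reachable from the WAN.
netsh advfirewall firewall add rule name="OpenVPN inbound" dir=in action=allow protocol=UDP localport=%VPN_PORT% profile=any

rem Print both rules so the scope can be checked.
netsh advfirewall firewall show rule name="RDP from LAN and VPN only"
netsh advfirewall firewall show rule name="OpenVPN inbound"
```

Run it from an elevated command prompt on the server. It does not touch the DNS and DHCP rules, and the building's router would still need to forward only the OpenVPN port to the server.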