Sonicwall TZ200 Set up port 3389 for exclusive access

I need to give my software vendor the ability to access our Windows 2003 Small Business Server so that he can work on his program. He had been getting access through Terminal Services, but so did a friggin hacker using a brute force type of attack to try and log in.

I removed Terminal Services from our Sonicwall TZ200 and no more hackers, but no access for the software vendor. I know using something like Teamviewer would allow him to work on his software, but he says that he won't be able to do everything he needs to do that way. I don't see what the problem would be - other than the fact that I think he wants to work at night when nobody would be in our office to give him access.

My question: Is there a way that the TZ200 can be set up to give the vendor and only the vendor access to terminal services through port 3389, or would I need to set up something like a VPN with them? We are a small company with only one office, so we have not needed to set up any inter-office connections before and I don't see a need to do so in the future.

Thanks in advance for any assistance,

Mike
mmed810132Asked:

Blue Street TechLast KnightCommented:
Hi mmed810132,

It's a best practice to set up a VPN, especially since you have already been compromised. Opening port 3389 is not advisable, since having it open makes it a target and it is pretty simple to exploit.

Once you set up the VPN you can lock down his access to specific IP-based resources, and managing this for other vendors will be easier and more secure.

Let me know if you need step by step instructions and I can provide that if need be.
0
systems_QuixoteCommented:
Vendors will typically have static IP addresses for the offices they work out of. Filter down the RDP (Terminal Server) access to only his IP; hackers will not see that port open. The port will only be available to your vendor, no VPN needed.

This is the way we have vendors connect in and it passes PCI compliance scans.
0
mmed810132Author Commented:
Hi diverseit,

Thanks for the reply. Please excuse my newbie-type questions, but I want to make sure I am understanding what we're doing so that I don't screw anything up.

By saying "lock down his access to a specific IP based resource", do you mean we are setting his IP address as the only one able to access our server via this VPN tunnel? How would this be used by other vendors (although as of now, I would probably be the only one who might use it)?

If you wouldn't mind, step-by-step instructions would be great. That is how I find I learn best.

Again, thanks for your reply,

Mike
0

Blue Street TechLast KnightCommented:
Hi Mike,

No question is a bad question here on EE!

I will reply when I get in front of a computer...I'm on a mobile right now.
0
Blue Street TechLast KnightCommented:
Even if you filter port 3389 to specific IPs it's still susceptible to a man-in-the-middle attack. I still would recommend against opening port 3389 on your firewall...it's not a security best practice.

Anyway, to answer your question, you would create an Object Address for the Server (or IP based resource, e.g. workstation, etc.). That way when the vendor logs into the VPN he will only have access to that IP based resource, e.g. server, workstation or whatever it is he needs access to. If it is more than one object you can simply create a group.

Does that make sense?

Here is the step-by-step.

1. Set up your Address Object(s) (these are the resources the vendor will have access to, e.g. server, workstation, etc.)
Create the Address Object for the resource Host (192.168.x.x):
Go to Network > Address Objects.
Click on View Style & click Custom Address Objects.
Under Address Objects, click Add...
Type in the Name (whatever you want to identify the object), Zone Assignment (select LAN), Type (select Host), IP Address (192.168.x.x).
Click OK.

2.a. Here is how to set up a VPN using GVC: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=7507

2.b. If you want to set up an SSL-VPN, here's how: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=6461

Let me know if you need any clarification & how it goes!
0
systems_QuixoteCommented:
Here is what I would do:

Create an Address Object for your internal server:
Go into Network > Address Objects > Add under Address Objects
Server Name, LAN, HOST, (IP Address: internal IP address of the server)

Create an address object for your vendor's public IP address. You can find out what his IP address is by having them go to www.whatismyip.com
Go into Network > Address Objects > Add under Address Objects
Vendor Name, WAN, HOST, (IP Address: public IP address from www.whatismyip.com)
Create as many of these as you need for each vendor that needs to access your TS.

If you want to add multiple public IP addresses (or multiple vendors) for any one server, go into Network > Address Objects > Add under Address Groups > Add Group.
Here you will create a name for the group and then select all the public IPs (Vendors) you want to assign to that server.

Lastly, create address objects for the WAN IPs assigned to you by your ISP the same way:
Name (the IP address itself, just for easy identification), WAN, Host, WAN IP.

Then create your NAT policy to redirect traffic to the internal server you created in the first address group.
Go to Network > NAT Policies > Add. For Source use ANY (Original); for Destination select your address object for the public IP (the public IP you are giving your vendor so he can Terminal Server into you) as Original and the address group for the internal server they are to manage as Translated; for Service use ANY (Original); for Inbound Interface use X1 and for Outbound use ANY.
The reason you do not need to be specific on the services or vendor IP here is that the firewall rule is the one that will be processed before the NAT rule on the firewall. So no need to get crazy on specifying ports or IPs here.

Then go and create your firewall rule that allows port 3389 from WAN to LAN. Here you will use the vendor's public IP under SOURCE, DESTINATION will be the public IP you are giving your vendor to access your server, SERVICE will be only for port 3389, and ACTION is Allow.

This configuration here is safe enough for PCI compliance.
0
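The two step-by-step answers above (the address objects and VPN-scoped access in Blue Street Tech's reply, and the address group, NAT policy and WAN-to-LAN access rule in systems_Quixote's reply) both rest on the same idea: named address objects, combined into groups, referenced by a rule that decides before any translation happens. The following added example (not from this thread, not SonicWall code, and not a statement about SonicOS internals) models that layering in Python so the effect of each rule can be checked against constructed sample connections. All addresses are constructed documentation-range values; the rule ordering (access rule evaluated first, then NAT) follows systems_Quixote's description and is an assumption of the model. The last sample connection illustrates the caveat Blue Street Tech raises later in the thread: a vendor connecting from an IP that is not in the group is dropped just like anyone else.

```python
# Added example: a small model of address objects, address groups, an access
# rule and a NAT policy, evaluated against constructed connections.
# Not SonicWall code; rule ordering follows the thread's description.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network


def host(ip: str) -> Net:
    """A 'Host' address object: a single /32."""
    return ipaddress.ip_network(f"{ip}/32")


def group(*members: Net) -> List[Net]:
    """An address group: a list of address objects."""
    return list(members)


@dataclass
class AccessRule:
    name: str
    source: List[Net]        # address object(s)/group allowed to connect
    destination: List[Net]   # the public (WAN) IP object being connected to
    port: Optional[int]      # TCP port for the service; None means any
    action: str              # "allow" or "deny"

    def matches(self, src, dst, port: int) -> bool:
        return (any(src in n for n in self.source)
                and any(dst in n for n in self.destination)
                and (self.port is None or self.port == port))


@dataclass
class NatPolicy:
    original_destination: Net                       # public IP object
    translated_destination: ipaddress.IPv4Address   # internal server


class Firewall:
    """Evaluate access rules first, then apply NAT; default action is drop."""

    def __init__(self, rules: List[AccessRule], nats: List[NatPolicy]):
        self.rules = rules
        self.nats = nats

    def evaluate(self, src_ip: str, dst_ip: str, dst_port: int) -> Dict[str, Optional[str]]:
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if not rule.matches(src, dst, dst_port):
                continue
            if rule.action != "allow":
                return {"action": "drop", "rule": rule.name, "translated_to": None}
            # Only an allowed connection reaches the NAT policy.
            translated = next((str(n.translated_destination) for n in self.nats
                               if dst in n.original_destination), None)
            return {"action": "allow", "rule": rule.name, "translated_to": translated}
        return {"action": "drop", "rule": None, "translated_to": None}


# --- constructed configuration (documentation-range addresses) ---
SERVER = host("192.168.1.20")     # internal Terminal Server (LAN, Host)
WAN_IP = host("198.51.100.5")     # public IP assigned by the ISP (WAN, Host)
VENDOR_OFFICES = group(host("203.0.113.10"), host("203.0.113.11"))  # vendor's static IPs

FW = Firewall(
    rules=[AccessRule("Vendor RDP", VENDOR_OFFICES, [WAN_IP], 3389, "allow")],
    nats=[NatPolicy(WAN_IP, ipaddress.ip_address("192.168.1.20"))],
)


def check(src_ip: str, dst_port: int = 3389) -> Dict[str, Optional[str]]:
    """Evaluate a connection from src_ip to the public IP on dst_port."""
    return FW.evaluate(src_ip, "198.51.100.5", dst_port)


if __name__ == "__main__":
    samples = [
        ("203.0.113.10", 3389),   # vendor office: allowed, translated to the server
        ("192.0.2.77", 3389),     # anyone else scanning the port: dropped
        ("203.0.113.10", 22),     # vendor, but a different service: dropped
        ("203.0.113.99", 3389),   # vendor from an unlisted (e.g. dynamic) IP: dropped
    ]
    for src, port in samples:
        print(f"{src}:{port} -> {check(src, port)}")
```

Because the access rule is keyed on the source address group, widening access to another vendor office means adding one more Host object to `VENDOR_OFFICES` rather than touching the NAT policy, which is the maintainability point both answers make.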
mmed810132Author Commented:
Thanks for the info. Yes, it makes sense, especially not opening up port 3389 at all.

I will be back in the office tomorrow and will then attempt this setup. I will post back and let you know what happened.

Thanks for the KB links - I know I will be searching and printing through their knowledge bases!
0
Blue Street TechLast KnightCommented:
Sounds good. I'll be here!
0
mmed810132Author Commented:
It looks like I won't be able to get to this until tomorrow - there are problems at the vendors end and I won't be able to get to the person who handles these things until then.

I have, however, set up my side with your help. Hopefully by this time tomorrow I'll be all set up. Thanks for your assistance and patience.
0
Blue Street TechLast KnightCommented:
My pleasure. Just let me know when you're ready and we'll get'r done!
0
Blue Street TechLast KnightCommented:
Any update on this?
0
mmed810132Author Commented:
Sorry for the delay - I've been dealing with hardware failures on both servers as well as battery backup failures and workstation problems.

I have scheduled a 10AM session tomorrow with my vendor to hopefully get this done.
0
Blue Street TechLast KnightCommented:
ooo ouch! Hope everything gets settled for you. I'll be here when you're ready!
0
Gary ColtharpSr. Systems EngineerCommented:
This is Small Business Server, so why isn't your vendor just using Remote Web Workplace? It doesn't have the same vulnerabilities as a direct port translate due to wrapping the connection through RPC over HTTP.

HTH

Gary
0
Cris HannaSr IT Support EngineerCommented:
You listed this question in the SBS zone...are you using SBS and if so, what version?
0
Blue Street TechLast KnightCommented:
@CrisHanna_MVP - mmed810132 is using Windows 2003 Small Business Server
0
mmed810132Author Commented:
Step-by-step instructions are the best for us newbies!
0
Blue Street TechLast KnightCommented:
I'm glad I could help. Thanks for the points!
0
Blue Street TechLast KnightCommented:
mmed810132,

I'm curious why you selected comment http:#a39458678 as an answer too when you said, "Yes, it makes sense, especially not opening up port 3389 at all."
That comment recommends opening port 3389, which is a vulnerability. It also assumes the vendor has a static Public IP. If the vendor uses a dynamic Public IP and/or the vendor works from multiple locations that solution will not only leave you compromised but it will fail to provide the vendor access.

Thoughts?
0
mmed810132Author Commented:
@diverseit,

There is a very real explanation for why I recommended it - I was at work, being stopped every 10 seconds (or so it seemed), so when I was selecting the answer, I thought I was selecting your answer. I saw the step-by-step list and clicked that answer thinking it was your answer. Because I was in such a hurry, I did not realize I had already selected your answer and I did not check myself before I responded.

Closing off port 3389 has stopped the brute force attempts and I have not had any problems since closing it. It was the best and easiest thing to do.

So the short version of my answer - I did it because I was a D.E.U. (Dumb End User).

Nobody to blame but myself!
0
Blue Street TechLast KnightCommented:
Ok - no problem! Thanks for getting back to me on this.

With your explanation, I am going to remove comment http:#a39458678 as part of your solution so other EE users in the future don't get confused.

Thanks.
0
mmed810132Author Commented:
No problem - sorry I screwed up in the first place!
0