Server 2003 RDP Authentication

Wondering if anyone knows a way to set up a Server 2003 Terminal Server to deny connections unless the client uses the common name on my installed SSL certificate to connect. I don't want them to be able to connect by our static WAN IP address, only by the appropriate server name on the certificate installed on the TS.
chipsnetworkAsked:
kevinhsiehCommented:
I can't think of a way to do that because SSL validation is handled by the client, not the server.

It sounds to me that you are looking to reduce the exposure of your terminal server to unauthorized users. I would look at PhoneFactor.com as an easy-to-install and low-cost way to add multi-factor authentication to your server.

Other options include putting the server behind Remote Desktop Gateway or VPN.
0
gurutcCommented:
Hi,

One workaround would be to change the default RDP port on your server.  If you're trying to prevent port scans from finding your TS or if you want to limit who knows about the server this will work.  Change the port on your server, and if you have a SOHO router, change the port on it also that forwards to your server.

If you do this, the new port will show as a listening port to any port scans, but the scanning will not identify what service the port supports.  I've done this to get to my servers via RDP when a site network is firewalling incoming RDP on the default port 3389.  I just configure TS to listen on the SSH port 22.  And any attempt to SSH to my server just fails because that's not what's listening on that port.

This will allow RDP to the WAN IP or the FQDN on your certificate, but only if you know that RDP has been reconfigured and only if you know what new port it's listening on.

Good Luck,

- gurutc
0
gurutcCommented:
Oops, forgot to post the KB link on how to do this:

http://support.microsoft.com/kb/306759

Regards,

- gurutc
0
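The port change gurutc describes, as an added PowerShell example that is not from the thread or from the KB article: it reads the current RDP-Tcp PortNumber, refuses a port that another local service already has open (the SFTP-on-22 situation mentioned later in the thread), writes the new value, and verifies it. It assumes PowerShell is installed on the server, that the script runs with administrative rights, and that the registry path from KB 306759 is present.

```powershell
# Added example: move the Terminal Server listener to a new port by changing
# the PortNumber value described in KB 306759, then verify the write.
# Assumes PowerShell is available on the server and runs as an administrator.
param(
    [Parameter(Mandatory = $true)]
    [ValidateRange(1025, 65535)]
    [int]$NewPort
)

$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Read the current listener port (3389 by default).
$current = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
Write-Host "Current RDP listener port: $current"

# Refuse a port that something else already listens on (for example an SFTP
# server on 22), otherwise the RDP listener would silently fail to bind.
$inUse = netstat -an | Select-String -Pattern "[:.]$NewPort\s+.*LISTENING"
if ($inUse) {
    throw "Port $NewPort is already listening on this host; choose another."
}

# Write the new port as a REG_DWORD, exactly as the KB article describes.
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $NewPort -Type DWord

# Read it back to confirm the change took effect.
$after = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
if ($after -ne $NewPort) { throw "Registry write failed: PortNumber is $after" }
Write-Host "RDP-Tcp PortNumber is now $after."

# Remaining steps the KB article and the thread call out.
Write-Host "Restart Terminal Services (or reboot) so the listener moves,"
Write-Host "update the router/firewall forwarding rule to $after, and connect"
Write-Host "with: mstsc /v:servername:$after"
```

Changing the port only reduces how visible the listener is; it is not an authentication control, so pair it with the gateway, VPN or multi-factor options suggested elsewhere in the thread.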
chipsnetworkAuthor Commented:
Thanks. I'm familiar with that tactic, but unfortunately I couldn't use port 22 since I already have an SFTP server listening there. I could choose some other port rather than 3389.
0
gurutcCommented:
You sure can.  The more random the better!

- gurutc
0
SteveCommented:
RDP doesn't make the kind of checks you are asking for, so there is no way to achieve this by design.

Workarounds are your only option, but there aren't many that would do what you want.

Amending the port used is definitely more practical than trying to limit access to the FQDN only. Pick a random port above 10000 and you'll be looking pretty good.
0
gurutcCommented:
Points?  hmm.
0
chipsnetworkAuthor Commented:
It was an accidental click from my phone, not sure how to undo it. Sorry.
0
chipsnetworkAuthor Commented:
Do you know how? I would gladly correct it.
0
gurutcCommented:
It's cool.  Just wondered.

Is it working for you?

- gurutc
0
chipsnetworkAuthor Commented:
Yes. I did implement your suggestion. It will at least make the server not as blatantly visible. Thanks.
0