?
Solved

Terminal Server Security

Posted on 2015-01-29
10
Medium Priority
?
103 Views
Last Modified: 2015-03-05
Hey guys,

We have a bunch of terminal servers behind our gateway. Now, we have users from random places who connect.

How can i secure it against threats/hacks sinces it kind of "open"
0
Comment
Question by:Cobra25
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 59

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 40578885
There is really nothing unique to TS. Any service on the internet (exchange servers, sharepoint extranet servers, etch) are "kind of open." So the same basic principles apply to all:

1) Complex passwords.
2) change passwords. Often.
3) Have windows lock accounts after a few incorrect attempts.
4) Monitor access. Block IPs that don't need it (are you really expecting someone to remote in from Russia? No? Block all Russian owned IP blocks!)
5) Employ IDS/IPS. At the very least you'll get notified of repeated failed logins (IDS) or you can have automatic blocks go up on repeated attempts (IPS.)
6) Consider MFA. It is relatively inexpensive now and easy to deploy.
7) PATCH!!!

Nothing groundbreaking in these suggestions, but you'd be surprised how many attacks they prevent. The highly publicized Sony attack? A weak password!
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40578946
You can also look at blocking access to the Terminal Server from the Internet altogether and force external users to connect via VPN first before they can log into the TS.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40578952
Cliff what's MFA ?
0
ATEN's HDBaseT Presentation at InfoComm 2017

Hear ATEN Product Manager YT Liang review HDBaseT technology, highlighting ATEN’s latest solutions as they relate to real-world applications during her presentation at the HDBaseT booth at InfoComm 2017.

 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40578965
Multi-factor Authentication. Things like smartcards, PIN FOBs, Fingerprint scanners. All fall under the MFA umbrella. For the SMB, SMS or smartphone apps are my current recommended options. Inexpensive and easy.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40578966
Cliff, any cost effective options?
0
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 40579001
PhoneFactor - Per user       $1.40 per month (unlimited authentications) or Per authentication       $1.40 per 10 authentications
, Google Authenticator
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40609387
Which is the easiest to setup and sync with AD?
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40609392
Azure MFA or Azure AD premium are very easy to set up and directory syncing is a key component of Azure AD.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40609395
Do i have to an Azure cloud server?
0
 
LVL 59

Expert Comment

by:Cliff Galiher
ID: 40609402
No. You have to have an Azure account, but Azure has many services, not just virtual machines. Azure AD and MFA are their own products and don't require any VMs.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question