Solved

Terminal Server Security

Posted on 2015-01-29
10
84 Views
Last Modified: 2015-03-05
Hey guys,

We have a bunch of terminal servers behind our gateway. Now, we have users from random places who connect.

How can i secure it against threats/hacks sinces it kind of "open"
0
Comment
Question by:Cobra25
10 Comments
 
LVL 57

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40578885
There is really nothing unique to TS. Any service on the internet (exchange servers, sharepoint extranet servers, etch) are "kind of open." So the same basic principles apply to all:

1) Complex passwords.
2) change passwords. Often.
3) Have windows lock accounts after a few incorrect attempts.
4) Monitor access. Block IPs that don't need it (are you really expecting someone to remote in from Russia? No? Block all Russian owned IP blocks!)
5) Employ IDS/IPS. At the very least you'll get notified of repeated failed logins (IDS) or you can have automatic blocks go up on repeated attempts (IPS.)
6) Consider MFA. It is relatively inexpensive now and easy to deploy.
7) PATCH!!!

Nothing groundbreaking in these suggestions, but you'd be surprised how many attacks they prevent. The highly publicized Sony attack? A weak password!
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40578946
You can also look at blocking access to the Terminal Server from the Internet altogether and force external users to connect via VPN first before they can log into the TS.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40578952
Cliff what's MFA ?
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40578965
Multi-factor Authentication. Things like smartcards, PIN FOBs, Fingerprint scanners. All fall under the MFA umbrella. For the SMB, SMS or smartphone apps are my current recommended options. Inexpensive and easy.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40578966
Cliff, any cost effective options?
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 40579001
PhoneFactor - Per user       $1.40 per month (unlimited authentications) or Per authentication       $1.40 per 10 authentications
, Google Authenticator
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40609387
Which is the easiest to setup and sync with AD?
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40609392
Azure MFA or Azure AD premium are very easy to set up and directory syncing is a key component of Azure AD.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40609395
Do i have to an Azure cloud server?
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 40609402
No. You have to have an Azure account, but Azure has many services, not just virtual machines. Azure AD and MFA are their own products and don't require any VMs.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question