Solved

Terminal Server Security

Posted on 2015-01-29
10
82 Views
Last Modified: 2015-03-05
Hey guys,

We have a bunch of terminal servers behind our gateway. Now, we have users from random places who connect.

How can i secure it against threats/hacks sinces it kind of "open"
0
Comment
Question by:Cobra25
10 Comments
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40578885
There is really nothing unique to TS. Any service on the internet (exchange servers, sharepoint extranet servers, etch) are "kind of open." So the same basic principles apply to all:

1) Complex passwords.
2) change passwords. Often.
3) Have windows lock accounts after a few incorrect attempts.
4) Monitor access. Block IPs that don't need it (are you really expecting someone to remote in from Russia? No? Block all Russian owned IP blocks!)
5) Employ IDS/IPS. At the very least you'll get notified of repeated failed logins (IDS) or you can have automatic blocks go up on repeated attempts (IPS.)
6) Consider MFA. It is relatively inexpensive now and easy to deploy.
7) PATCH!!!

Nothing groundbreaking in these suggestions, but you'd be surprised how many attacks they prevent. The highly publicized Sony attack? A weak password!
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40578946
You can also look at blocking access to the Terminal Server from the Internet altogether and force external users to connect via VPN first before they can log into the TS.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40578952
Cliff what's MFA ?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40578965
Multi-factor Authentication. Things like smartcards, PIN FOBs, Fingerprint scanners. All fall under the MFA umbrella. For the SMB, SMS or smartphone apps are my current recommended options. Inexpensive and easy.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40578966
Cliff, any cost effective options?
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 79

Expert Comment

by:David Johnson, CD, MVP
ID: 40579001
PhoneFactor - Per user       $1.40 per month (unlimited authentications) or Per authentication       $1.40 per 10 authentications
, Google Authenticator
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40609387
Which is the easiest to setup and sync with AD?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40609392
Azure MFA or Azure AD premium are very easy to set up and directory syncing is a key component of Azure AD.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40609395
Do i have to an Azure cloud server?
0
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40609402
No. You have to have an Azure account, but Azure has many services, not just virtual machines. Azure AD and MFA are their own products and don't require any VMs.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now