Solved

Terminal Server Security

Posted on 2015-01-29
10
90 Views
Last Modified: 2015-03-05
Hey guys,

We have a bunch of terminal servers behind our gateway. Now, we have users from random places who connect.

How can i secure it against threats/hacks sinces it kind of "open"
0
Comment
Question by:Cobra25
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40578885
There is really nothing unique to TS. Any service on the internet (exchange servers, sharepoint extranet servers, etch) are "kind of open." So the same basic principles apply to all:

1) Complex passwords.
2) change passwords. Often.
3) Have windows lock accounts after a few incorrect attempts.
4) Monitor access. Block IPs that don't need it (are you really expecting someone to remote in from Russia? No? Block all Russian owned IP blocks!)
5) Employ IDS/IPS. At the very least you'll get notified of repeated failed logins (IDS) or you can have automatic blocks go up on repeated attempts (IPS.)
6) Consider MFA. It is relatively inexpensive now and easy to deploy.
7) PATCH!!!

Nothing groundbreaking in these suggestions, but you'd be surprised how many attacks they prevent. The highly publicized Sony attack? A weak password!
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40578946
You can also look at blocking access to the Terminal Server from the Internet altogether and force external users to connect via VPN first before they can log into the TS.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40578952
Cliff what's MFA ?
0
Office 365 Training for Admins

Learn how to provision tenants, synchronize on-premise Active Directory, and implement Single Sign-On with these master level course.  Only from Platform Scholar

 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40578965
Multi-factor Authentication. Things like smartcards, PIN FOBs, Fingerprint scanners. All fall under the MFA umbrella. For the SMB, SMS or smartphone apps are my current recommended options. Inexpensive and easy.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40578966
Cliff, any cost effective options?
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 40579001
PhoneFactor - Per user       $1.40 per month (unlimited authentications) or Per authentication       $1.40 per 10 authentications
, Google Authenticator
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40609387
Which is the easiest to setup and sync with AD?
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40609392
Azure MFA or Azure AD premium are very easy to set up and directory syncing is a key component of Azure AD.
0
 
LVL 4

Author Comment

by:Cobra25
ID: 40609395
Do i have to an Azure cloud server?
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40609402
No. You have to have an Azure account, but Azure has many services, not just virtual machines. Azure AD and MFA are their own products and don't require any VMs.
0

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question