Hello Chris,
If I can chime in here, you're asking for not that unusual
a solution, and partly because it is recognized that
Username/password security by itself has limited efficacy
and the way hacking technology is going, already at this
time it takes a very short period of time to crack typical
passwords, even "strong" passwords with freeware
sophisticated crackers.
So, the key to your situation is usually "security in
depth." Better security requires not only a "thing you
know" (password) but also a "thing you have" which can be
a number of different things... but Microsoft is promoting
certificate technology in general and smartcards in
particular. There are many alternatives to using a
smartcard (carried on the person like a credit card)...
you can also use USB tokens, embed certificates in
workstations, applications, etc.
The process would be that logging on to the network would
require the User (administrator) to logon with both a
username/password <and> submit her personal token, whether
it's stored on her machine, plugged into a USB port or
scanned through a reader.
Speaking of scanners... Biometrics avoids the use of
password issues altogether and is becoming very cheap. You
can now purchase fingerprint scanners for less than $100
and you can require a fingerprint instead to logon to your
most critical machines. The smartcard scanner would cost
about the same, cards will cost from pennies to under a
dollar depending on quantity. USB tokens will usually cost
less than $5 each.
Good luck on your solution!
Tony Su
Su Network Consulting
-----Original Message-----
Thank you very much Jeff, for taking the time to structure a very well
thoughtout answer. You have given me a few ideas if you don't mind
indulging.
The idea of locking the ports on the workstation is an excellent idea. Can
this be done in group policy?
Thanks again
Chris
You are correct that you could use a firewall to prevent certain computers
from reaching a specific port on a particular computer
or subnet or group
of
computers based upon other characteristics. The assumption I have is that
you are trying to allow users to have access to these
servers for their
apps
server purposes, but prevent them from taking
administrative control via
TS
access.
As Vera suggested, you are giving away a lot of ground
by assuming that
the
password of the Admin group has been lost, basically
because you are
asking
"if I assume that users in the network have already gained full
administrative rights to a computer, is there a way I can block one port
from access?" That's not a very deep thought. You are now discounting all
of the workarounds available to the user with administrative rights to
defeat whatever security you now have introduced specific to the TS logon,
but not specific to the one port! With Admin rights, a
connection via
WMI,
the user potentially can make hash of any plan you have
to keep them out
of
that machine, including resetting the TS port. It depends upon the
determination that user has.
If you were to put a firewall on the TS or in front of it, port filtering
would work to do what you want, provided that the
firewall properly takes
an
authentication that you can verify in order to open/close that port. You
might have more luck by locking down the outbound ports
at the local
station
that connect to TS rather than blocking the TS servers
themselves because
if
the assumption is that "no one on this subnet should have TS control
access", you could firewall out the TS control from the location that is
unilaterally not to use TS sessions, rather than firewalling a conditional
basis at the TS. You might even be able to use the TCP/IP port filters
native to the OS to do this at each workstation, assuming that you have
blocked the user from having access to the Administrator control at their
workstation.
I think the question you ask is a fair question, it's a
reasonable idea,
but
it's not operating at a level with which a generic answer is easily
provided. By that I mean, if you have an office with 1 or 2 servers, and
that's where this question is coming, you will have a different scale of
answer than if you have 20-30 servers to protect. If
you have VLAN
switches,
multiple sites, routed subnets and multilevel browsing and security zones,
this means a completely different level of attack required as well as a
level of defense.
network manager
would
like this type of security in place (just in case -
if you like!). Any
ideas
