Security and Terminal Services


Joe Haas

The application server is up.

TS is working, but I keep getting attacked by a hacker.
I've changed all the passwords to Strong Security.

If I enable RRAS to be a VPN server, it blocks Terminal Services clients.
I'm not sure how to open up port 3389.

Maybe I should change TS default port as well.

How do I secure this Application server?

Joe
 
Do you have a firewall between the TS and the public Internet? If not, your chances of locking down the machine sufficiently so it won't be hacked and is still usable are slim.

Set up a firewall between the TS and the Internet -> Allow only outbound traffic on the ports you "need", i.e. 80, 443, 25, 53 and 3389 (if you need to make outbound RDP connections). -> Allow only inbound traffic on port 3389, and to other services you need to expose to the public Internet, i.e. 25 (SMTP), 80 or 443 (HTTP(S)).

In my opinion changing the port Terminal Services listens on is not very effective, as the service is still listening. Any decent scanner will still detect that the terminal server service is running. This is not securing, but rather obscuring.

If you want to be really anal about security you could set up an L2TP/IPSec VPN connection, and control access via computer certificates, but this is a lot of work.

Please post back or contact me via my website if you need more help.

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com
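
Patrick's point about changing the listening port can be demonstrated. An added example, not code from the thread: a scanner does not need port 3389 to recognise Terminal Services, because every RDP client opens with the same X.224 Connection Request (MS-RDPBCGR) and the server's Connection Confirm gives the service away on whatever port it sits. The host and port taken from the command line are assumptions; the reply bytes at the bottom are constructed to exercise the parser offline, not captures from a real server.

```python
"""
Added example, not code from the thread: why moving Terminal Services off
TCP 3389 only obscures it. Every RDP client opens with the same X.224
Connection Request, so a scanner sends that probe to any port and identifies
RDP from the Connection Confirm that comes back. parse_connection_confirm()
works offline on constructed replies; probe() does the same over a socket.
"""
import socket
import struct

TPKT_VERSION = 0x03
X224_CR = 0xE0            # X.224 Connection Request code
X224_CC = 0xD0            # X.224 Connection Confirm code (low nibble is a credit field)
RDP_NEG_REQ, RDP_NEG_RSP, RDP_NEG_FAILURE = 0x01, 0x02, 0x03

SELECTED_PROTOCOL = {
    0x00: "standard RDP security",
    0x01: "TLS",
    0x02: "CredSSP (NLA)",
    0x08: "CredSSP with early user authorization",
}
NEG_FAILURE = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=0x0B):
    """TPKT + X.224 CR + RDP_NEG_REQ, as mstsc and nmap send it (0x0B = TLS|NLA|NLA-EX)."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR header: length indicator, code, dst-ref, src-ref, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), X224_CR, 0, 0, 0) + neg_req
    # TPKT header: version, reserved, total length (big-endian)
    return struct.pack(">BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Return what the reply says about the listener, or None if it is not RDP."""
    if len(data) < 11 or data[0] != TPKT_VERSION:
        return None
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len < 11 or len(data) < tpkt_len:
        return None
    data = data[:tpkt_len]
    if (data[5] & 0xF0) != X224_CC:
        return None
    result = {"rdp": True, "selected_protocol": None, "failure": None}
    body = data[11:]                       # bytes after the 7-byte X.224 header
    if len(body) >= 8:
        kind, _flags, _length, value = struct.unpack("<BBHI", body[:8])
        if kind == RDP_NEG_RSP:
            result["selected_protocol"] = SELECTED_PROTOCOL.get(value, hex(value))
        elif kind == RDP_NEG_FAILURE:
            result["failure"] = NEG_FAILURE.get(value, hex(value))
    else:
        # Legacy servers (Windows 2000/2003 without TLS) answer with a bare
        # X.224 CC and no negotiation response: standard RDP security only.
        result["selected_protocol"] = SELECTED_PROTOCOL[0x00]
    return result


def probe(host, port, timeout=3.0):
    """Send the request to host:port and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request())
        return parse_connection_confirm(sock.recv(1024))


# Constructed replies for offline use, not captures from a real server:
LEGACY_REPLY = bytes.fromhex("0300000b06d00000123400")
NLA_REPLY = bytes.fromhex("030000130ed000001234000200080002000000")
FAILURE_REPLY = bytes.fromhex("030000130ed000001234000300080005000000")
NOT_RDP_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

if __name__ == "__main__":
    import sys
    # Assumed: a host and port you are permitted to scan, e.g. the TS on its "hidden" port.
    host, port = sys.argv[1], int(sys.argv[2])
    print(port, probe(host, port))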

 
OK, I can set up the router.
However, I was wondering... (and maybe I should post in the RRAS area)

Can't this be done in RRAS?
If I set up RRAS as a VPN Server... It blocks everything but VPN.
I can't even ping the server. No Terminal Services. No Nothing.

If I undo RRAS and then set it up again as the default custom... everything passes.
ping works, TS works etc.

How do I gain access to the list of ports that I specifically allow and deny in RRAS?
What does setting up as a VPN server do that disables everything?

Joe

 
DO YOU HAVE A FIREWALL?

If you have a firewall, you use its rules to determine which services to allow Internet computers to use. If you use RRAS to set up a VPN server, then you'd need to connect to the server with a VPN client and open ports in your firewall to allow VPN traffic through.

You can securely connect to a Terminal Server without a VPN by opening only port 3389 on your firewall, as the RDP protocol that Terminal Services uses is encrypted.

Here's a picture of how to open port 3389 on a Linksys router (the most popular SOHO broadband router):
http://www.workthin.com/images/LinksysPortForwarding.JPG

If your server is directly connected to the Internet via DSL or cable modem without a firewall, you will get hacked. The home page of my website has a decent (IMHO) description of the differences between VPN and Terminal Services.

Patrick Rouse
Microsoft MVP - Terminal Server
http://www.workthin.com

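Patrick's reply above opens only port 3389 and relies on RDP's session encryption. Encryption protects the session contents in transit, but the listener still accepts logon attempts from the whole Internet, so password guessing against the exposed Terminal Server is what "I keep getting attacked" usually turns out to be in the Security log. An added example, not code from the thread: failed Terminal Services logons grouped by source address, using event IDs 529 (NT/2000/2003) and 4625 (2008 and later) with logon type 10 (RemoteInteractive). The event records are constructed, not real log data, and their field names are an assumed simplification of an exported log.

```python
"""
Added example, not code from the thread: find password guessing against an
exposed Terminal Server in the Security log. Input is a constructed,
simplified export (one dict per event); a real one comes from Event Viewer
or dumpel on 2003, or Get-WinEvent on newer servers.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 4625}   # 529: NT4/2000/2003 bad user name or password; 4625: 2008 and later
RDP_LOGON_TYPES = {10}           # 10 = RemoteInteractive (Terminal Services / RDP)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Sources with >= threshold failed RDP logons inside any `window`, and the names they tried."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] in FAILED_LOGON_IDS and ev["logon_type"] in RDP_LOGON_TYPES:
            failures[ev["source_ip"]].append((_ts(ev["time"]), ev["user"]))

    hits = {}
    for src, attempts in failures.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        peak, start = 0, 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = {
                "failures": len(attempts),
                "peak_in_window": peak,
                "users": sorted({u for _, u in attempts}),
            }
    return hits


def block_list(hits):
    """Source addresses to deny at the firewall."""
    return sorted(hits)


# Constructed sample events, not real log data (field names are an assumed simplification):
SAMPLE_EVENTS = [
    # legitimate user mistypes once, then logs on (528 = successful logon on 2003)
    {"time": "2004-03-01 08:00:00", "event_id": 529, "logon_type": 10, "user": "joe", "source_ip": "10.0.0.5"},
    {"time": "2004-03-01 08:00:20", "event_id": 528, "logon_type": 10, "user": "joe", "source_ip": "10.0.0.5"},
    # two failures hours apart: below any sensible threshold
    {"time": "2004-03-01 02:10:00", "event_id": 529, "logon_type": 10, "user": "rgr", "source_ip": "198.51.100.3"},
    {"time": "2004-03-01 06:45:00", "event_id": 529, "logon_type": 10, "user": "rgr", "source_ip": "198.51.100.3"},
] + [
    # eight guesses in forty seconds against common account names
    {"time": f"2004-03-01 03:15:{i * 5:02d}", "event_id": 529, "logon_type": 10, "user": u, "source_ip": "203.0.113.7"}
    for i, u in enumerate(["administrator", "admin", "guest", "root", "test", "administrator", "sa", "backup"])
]

if __name__ == "__main__":
    found = detect_rdp_guessing(SAMPLE_EVENTS)
    for ip, info in found.items():
        print(f"{ip}: {info['failures']} failed RDP logons, {info['peak_in_window']} in one window, tried {info['users']}")
    print("block:", block_list(found))
```

On servers with Network Level Authentication enabled, failed RDP attempts are recorded as event 4625 with logon type 3 rather than 10, so add 3 to RDP_LOGON_TYPES there. Detection complements, and does not replace, an account lockout policy and the firewall rules discussed above.
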
 
I have a similar problem.
I have an isolated test network set up with VPN access, but once RRAS is up and running on the machine, TS stops working.
There is NO firewall.

Thanks
R Giskard Reventlov
 