Security using terminal services

Thread starter: Rich

Rich

Hello,

In my environment, all Win2K servers have terminal services running to allow
for remote administration. In this situation, we have several application
servers which require enhanced security. We don't want anyone to be able to
reach these servers using terminal services unless the terminal services
session is initiated from specified servers. I know that you can specify
specific ports when initiating the terminal services session. Can anyone
help me to understand this a little further and better understand how to
configure this?

TIA,
Rich
 
Rich said:
Hello,

In my environment, all Win2K servers have terminal services running to allow
for remote administration. In this situation, we have several application
servers which require enhanced security. We don't want anyone to be able to
reach these servers using terminal services unless the terminal services
session is initiated from specified servers. I know that you can specify
specific ports when initiating the terminal services session. Can anyone
help me to understand this a little further and better understand how to
configure this?

TIA,
Rich

Changing the port number does not prevent anyone from starting
a TS while on the wrong machine. It only makes it a little harder,
because he has to know the port number.

To change the port number on TS host, modify this registry value,
then reboot the TS host:
HKLM\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

To start a Remote Desktop session, type this command on
the RDP client:

mstsc /v:ServerName:xxxxx

where xxxxx is the decimal port number you set on the server.
Its default is 3389.

You could also use an RDP profile file that contains all the
relevant connection details. See here for further info:
http://dev.remotenetworktechnology.com/ts/rdpfile.htm
 
Rich said:
Hello,

In my environment, all Win2K servers have terminal services running to allow
for remote administration. In this situation, we have several application
servers which require enhanced security. We don't want anyone to be able to
reach these servers using terminal services unless the terminal services
session is initiated from specified servers. I know that you can specify
specific ports when initiating the terminal services session. Can anyone
help me to understand this a little further and better understand how to
configure this?

Changing the port number is NOT security -- except in
the sense that it is obscurity.

What you need is a filter list.

Simplest to do on a stock Windows server is set up
an IPSec filter list to block 3389 (the default RDP
port) for all but the approved list of TS clients IP
addresses.

And this avoids having to teach everyone else which
port to use -- or finding out that once this port is known
(or any hacker can easily determine it) that everyone is
able to use ANY machine to connect.

BTW:
IPSec filters/policies are NOT just for doing IPSec.

These filters have three basic actions:

1) Block
2) Pass
3) Negotiate IPSec

What you want to do is use just #1 and #2 to pass only
the machines you wish to allow access to Terminal
Services.
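A concrete build of the Pass/Block filter-list approach described in this reply, added here as an example and not taken from the thread. It uses the netsh ipsec static commands (Windows XP/Server 2003 and later; on Win2K the same filter lists, actions and rules are created in the IP Security Policies MMC snap-in), and the policy name, list names and approved addresses are constructed placeholders.

```powershell
# Added example: restrict inbound Terminal Services (TCP 3389) to an approved
# set of source hosts with an IPsec filter list using only Permit and Block
# actions (no Negotiate). All names and addresses are constructed placeholders.
# Run this on the TS host in an elevated prompt. Make sure the machine you are
# administering from is in $Approved, or you will lock yourself out of RDP.
$Policy   = "RDP-Restrict"
$Approved = @("10.0.0.5", "10.0.0.6")   # admin/jump servers allowed to open TS sessions

# Filter list 1: RDP from each approved client to this host (dstaddr=me).
netsh ipsec static add filterlist name="RDP-Approved-Sources"
foreach ($ip in $Approved) {
    netsh ipsec static add filter filterlist="RDP-Approved-Sources" `
        srcaddr=$ip dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
}

# Filter list 2: RDP from any source to this host.
netsh ipsec static add filterlist name="RDP-Any-Source"
netsh ipsec static add filter filterlist="RDP-Any-Source" `
    srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

# Filter actions: the two basic actions the reply refers to, Pass and Block.
netsh ipsec static add filteraction name="Permit-RDP" action=permit
netsh ipsec static add filteraction name="Block-RDP"  action=block

# Policy with two rules. The IPsec driver applies the most specific matching
# filter, so the per-address permit takes precedence over the any-source block.
netsh ipsec static add policy name=$Policy assign=no
netsh ipsec static add rule name="Allow approved TS clients" policy=$Policy `
    filterlist="RDP-Approved-Sources" filteraction="Permit-RDP"
netsh ipsec static add rule name="Block all other TS clients" policy=$Policy `
    filterlist="RDP-Any-Source" filteraction="Block-RDP"

# Assign (activate) the policy and review what was built.
netsh ipsec static set policy name=$Policy assign=y
netsh ipsec static show policy name=$Policy

# Verification from the client side: an approved host should reach port 3389,
# any other host should time out. Test-NetConnection needs PowerShell 4 or later.
# Test-NetConnection -ComputerName appserver01 -Port 3389
```

Unassign with `netsh ipsec static set policy name=RDP-Restrict assign=n` if a change has to be backed out; the policy is stored locally, so a domain GPO-assigned IPsec policy would override it.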
 