We want to really secure terminal services access

adeveloper

Hi,

We have an application which is going to be installed on a client's Windows
2000 Server and the interface to the app is accessed from a web site on that
server (ASP + SQL Server). The server lives in a DMZ in the client network.

We need remote access to the server to administer the product but we have
run into problems with the client who do not want to grant us remote access
to the server because of security concerns. The client's policy is to not
provide remote access to any of their servers to anyone outside the
organisation - which of course we can understand but doesn't work for us for
this application because we will need to access the server heavily during
the initial period after it is installed. We only need access to the server
from our own PCs/networks so it only needs to be opened to our ranges of
IPs.

So we want to know what the most secure configuration is with which we could
access the client server using terminal services?
What about VPN? I have heard you can use certifications with VPN - could we
set up a VPN connection on the server that only accepted connections from a
set of IPs and required a certificate on those PCs to be present in addition
to a password?
What I am thinking is that to prevent IP Spoofing that we need to do
something more than just allowing access to a fixed set of IPs in the
firewall.
It seems if we can encrypt the connection, require a certificate and only
allow access from a fixed set of IPs then we would have quite a secure set up
for remote access - what do you think?

We could consider using other remote access clients - but would prefer to
stick with terminal services if it is possible to set up really secure
access with it.

Most grateful for any info
Peter Jansen
 
Karl Levinson [x y] mvp

Your plan sounds good to me [as long as you also read up about what else you
might need to do to terminal services to secure it]. IPSec and/or a
pre-installed certificate for the client as well as the server can help
detect man in the middle session hijacking.
 
Admiter

We need remote access to the server to administer the product but we have
run into problems with the client who do not want to grant us remote access
to the server because of security concerns.

Try "Anyplace Control" remote controlling tool:
http://www.anyplace-control.com

Description from this site:

"Anyplace Control is a remote control program that can display a screen of
another computer (via internet or network) on your screen.

The program allows you to use your mouse and keyboard to control the other
PC remotely. It means that you can work on a remote computer, as if you were
sitting in front of it, right from your current location. The program allows
you to work with different remote computers simultaneously, from anywhere in
the world.

The program is so fast and comfortable that you can even forget that you are
working on a remote PC!"
 
martin

adeveloper said:
Hi,

We have an application which is going to be installed on a client's Windows
2000 Server and the interface to the app is accessed from a web site on that
server (ASP + SQL Server). The server lives in a DMZ in the client network.

We need remote access to the server to administer the product but we have
run into problems with the client who do not want to grant us remote access
to the server because of security concerns. The client's policy is to not
provide remote access to any of their servers to anyone outside the
organisation - which of course we can understand but doesn't work for us for
this application because we will need to access the server heavily during
the initial period after it is installed. We only need access to the server
from our own PCs/networks so it only needs to be opened to our ranges of
IPs.

charge the ****ers!

That usually solves all problems. If you have to be on site, then charge
travelling time. That will sort 'em out. Either you are worth a hole in
their firewall, or you are not. If not charge the buggers travelling time at
full rates
 
