Terminal Server on Internet

Discussion in 'Server Security' started by Willk, Oct 2, 2004.

  1. Willk (Guest)

    I would like to know what the general consensus is on running terminal
    server on the internet, i.e. anyone can log onto the terminal server by
    typing in its public IP.

    Currently, I run the terminal server so remote users can access the network
    from home. The network has not been compromised (yet) but as our company
    grows, the need for tightened security is increasing.

    I would be interested to know your views on this or any other best practices
    to be considered in this case. Should we be limiting remote access to
    VPN/dialup only?
     
    Willk, Oct 2, 2004
    #1

  2. The usual rules apply as far as using a firewall to protect access to all
    ports other than 3389 and, if possible, restrict the source access to just
    authorized IP addresses. Enforce complex passwords and an account lockout
    policy for your network. The account lockout policy does not need to be
    drastic. Something like 10 bad attempts with a ten minute lockout period
    could protect from brute force password attacks while still giving users
    availability without a lot of administrator intervention for locked out
    accounts. If you find hackers targeting your server, you can add their IP
    addresses to a block all rule for your firewall. I would also suggest that
    you disable the built in administrator account in its account properties
    from being able to log on through TS, as it will be the top target of hack
    attempts and it is not subject to account lockout. Be sure your TS server is
    configured to use high encryption in the RDP properties. By default W2K/XP
    Pro clients will use high encryption but it is a good idea to enforce it.

    If possible, try to enable L2TP for your VPN, which requires server and
    computer certificates to gain access to the VPN server for computer as well
    as user authentication. L2TP does not work over NAT devices without the
    NAT-T client upgrade, and the VPN server would then need to be Windows 2003.
    If you can enable L2TP, then users can first connect via VPN and then use
    the VPN tunnel to remote into the TS. --- Steve
     
    Steven L Umbach, Oct 3, 2004
    #2
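The lockout policy Steve describes ("10 bad attempts with a ten minute lockout period"), the reason the built-in Administrator account is a favourite target (it is not subject to lockout), and the idea of collecting attacking source IPs for a firewall block rule can all be seen in a small simulation. The script below is an added example and is not code from the original thread; the attempt records, account names and IP addresses in it are constructed for illustration, and the `LockoutPolicy` / `LockoutSimulator` names are this example's own, not a Windows API.

```python
"""Simulate a Windows-style account lockout policy over constructed RDP logon
attempts, and collect source IPs that have failed often enough to block.
Added example for the thread above; not part of the original post."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutPolicy:
    """Mirrors the three Windows account-lockout settings."""
    threshold: int = 10                              # bad attempts before lockout
    duration: timedelta = timedelta(minutes=10)      # how long the account stays locked
    reset_after: timedelta = timedelta(minutes=10)   # bad-attempt counter reset window


class LockoutSimulator:
    def __init__(self, policy, exempt=("Administrator",)):
        self.policy = policy
        self.exempt = set(exempt)                    # built-in Administrator never locks out
        self._failures = defaultdict(deque)          # account -> timestamps of recent failures
        self._locked_until = {}                      # account -> time the lockout expires
        self._ip_failures = defaultdict(int)         # source IP -> total failed attempts

    def attempt(self, account, source_ip, when, password_ok):
        """Return 'ok', 'failed', 'failed+locked' or 'locked' for one logon attempt."""
        until = self._locked_until.get(account)
        if until is not None and when < until:
            # Locked accounts are refused even with the right password.
            self._ip_failures[source_ip] += 1
            return "locked"
        if until is not None:                        # lockout has expired
            del self._locked_until[account]
            self._failures[account].clear()
        if password_ok:
            self._failures[account].clear()          # a good logon resets the counter
            return "ok"
        self._ip_failures[source_ip] += 1
        recent = self._failures[account]
        while recent and when - recent[0] > self.policy.reset_after:
            recent.popleft()                         # drop failures outside the reset window
        recent.append(when)
        if account not in self.exempt and len(recent) >= self.policy.threshold:
            self._locked_until[account] = when + self.policy.duration
            recent.clear()
            return "failed+locked"
        return "failed"

    def block_candidates(self, min_failures):
        """Source IPs with at least min_failures failed attempts: input for a firewall block rule."""
        return sorted(ip for ip, n in self._ip_failures.items() if n >= min_failures)


def run_sample():
    """Replay a constructed attack against the default 10-attempt / 10-minute policy."""
    t0 = datetime(2004, 10, 3, 9, 0, 0)              # constructed timestamp
    sim = LockoutSimulator(LockoutPolicy())
    # Constructed attacker (203.0.113.7) guesses jsmith's password 12 times, once a second.
    jsmith = [sim.attempt("jsmith", "203.0.113.7", t0 + timedelta(seconds=i), False)
              for i in range(12)]
    # Same attacker then hits the built-in Administrator account 12 times.
    admin = [sim.attempt("Administrator", "203.0.113.7", t0 + timedelta(seconds=20 + i), False)
             for i in range(12)]
    # Legitimate jsmith (198.51.100.20) with the correct password, during and after the lockout.
    during = sim.attempt("jsmith", "198.51.100.20", t0 + timedelta(minutes=5), True)
    after = sim.attempt("jsmith", "198.51.100.20", t0 + timedelta(minutes=11), True)
    return {
        "jsmith": jsmith,
        "Administrator": admin,
        "legit_during_lockout": during,
        "legit_after_lockout": after,
        "block_list": sim.block_candidates(min_failures=20),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Running it shows the trade-off in the post: jsmith locks on the tenth failure and is unavailable to the real user for ten minutes, then logs in normally once the period expires, while the Administrator account absorbs all twelve failures without ever locking, which is exactly why it should be barred from TS logon. The block list is the attacker's address only; the legitimate user's single refused attempt during the lockout does not reach the threshold.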

  3. Willk (Guest)

    Thanks Steve,

    I guess this is not so much of a security risk, but then how many large
    enterprises would own up to running TS on a public IP?
     
    Willk, Oct 5, 2004
    #3
  4. Steven L Umbach, Oct 6, 2004
    #4
  5. The "access through IIS" is for the list of terminal servers only. The
    actual communication is still RDP on the wire.

    Generally we recommend using VPN and then running TS inside the VPN session.

    Steve Riley
     
    Steve Riley [MSFT], Oct 16, 2004
    #5
