Security using terminal services


Rich

Hello,

In my environment, all Win2K servers have terminal services running to allow
for remote administration. In this situation, we have several application
servers which require enhanced security. We don't want anyone to be able to
reach these servers using terminal services unless the terminal services
session is initiated from specified servers. I know that you can specify
specific ports when initiating the terminal services session. Can anyone
help me to understand this a little further and better understand how to
configure this?

TIA,
Rich
 

Pegasus (MVP)

Rich said:
Hello,

In my environment, all Win2K servers have terminal services running to allow
for remote administration. In this situation, we have several application
servers which require enhanced security. We don't want anyone to be able to
reach these servers using terminal services unless the terminal services
session is initiated from specified servers. I know that you can specify
specific ports when initiating the terminal services session. Can anyone
help me to understand this a little further and better understand how to
configure this?

TIA,
Rich

Changing the port number does not prevent anyone from starting
a TS while on the wrong machine. It only makes it a little harder,
because he has to know the port number.

To change the port number on the TS host, modify this registry value,
then reboot the TS host:
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

To start a Remote Desktop session, type this command on
the RDP client:

mstsc /v:ServerName:xxxxx

where xxxxx is the decimal port number you set on the server.
Its default is 3389.

You could also use an RDP profile file that contains all the
relevant connection details. See here for further info:
http://dev.remotenetworktechnology.com/ts/rdpfile.htm
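The port change described in this reply, as an added batch example that is not part of the thread: it reads the current value, writes the new one and leaves a reminder of the client command. The port 3390 is a constructed value; the value is a REG_DWORD, so it is passed in decimal, which matters because regedit displays it in hex by default (0xd3d is 3389).

```batch
@echo off
rem Added example (not from the thread): change the RDP listener port the way
rem the reply above describes, then verify it. 3390 is a constructed value.
rem PortNumber is a DWORD; "reg add" takes it in decimal, while regedit shows
rem the stored value in hex by default (0xd3d = 3389).

set "RDP_KEY=HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
set "NEW_PORT=3390"

rem Show the value before the change so the rollback value is on record.
reg query "%RDP_KEY%" /v PortNumber

rem Write the new decimal port. /f overwrites without prompting.
reg add "%RDP_KEY%" /v PortNumber /t REG_DWORD /d %NEW_PORT% /f

rem Read it back to confirm the write landed where expected.
reg query "%RDP_KEY%" /v PortNumber

rem The listener only picks the value up after a reboot. After the reboot,
rem confirm that the new port is in LISTENING state and the old one is not:
rem   netstat -an -p tcp
rem Client side, on the admin workstation, as in the reply above:
rem   mstsc /v:ServerName:%NEW_PORT%
echo RDP PortNumber set to %NEW_PORT%. Reboot the host for it to take effect.
```

Run it from an elevated command prompt on the TS host. Any firewall between the admin workstation and the host has to allow the new port as well, otherwise the reboot silently locks out remote administration.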
 

Herb Martin

Rich said:
Hello,

In my environment, all Win2K servers have terminal services running to allow
for remote administration. In this situation, we have several application
servers which require enhanced security. We don't want anyone to be able to
reach these servers using terminal services unless the terminal services
session is initiated from specified servers. I know that you can specify
specific ports when initiating the terminal services session. Can anyone
help me to understand this a little further and better understand how to
configure this?

Changing the port number is NOT security -- except in
the sense that it is obscurity.

What you need is a filter list.

The simplest thing to do on a stock Windows server is to set up
an IPSec filter list to block 3389 (the default RDP
port) for all but the approved list of TS clients' IP
addresses.

And this avoids having to teach everyone else which
port to use -- or finding out, once this port is known
(any hacker can easily determine it), that everyone is
able to use ANY machine to connect.

BTW:
IPSec filters/policies are NOT just for doing IPSec.

These filters have three basic actions:

1) Block
2) Pass
3) Negotiate IPSec

What you want to do is use just #1 and #2 to pass only
the machines you wish to allow access to Terminal
Services.
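The block-plus-pass filter list this reply describes, as an added example that is not part of the thread. It uses the `netsh ipsec static` context, which exists on Windows Server 2003 and XP SP2 and later; on Windows 2000, where this thread is set, the same policy, filter lists, filter actions and rules are created in the IP Security Policy MMC snap-in (or with ipsecpol.exe from the Resource Kit) with identical semantics. The policy and list names and the approved addresses 10.0.0.5 and 10.0.0.6 are constructed placeholders. Note that netsh calls the "Pass" action "permit".

```batch
@echo off
rem Added example (not from the thread): a local IPSec policy that blocks
rem TCP/3389 from every source and then permits it only from approved hosts.
rem Requires "netsh ipsec static" (Windows Server 2003 / XP SP2 and later).
rem Names and the 10.0.0.x addresses are constructed placeholders.

set "POLICY=RDP-Restrict"

rem 1. Policy container. It is created unassigned so nothing is enforced yet.
netsh ipsec static add policy name="%POLICY%" description="Restrict RDP to approved admin hosts" activatedefaultrule=no

rem 2. Filter actions: plain block and plain permit, no IPSec negotiation
rem    (actions #1 and #2 in the reply above; netsh calls "Pass" permit).
netsh ipsec static add filteraction name="Block-All" action=block
netsh ipsec static add filteraction name="Permit-Plain" action=permit

rem 3. Broad filter list: any source to this host, TCP 3389.
netsh ipsec static add filterlist name="RDP-Any" description="All inbound RDP"
netsh ipsec static add filter filterlist="RDP-Any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 4. Narrow filter list: one filter per approved admin host.
netsh ipsec static add filterlist name="RDP-Approved" description="RDP from approved hosts"
netsh ipsec static add filter filterlist="RDP-Approved" srcaddr=10.0.0.5 srcmask=255.255.255.255 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
netsh ipsec static add filter filterlist="RDP-Approved" srcaddr=10.0.0.6 srcmask=255.255.255.255 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem 5. Rules. IPSec evaluates the most specific matching filter first, so the
rem    single-host permit wins for approved sources and the any-source block
rem    applies to everything else.
netsh ipsec static add rule name="Block-RDP" policy="%POLICY%" filterlist="RDP-Any" filteraction="Block-All"
netsh ipsec static add rule name="Permit-RDP-Admins" policy="%POLICY%" filterlist="RDP-Approved" filteraction="Permit-Plain"

rem 6. Review the policy, then assign it. Only one IPSec policy can be assigned
rem    at a time, and assigning this one with a wrong approved address locks
rem    out RDP, so keep a console or out-of-band path open while testing.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y

rem To back out: netsh ipsec static set policy name="%POLICY%" assign=n
```

Test it from an approved host and from an unapproved one before leaving the console: the approved host's `mstsc /v:ServerName` should connect, and the unapproved one should time out rather than be refused, because a block action silently drops the SYN. Because the filters key on source IP, a host that can spoof or sit on an approved address is still trusted; this is what the reply means by only passing "the machines you wish to allow", not the users.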
 