Re: Publishing Terminal Server with ISA, is it safe?


From: M P (mark_at_textguru.ph)
Date: 03/02/04


Date: Tue, 2 Mar 2004 13:09:39 +0800

Thanks for the reply Jeff!

Is there any KB in MS about the proper way of setting up ISA with regards to
enabling Terminal Service?

Mark
"Jeff Leamon" <jleamon@rushcpa.com> wrote in message
news:38A2743B-772D-4184-9AB3-C0A2BA5B7F8F@microsoft.com...
> Mark,
>
> RDP (Remote Desktop Protocol) on terminal services uses TCP Port #3389
> only, and does not use dangerous services, such as NetBIOS at all. In the
> terminal services manager, I would recommend accepting only high-encryption
> sessions (128-bit).
>
> Moreover, in ADUC (Active Directory Users & Computers) you can also
> specify which account can access terminal services, and when they can access
> the system. While you can set up a server publishing rule on your ISA
> server to permit RDP traffic to your terminal server, you will also need to
> create an accompanying protocol definition to allow traffic on TCP # 3389 to
> pass.
>
> In Windows Server 2003 terminal services, there is also a local security
> group called "Remote Desktop Users", which allows the right to login to the
> terminal server. To simplify administration, you could create a domain
> global group in ADUC, add your terminal server users' domain accounts to it,
> and then add the entire global group "TSUSERS", for example, to the
> "Remote Desktop Users" local group on your terminal server.
>
> For additional security, you could also enable auditing to track
> successful and unsuccessful logins to your terminal server. If configured
> properly, your ISA server should have no problem providing acceptable levels
> of protection for your terminal server. Hope this helps.
>
>
>
> ----- M P wrote: -----
>
> By the way, I will use my ISA as Firewall and web cache in one box.
>
> "M P" <mark@textguru.ph> wrote in message
> news:OUB4Odz#DHA.2524@tk2msftngp13.phx.gbl...
> > I am planning to publish TS with ISA. Is this safe? Currently, I notice that
> > there are lots of unknown TCP requests to my external hosts, mostly to
> > NetBIOS ports. If I will publish TS, is there a chance that a hacker can
> > enter into our site? Is there a secured way to publish TS?
> >
> > Mark
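
The auditing step suggested in the quoted reply, as an added example that is not part of the original thread: a Python sketch that reviews exported logon audit records for a published terminal server and reports sources with repeated failed RDP logons, including any that later logged on successfully. The five-field export layout, the sample records and the function name `review_rdp_logons` are constructed for illustration.

```python
import csv
from collections import defaultdict

# Windows Server 2003 logs 528 (logon success) and 529 (unknown user name or
# bad password); later Windows versions log 4624 and 4625 for the same events.
SUCCESS_IDS = {528, 4624}
FAILURE_IDS = {529, 4625}
REMOTE_INTERACTIVE = 10  # logon type recorded for Terminal Services / RDP

# Constructed sample export (assumed layout):
# time,event_id,logon_type,account,source_address
SAMPLE_EVENTS = """\
2004-03-02T13:01:05,529,10,administrator,203.0.113.7
2004-03-02T13:01:09,529,10,administrator,203.0.113.7
2004-03-02T13:01:14,529,10,admin,203.0.113.7
2004-03-02T13:02:30,528,10,mark,198.51.100.20
2004-03-02T13:03:02,529,10,mark,198.51.100.20
2004-03-02T13:03:40,528,2,backup,127.0.0.1
2004-03-02T13:04:11,529,10,administrator,203.0.113.7
2004-03-02T13:04:15,528,10,administrator,203.0.113.7
"""

def review_rdp_logons(text, threshold=3):
    """Return (failures per source, noisy sources with the account names they
    tried, successful logons from a source already at the threshold)."""
    failures = defaultdict(int)
    accounts = defaultdict(set)
    success_after_failures = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 5:
            continue  # skip malformed lines rather than guess at fields
        _time, event_id, logon_type, account, source = row
        if int(logon_type) != REMOTE_INTERACTIVE:
            continue  # console, service and network logons are out of scope
        event_id = int(event_id)
        if event_id in FAILURE_IDS:
            failures[source] += 1
            accounts[source].add(account.lower())
        elif event_id in SUCCESS_IDS and failures.get(source, 0) >= threshold:
            # A success right after a run of failures deserves a closer look.
            success_after_failures.append((source, account.lower()))
    noisy = {s: sorted(accounts[s]) for s, n in failures.items() if n >= threshold}
    return dict(failures), noisy, success_after_failures
```
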
