Re: Security using terminal services
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Thu, 14 Apr 2005 02:27:46 -0500
"Rich" <rstringer@xxxxxxxxxxx> wrote in message
news:u5n1z1JQFHA.3144@xxxxxxxxxxxxxxxxxxxxxxx
> Hello,
>
> In my environment, all Win2K servers have terminal services running to allow
> for remote administration. In this situation, we have several application
> servers which require enhanced security. We don't want anyone to be able to
> reach these servers using terminal services unless the terminal services
> session is initiated from specified servers. I know that you can specify
> specific ports when initiating the terminal services session. Can anyone
> help me to understand this a little further and better understand how to
> configure this?

Changing the port number is NOT security -- except in
the sense that it is obscurity.

What you need is a filter list.

The simplest thing to do on a stock Windows server is to set up
an IPSec filter list to block 3389 (the default RDP
port) for all but the approved list of TS clients' IP
addresses.

And this avoids having to teach everyone else which
port to use -- or finding out that once this port is known
(or any hacker can easily determine it) everyone is
able to use ANY machine to connect.

BTW:
IPSec filters/policies are NOT just for doing IPSec.

These filters have three basic actions:
1) Block
2) Pass
3) Negotiate IPSec

What you want to do is use just #1 and #2 to pass only
the machines you wish to allow access to Terminal
Services.
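
Added example, not part of the original post: the block/pass filter lists described in the reply, written as a batch script. It assumes the `netsh ipsec static` context, which ships with Windows Server 2003 and later (on the Win2K servers in the question, the same policy would be built in the IP Security Policies snap-in); the policy, filter list and action names are hypothetical, and 192.0.2.10 and 192.0.2.11 are constructed placeholder addresses.

```bat
@echo off
rem Added example. All names below are hypothetical; the two addresses are
rem constructed placeholders for the approved TS client machines.
rem Run from an elevated prompt on the server's local console, not over the
rem Terminal Services session that the policy is about to restrict.
rem Only one IPSec policy can be assigned at a time: assigning this one
rem replaces whatever local policy was assigned before.

set POLICY=TS-Restrict

netsh ipsec static add policy name="%POLICY%" description="Limit RDP to approved admin hosts"

rem Filter list 1: any source to this server on TCP 3389 (default RDP port).
netsh ipsec static add filterlist name="TS-FromAny"
netsh ipsec static add filter filterlist="TS-FromAny" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem Filter list 2: one filter per approved TS client address.
netsh ipsec static add filterlist name="TS-FromAdmins"
for %%A in (192.0.2.10 192.0.2.11) do (
    netsh ipsec static add filter filterlist="TS-FromAdmins" srcaddr=%%A dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes
)

rem The two actions the reply says to use: Block and Pass (permit).
netsh ipsec static add filteraction name="TS-Block" action=block
netsh ipsec static add filteraction name="TS-Permit" action=permit

rem IPSec matches the most specific filter first, so the single-address
rem permit filters take precedence over the any-source block filter.
netsh ipsec static add rule name="Block RDP from any" policy="%POLICY%" filterlist="TS-FromAny" filteraction="TS-Block"
netsh ipsec static add rule name="Permit RDP from admins" policy="%POLICY%" filterlist="TS-FromAdmins" filteraction="TS-Permit"

rem Activate the policy and print it for review.
netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%"
```

The filters match on source IP address only, so the approved machines need fixed addresses for the allow list to stay accurate.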
- References:
- Security using terminal services
- From: Rich
- Security using terminal services