Re: Terminal Services over a VPN



Carroll,

You can use IPSec to limit the IP addresses that are permitted to connect to your TS. That way you can have it allow *only* machines in the local office and those that are in the satellite office.

Take a look here for a video clip that walks you through the setup:

http://tshelp.bravehost.com/demos/ipsec_rdp.html

The clip demonstrates how to permit only a specific IP address to connect to the server. In your case you will need to add a new entry to the RDP_Permit filter, choose "A specific IP Subnet", and enter your local IP subnet as well.

As far as the SSL cert, here are the basic steps:

1.) Create a DNS host record that points to your main office's public IP address, for example:

hq.yourcompanyname.com

2.) Create a certificate request and submit it to GoDaddy (or similar) in order to obtain a public cert. You can use the wizard in IIS Manager for this by creating a new website that matches the above name (on your TS server), right-click and choose Properties, Directory Security tab, Server Certificate button.

A public cert costs about $18 per year and you will receive it in minutes. When you have the new cert open the wizard again and install it. After the install you can stop or delete the website created above since you don't need it for anything.

3.) Install the 5.2.3790.1830 version of the Remote Desktop client on all machines that will need to connect to your TS. The install file for this version is located on your server here:

C:\WINDOWS\system32\clients\tsclient\win32\msrdpcli.msi

4.) Open up Terminal Services Configuration, right-click on RDP-Tcp, and choose Properties. At the bottom of the General tab, click the Edit button, select your newly-installed cert, and click OK. Finally select SSL as the security layer and click OK to close the Properties window.

5.) There are two requirements when connecting from each machine. First, you must use the public name in the Computer field that you used above when requesting the cert. In our example it is:

hq.yourcompanyname.com

Second, on the security tab of the Remote Desktop Client, set it to Require Authentication.

-TP
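The following is an added example, not part of TP's post or the linked video. It is a PowerShell script for the Terminal Server itself that checks what steps 2 through 4 above should have produced on the RDP-Tcp listener (security layer set to SSL, a certificate bound whose name matches the public DNS name, chain building to a trusted root) and then writes a client .rdp file that satisfies step 5. It assumes Windows Server 2003 SP1 or later with PowerShell installed and an elevated session; the registry key, value names and numeric meanings are the standard WinStations listener settings, the name hq.yourcompanyname.com is the post's example, and the output path of the .rdp file is an assumption.

```powershell
# Added example, not from the original post: verify the RDP-Tcp listener
# after step 4 and write a client .rdp file for step 5.
# Assumes Windows Server 2003 SP1 (or later) with PowerShell, run elevated
# on the Terminal Server. Change $PublicName to the name on your certificate.

$PublicName = 'hq.yourcompanyname.com'    # the post's example name
$Listener   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpTcpSecurity {
    param([string]$ExpectedName, [string]$KeyPath)

    $cfg    = Get-ItemProperty -Path $KeyPath
    $issues = @()

    # SecurityLayer: 0 = RDP security layer, 1 = Negotiate, 2 = SSL (TLS).
    # Only 2 gives the client a server identity it can verify.
    $layerName = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL' }
    $layer = [int]$cfg.SecurityLayer
    Write-Host ("Security layer : {0} ({1})" -f $layer, $layerName[$layer])
    if ($layer -ne 2) { $issues += 'Security layer is not SSL; clients cannot authenticate the server' }

    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
    $enc = [int]$cfg.MinEncryptionLevel
    Write-Host ("Min encryption : {0}" -f $enc)
    if ($enc -lt 3) { $issues += 'Encryption level is below High; raise it to High or FIPS' }

    # The cert chosen with the Edit button is stored as its SHA-1 thumbprint (REG_BINARY)
    $hashBytes = $cfg.SSLCertificateSHA1Hash
    if (-not $hashBytes) { $issues += 'No certificate is bound to RDP-Tcp'; return $issues }
    $thumb = ($hashBytes | ForEach-Object { $_.ToString('X2') }) -join ''

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { $issues += "Bound thumbprint $thumb is not in LocalMachine\My"; return $issues }
    Write-Host ("Certificate    : {0}" -f $cert.Subject)
    Write-Host ("Issuer         : {0}" -f $cert.Issuer)
    Write-Host ("Valid until    : {0}" -f $cert.NotAfter)

    # What a client with "Require Authentication" checks: the name typed in the
    # Computer field must match the cert, the cert must be in date, and the
    # chain must build to a root the client trusts.
    $cnPattern = '(^|,\s*)CN=' + [regex]::Escape($ExpectedName) + '(,|$)'
    if ($cert.Subject -notmatch $cnPattern) {
        $issues += "Certificate CN does not match $ExpectedName; clients will see a name mismatch"
    }
    if ($cert.NotAfter -lt (Get-Date)) { $issues += 'Certificate has expired' }
    if (-not $cert.HasPrivateKey)      { $issues += 'No private key for this cert in the store; the TLS handshake will fail' }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $issues += "Chain does not build to a trusted root on this machine: $status"
    }
    return $issues
}

function New-RdpFile {
    param([string]$ServerName, [string]$Path)
    # "authentication level" as saved by the client's Security tab:
    # 2 = require server authentication (the post's "Require Authentication"),
    # 1 = warn, 0 = no check. The full address must be the cert's public name.
    @(
        "full address:s:$ServerName",
        'authentication level:i:2',
        'screen mode id:i:2'
    ) | Set-Content -Path $Path -Encoding Unicode
}

$problems = Test-RdpTcpSecurity -ExpectedName $PublicName -KeyPath $Listener
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'RDP-Tcp listener is configured for SSL with a matching certificate' }

# Assumed output path; hand this file to the remote users instead of having them type the name.
New-RdpFile -ServerName $PublicName -Path "$env:USERPROFILE\Desktop\hq.rdp"
```

The chain check runs on the server, so it only approximates what the client will do; a GoDaddy-issued cert is normally trusted on a patched Windows client, but a client that is missing the intermediate or root will still refuse the connection when set to require authentication. The script does not change anything on the server; it reads the listener settings and reports what the client experience will be.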

Carroll McAllister wrote:
Costin Hagiu [MS] wrote:

Exposing the TS (RDP) port directly on the internet is very risky.
This would allow anybody to spin up a session on the TS box, which
takes a significant amount of resources (CPU and memory). Also, the
attack surface exposed this way is very big.

Ok. I figured there was an increased risk in doing something like
that. Forewarned is forearmed, so to speak. <G> So, I'll not do
what I was thinking about doing, then.


Regarding encryption: unless you use the new SSL connection
protection available in Windows 2003 SP1 (you need to install
certificates and configure it explicitly and also configure clients
to require server

It's been quite a while since my Windows 2000 Server classes (last
time I would have dealt with certificates). Can I generate the
required certificate myself? Or do I/we have to use someone like
Verisign to generate the certificate?

The certificate would only be used by our internal file server when
we're connecting via TS from our remote locations.

authentication), the connections will be vulnerable to
Man-In-the-Middle Attacks (active attacks that allow an attacker who
can alter data on the connection between server and client to
completely intercept data on the connection). Even if you enable SSL
encryption/server authentication, it will not mitigate the Denial of
Service/attack surface concerns.

My main reason for asking the initial question was that whatever we
did, we have HIPAA concerns, as we're dealing with "protected patient
information". So, I need to set things up to be as secure as I can
reasonably make them.


-=> Carroll McAllister <=-

coming to you "almost live" from Searcy, Arkansas
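The IPSec restriction TP describes at the top of the reply (an RDP_Permit filter list holding the trusted subnets) can also be scripted with the "netsh ipsec static" commands built into Windows Server 2003, rather than clicked through in the MMC snap-in as the linked video shows. The script below is an added example, not code from the post or the video. It creates one permit filter per trusted subnet and a catch-all block filter for TCP 3389; IPSec evaluates the more specific filter first, so the subnet permits override the block. The policy name, the two subnets and their descriptions are assumptions; the satellite office subnet must be the source address range as the Terminal Server sees it after the VPN, not the office's public address.

```powershell
# Added example, not from the original post or the linked video: build the
# IPSec policy that restricts TS (TCP 3389) to known subnets using
# "netsh ipsec static" (Windows Server 2003). Print the commands by default;
# run with -Apply to execute them.
param([switch]$Apply)

$PolicyName  = 'TS Restrict'      # assumed policy name
$TrustedNets = @(                 # assumed subnets; replace with yours
    @{ Addr = '192.168.10.0'; Mask = '255.255.255.0'; Desc = 'local office LAN' },
    @{ Addr = '192.168.20.0'; Mask = '255.255.255.0'; Desc = 'satellite office via VPN' }
)
$RdpPort = 3389

function Get-TsIpsecCommands {
    param([string]$Policy, [array]$Nets, [int]$Port)
    $cmds = @()
    $cmds += "netsh ipsec static add policy name=`"$Policy`" description=`"Allow TS only from known subnets`""

    # RDP_Permit: the filter list from the post, one entry per trusted subnet.
    # srcport=0 means any source port; mirrored=yes also matches the replies.
    $cmds += 'netsh ipsec static add filterlist name="RDP_Permit"'
    foreach ($n in $Nets) {
        $cmds += ('netsh ipsec static add filter filterlist="RDP_Permit" srcaddr={0} srcmask={1} ' +
                  'dstaddr=Me protocol=TCP srcport=0 dstport={2} mirrored=yes description="{3}"') -f
                  $n.Addr, $n.Mask, $Port, $n.Desc
    }
    $cmds += 'netsh ipsec static add filteraction name="RDP_Allow" action=permit'
    $cmds += "netsh ipsec static add rule name=`"Permit RDP from trusted subnets`" policy=`"$Policy`" " +
             'filterlist="RDP_Permit" filteraction="RDP_Allow"'

    # RDP_Block: everything else reaching TCP 3389 on this host. The less
    # specific filter loses to the subnet permits above.
    $cmds += 'netsh ipsec static add filterlist name="RDP_Block"'
    $cmds += "netsh ipsec static add filter filterlist=`"RDP_Block`" srcaddr=Any dstaddr=Me " +
             "protocol=TCP srcport=0 dstport=$Port mirrored=yes"
    $cmds += 'netsh ipsec static add filteraction name="RDP_Deny" action=block'
    $cmds += "netsh ipsec static add rule name=`"Block RDP from everywhere else`" policy=`"$Policy`" " +
             'filterlist="RDP_Block" filteraction="RDP_Deny"'

    # Assigning the policy is what makes it take effect, so it goes last.
    $cmds += "netsh ipsec static set policy name=`"$Policy`" assign=y"
    return $cmds
}

$commands = Get-TsIpsecCommands -Policy $PolicyName -Nets $TrustedNets -Port $RdpPort
$commands | ForEach-Object { Write-Host $_ }

# Only apply from the server console or from an address inside a trusted subnet:
# the moment the policy is assigned, every other RDP session is cut off,
# including the one you may be typing in.
if ($Apply) {
    foreach ($c in $commands) { cmd /c $c }
    cmd /c "netsh ipsec static show policy name=`"$PolicyName`" level=verbose"
}
```

This policy only permits or blocks; it does not negotiate IPSec encryption, so it is a source-address filter, not a substitute for the SSL security layer on the RDP-Tcp listener. To back it out, run "netsh ipsec static set policy name=... assign=n" followed by "netsh ipsec static delete policy name=...", which also removes the rules; the filter lists and filter actions are separate objects and are deleted with the corresponding "delete filterlist" and "delete filteraction" commands.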