It's only as strong as your password. If you want to secure terminal server connections you can do any one of the following things:
Don't expose the port to the whole world. In other words, in your firewall rule for terminal server, say incoming from - and put specific IPs, if you can. If you are going to have people connecting who may be on dial-up or from hotels, it won't work. But if you have workers at home on high-speed connections, it's a little easier to do.
Make passwords very strong, no less than 8 characters, alphanumeric with additional characters and CaSe <!@#$%>, and change them often.
There is a policy you can turn on that will bring up a warning at logon; this prevents people from using password cracking programs. Terminal server will allow three logon attempts before disconnecting; this popup warning defeats programs that try to 'grind' passwords by using dictionary/password lists to guess. Also, you can configure the username to be blank, so it would have to be entered at each login; that also defeats these programs.
When you set up TS, you are given 2 modes. Remote Administration mode will allow 2 TS connections concurrently only. If you want more, you go with the application server mode but you will have to have licenses for your connections.
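The post above describes password 'grinding' against a terminal server, where a program keeps reconnecting to guess passwords from a list. A defender can spot that pattern in logon records by counting failures per source address over a short window. The following is an added example, not code from the original thread; the log format and sample lines are constructed for illustration and do not match any real terminal server log.

```python
"""Flag password-grinding attempts against a terminal server from logon logs.

The log format is constructed for this example (timestamp, source IP,
username, outcome); real terminal server logs differ, but the logic
(many failures from one source in a short window) is the same.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammers 'administrator', another
# user simply mistypes once and then logs on successfully.
SAMPLE_LOG = """\
2003-05-01 08:00:01 203.0.113.7 administrator FAIL
2003-05-01 08:00:03 203.0.113.7 administrator FAIL
2003-05-01 08:00:05 203.0.113.7 administrator FAIL
2003-05-01 08:00:08 203.0.113.7 administrator FAIL
2003-05-01 08:00:10 203.0.113.7 admin FAIL
2003-05-01 08:01:00 198.51.100.4 jsmith FAIL
2003-05-01 08:01:20 198.51.100.4 jsmith OK
2003-05-01 09:30:00 203.0.113.7 administrator FAIL
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), src, user, outcome))
    return events


def find_grinders(events, max_failures=3, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures} for sources that exceed max_failures
    failed logons inside any sliding window of the given length.

    The default of 3 mirrors the three attempts the server allows per
    connection: a single user may plausibly fail that often, but a source that
    keeps reconnecting to get more guesses shows up as more than 3 failures."""
    failures = defaultdict(list)
    for ts, src, _user, outcome in sorted(events):
        if outcome == "FAIL":
            failures[src].append(ts)  # already time-ordered thanks to sorted()
    flagged = {}
    for src, times in failures.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > max_failures:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged
```

Running `find_grinders(parse_log(SAMPLE_LOG))` flags only 203.0.113.7 (five failures within five minutes); the lone failure from 198.51.100.4 stays below the threshold, as does the isolated failure from the first source at 09:30.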
Is it possible to use terminal services through a vpn connection without opening port 3389 as well? If not, then vpn support would only protect the active session, not the server itself since the firewall would forward any terminal services requests?
It is not possible to limit access from specific ip addresses since the clients would be dynamic.
VPN question answer...
The firewall WOULD NOT just forward any request through unless you allowed the firewall to pass them through. If you put a firewall up and not allow any traffic through, then TS will not be able to connect because it will not see any server/computer behind the firewall. But if you enable a VPN tunnel (with the firewall still not allowing regular IP traffic through) then TS could connect because the VPN tunnel would be the only "open" way through the firewall.
We have our network setup that only internet traffic is allowed through the firewall (since we don't have a web or email server on the inside) and our remote users use a hardware based VPN to connect and use TS.
OK, thanks. My present experimentation with software VPNs hasn't yet worked; something gets blocked even though the VPN is connecting, and TS can't find the server, thus this information gathering exercise.
I guess it's possible that certain VPNs are not compatible with TS.
Your best bet would be to get the VPN working. Then test the VPN by sharing a folder on the server and testing that you can access the file through the VPN. If that works, then TS should be able to work also.
TS looks for the TS server IP address on the local network. If the VPN is up and running, and the server that you are able to share a file with is being seen by your computer, then TS should also see your server. But if your VPN is not up, then your computer can't see your network (just like I can't see your network from my computer) and TS cannot see your network.
I have not seen any articles about TS not working with certain types of VPNs. I have seen cases where people can't get the VPN to work, thus their TS connection will not work, and then they blame the VPN because it won't allow them to connect, when actually their VPN isn't working at all and therefore TS can't work through the tunnel.
Keep posting questions if you wish. I like helping others come up with solutions.
I've got a Cisco VPN that has users authenticate to the domain once they've gotten in. The VPN has an extremely strong password, so once they pass that, they still have to authenticate to the domain. This will give you all the security you need as long as you use the strong passwords that were mentioned earlier. That's your safest line of defense. BTW, once I'm in I use TightVNC so I can really see what's going on instead of starting a new session. Works great. Good luck.
Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us
Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884
"It's not what you look at that
matters, it's what you see."
Henry David Thoreau (1817-1862); US essayist, poet.