SSL and TS

  • SSL and TS

    Hello

    We have been toying with the idea of allowing staff access to our TS services from external connections; due to the possible security issues we have always been very cautious.

    We have therefore implemented the following:

    Access to be granted to listed IPs only (Windows Firewall)

    Strong Passwords for Authentication

    SSL encapsulation over RDP (Cheap Option)

    http://thelazyadmin.com/index.php?/a...h-SelfSSL.html

    Is there anything else that we can implement that will allow me to say to my line manager “so far as reasonably practicable” we have ensured the service will be secure!!!

    Cheers

    Chris
    Last edited by fanturex; 27th January 2006, 22:24.

  • #2
    Re: SSL and TS

    Few tricks:

    1. You can limit administrator accounts so they couldn't log on via TS.
    2. Use smartcard authentication - an e-Token costs ~$50 and will help you give your manager a good night's sleep.

    Regards,

    Yuval
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14



    • #3
      Re: SSL and TS

      Many thanks for your reply; we have disabled administrator access as we were worried about brute force attempts.

      Smartcards are an option, but to be honest it's going to be hard enough for staff to be able to install the required application and certificate to enable connection in the first instance.

      But I will have a search on Google for smartcard how-tos.

      Cheers

      Chris



      • #4
        Re: SSL and TS

        Hello,

        One more security improvement is to use a different port for TS.
        By default it is 3389.
        It is well known and can be easily identified by any port scanning tool.
        Choose between two solutions:
        1. Port redirection (all incoming traffic on port x is redirected by the firewall to your internal server on 3389).
        2. Configure your internal servers to listen on a different port. Open this port in your firewall.
        http://support.microsoft.com/default...b;en-us;306759
        http://support.microsoft.com/?kbid=304304

        I also found this freeware interesting:
        http://www.2x.com/securerdp/

        Regards,
        Csaba
        Last edited by netxt; 28th January 2006, 21:04.
        Regards,
        Csaba Papp
        MCSA+messaging, MCSE, CCNA
        Remember to give credit where credit is due and leave reputation points where appropriate

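As an added example that is not part of this thread, the PowerShell audit below checks, on the Terminal Server itself, whether the controls discussed in posts #1, #2 and #4 are actually in place: the RDP listener port, TLS and Network Level Authentication on the listener (the "SSL over RDP" item), the Administrators group denied Remote Desktop logon, and inbound firewall rules for the RDP port scoped to explicit remote addresses rather than "Any". It assumes a current Windows version with the NetSecurity cmdlets and an elevated session; the RDP-Tcp registry path and value names are the standard listener settings, not taken from the thread.

```powershell
# Added example, not from the thread: audit RDP hardening on a Windows host exposing TS.
# Run in an elevated PowerShell session on the server being checked.
$findings = New-Object System.Collections.Generic.List[string]

# Checks 1 and 2: the RDP-Tcp listener is configured in the registry (standard Windows path)
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$cfg = Get-ItemProperty -Path $listener
if ($cfg.PortNumber -eq 3389) {
    $findings.Add('RDP listens on the default port 3389 (post #4 suggests moving it)')
}
# SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS required
if ($cfg.SecurityLayer -ne 2) {
    $findings.Add("SecurityLayer is $($cfg.SecurityLayer); TLS is not required for the listener")
}
# UserAuthentication 1 = Network Level Authentication before a session is created
if ($cfg.UserAuthentication -ne 1) {
    $findings.Add('Network Level Authentication is not required')
}

# Check 3: Administrators (S-1-5-32-544) should be listed under
# "Deny log on through Remote Desktop Services" in the exported local policy
$tmp = Join-Path $env:TEMP 'rdp-audit-secpol.inf'
secedit /export /cfg $tmp /quiet | Out-Null
$deny = Select-String -Path $tmp -Pattern '^SeDenyRemoteInteractiveLogonRight' | ForEach-Object Line
Remove-Item $tmp -ErrorAction SilentlyContinue
if (-not $deny -or $deny -notmatch 'S-1-5-32-544') {
    $findings.Add('Administrators group is not denied Remote Desktop logon')
}

# Check 4: every enabled inbound allow rule covering the RDP port must name remote addresses
$rdpPort = "$($cfg.PortNumber)"
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    $ports = @($pf.LocalPort)
    $coversRdp = ($pf.Protocol -in 'TCP', 'Any') -and (($ports -contains $rdpPort) -or ($ports -contains 'Any'))
    if (-not $coversRdp) { continue }
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($remote -contains 'Any') {
        $findings.Add("Firewall rule '$($rule.DisplayName)' allows RDP from any remote address")
    }
}

if ($findings.Count -eq 0) { 'All checked RDP controls are in place.' } else { $findings }
```

Each finding maps back to one of the thread's recommendations, so the list is empty only when all of them are enforced on the host being audited.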