MS terminal server best practice?

Hi chaps. Internally we have several virtualised servers whose purpose is to be used as demo systems for pre-sales and development work. In order to use them, staff must VPN into the office and then connect to the relevant server.

What they would prefer is the ability to RDP directly from any workstation without having to VPN. To do this I thought of setting up a locked down terminal server that only has RDP access to these specific VMs.

So my question is can anyone point me in the direction of best practices for locking down a TS? I don't want to just walk through group policy ticking things I think sound like they should be disabled.
 
So you want to put a terminal server with an internet address out there for anyone to RDP onto and tighten down the build to make it more secure.

Security nightmare in the making. What does your corporate policy say on such stuff? I'd imagine it would be a no-no!
Alternatively, tell the users to get stuffed and use the VPN connection.
 
I think you will want to put the lot in a DMZ, unless you are a small company and don't really care... then at least if it's hacked they don't have access to your internal systems.
 
> So you want to put a terminal server with an internet address out there for anyone to RDP onto and tighten down the build to make it more secure.
>
> Security nightmare in the making. What does your corporate policy say on such stuff? I'd imagine it would be a no-no!
> Alternatively, tell the users to get stuffed and use the VPN connection.

What? A TS server is perfectly fine as long as it's locked down sufficiently.
 
Cheers guys. We have a security policy but when the request comes from the MD you kind of have to action it regardless :(

Putting the server in the DMZ is probably not a bad idea, but all of the target servers are on the internal network.

I've found an article on locking down the server itself which would seem to be what I'm looking for (http://www.microsoft.com/downloads/...ff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en), however it's for Windows 2003. I'll probably want to build a Windows 2008 R2 box, but would I be right in saying the security policies will be largely the same?
 
Yes, the policies are pretty much the same; the AD schema has changed slightly in 2008, so see if you can find a more up-to-date article.
 
Tell them to get lost; it's bad practice at the very least. Security isn't necessarily compatible with convenience. The only way I'd even consider it is in a separate firewall zone and locked down to the specific public IPs people would be coming from; otherwise it's a VPN.
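Added example (not written by any poster in this thread): what "locked down to specific public IPs" looks like on the Windows Server 2008 R2 host itself, as a second layer behind the perimeter firewall. The source addresses (RFC 5737 documentation ranges) and the `CORP\Demo-RDP-Users` group are placeholders for this example only. Run it in an elevated PowerShell on the terminal server.

```powershell
# Added example, not from the thread. Host-level controls that sit behind, not
# instead of, the perimeter firewall. Source IPs and the group name are assumptions.

$allowedSources = @('203.0.113.10', '198.51.100.0/24')   # assumed staff source addresses
$ipList = $allowedSources -join ','

# 1. Disable the built-in RDP rule (it allows any remote address) and add one
#    scoped to the allowed sources only.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
netsh advfirewall firewall add rule name="RDP - allowed sources only" dir=in action=allow protocol=TCP localport=3389 remoteip=$ipList

# 2. Require Network Level Authentication and TLS on the RDP listener. With NLA
#    the client must authenticate before a session (and its logon screen) exists,
#    which removes the "anyone can see the logon screen" exposure.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1   # 1 = NLA required
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2   # 2 = TLS (SSL) only
Set-ItemProperty -Path $rdpTcp -Name MinEncryptionLevel -Value 3   # 3 = High

# 3. Only one purpose-built group may log on over RDP (assumed group name).
net localgroup "Remote Desktop Users" "CORP\Demo-RDP-Users" /add

# 4. Throttle online password guessing. On a domain member this governs local
#    accounts only; domain accounts take the domain's lockout policy.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 5. Verify the result.
netsh advfirewall firewall show rule name="RDP - allowed sources only"
Get-ItemProperty -Path $rdpTcp | Select-Object UserAuthentication, SecurityLayer, MinEncryptionLevel
net localgroup "Remote Desktop Users"
```

The registry changes take effect for new connections without a reboot; test from an address outside `$allowedSources` to confirm the TCP handshake is refused, and from an allowed one to confirm the client is prompted for credentials before any desktop or logon screen is drawn.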
 
What about implementing a Terminal Services Gateway? Have the website accessible via the internet, use SSL and authenticate against AD.
 
RDP gateway isn't a terrible idea at all but it's a bit of a faff when you already have a solution which works just fine and you don't need the capabilities of the gateway really...
 
> What? A TS server is perfectly fine as long as it's locked down sufficiently.

Absolutely not. Having a nice and easy logon screen that anyone can access from anywhere is nothing but a terrible, terrible, terrible idea. You're potentially inviting unwanted folk straight onto your system.

Personally, VPN or GTFO.
> Cheers guys. We have a security policy but when the request comes from the MD you kind of have to action it regardless :(
>
> Putting the server in the DMZ is probably not a bad idea, but all of the target servers are on the internal network.

Still put it in a DMZ (depending on what access is needed); you can open holes in the firewall for ONLY the servers and ONLY the ports needed.

Depending on the number of users in question you can create a standalone server with local accounts (depending on what you are trying to do it might not be practical).
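Added example (not from any poster here): the perimeter firewall is vendor-specific, but the same "only those servers, only those ports" rule can be mirrored on the DMZ terminal server's own firewall, so that even a compromised session on the box cannot reach anything else on the internal network. All addresses below are assumptions for this example.

```powershell
# Added example, not from the thread. Host-level egress control on the DMZ
# terminal server, mirroring the perimeter rule. Addresses are assumptions.

$demoVms   = @('10.10.20.11', '10.10.20.12', '10.10.20.13')   # assumed internal demo VMs
$dcServers = @('10.10.0.5')                                    # assumed DC; only if the TS stays domain-joined

# Default-deny in both directions on every profile.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# Staff may only hop from this box to the demo VMs, and only on RDP.
$vmList = $demoVms -join ','
netsh advfirewall firewall add rule name="Egress - RDP to demo VMs" dir=out action=allow protocol=TCP remoteip=$vmList remoteport=3389

# If the host stays domain-joined it still needs its DC (DNS, Kerberos, RPC,
# LDAP/LDAPS, SMB for Netlogon, and the dynamic RPC range). Omit these two
# rules if you build it standalone with local accounts as suggested above.
$dcList = $dcServers -join ','
netsh advfirewall firewall add rule name="Egress - DC TCP" dir=out action=allow protocol=TCP remoteip=$dcList remoteport=53,88,135,389,445,636,49152-65535
netsh advfirewall firewall add rule name="Egress - DC UDP" dir=out action=allow protocol=UDP remoteip=$dcList remoteport=53,88,123,389

# Everything else out of the DMZ host is dropped. Log the drops: a burst of
# blocked connections to other internal addresses is a good sign that a demo
# session is being used for something other than demos.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# Verify.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out
```

Keep the inbound side scoped to RDP from the allowed sources only (the host rule in the earlier reply about specific public IPs covers that); with both directions default-deny, the pfirewall.log drop entries are worth forwarding to whatever you use for log collection.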
 
Why not just VPN and then connect to a specific PC, any PC within the same range, even a VM, and then set up one of the MSC snap-ins with all the servers listed and put a shortcut on the desktop? So people will only have to RDP to one server after the VPN is up, and then from there they can use the .msc to go to all the servers. Not ideal, but it might make it "easier" for the lazy users.
 