MS terminal server best practice?

[SiD the Turtle]

Hi chaps. Internally we have several virtualised servers whose purpose is to be used as demo systems for pre-sales and development work. In order to use them staff must VPN into the office and then connect to the relevant server.

What they would prefer is the ability to RDP directly from any workstation without having to VPN. To do this I thought of setting up a locked down terminal server that only has RDP access to these specific VMs.

So my question is can anyone point me in the direction of best practices for locking down a TS? I don't want to just walk through group policy ticking things I think sound like they should be disabled.

 

[SiD the Turtle]

Cheers guys. We have a security policy but when the request comes from the MD you kind of have to action it regardless

Putting the server in the DMZ is probably not a bad idea, but all of the target servers are on the internal network.

I've found an article on locking down the server itself which would seem to be what I'm looking for (http://www.microsoft.com/downloads/...ff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en) however it's for Windows 2003. I'll probably want to build a Windows 2008 R2 box, but would I be right in saying the security policies will be largely the same?

 

[SiD the Turtle]

What about implementing a Terminal Services Gateway? have the website accessible via the internet, use SSL and use authenticate from AD.

Ta, I'll do a google.