Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

RDP into Windows 2008 Server and needed security

Status
Not open for further replies.

DrB0b

IS-IT--Management
May 19, 2011
1,431
US
Hello all,
I have a floor thin client with nothing but an RDP icon to remote into our Terminal Server. The terminal server then opens a network path for the users on the floor to view PDF and Excel Docs. On the Shared Folder they are accessing, they are restricted to read only and cannot delete and they only have an Excel Viewer and Adobe Reader to open the files with anyway. I have their login created as a Guest so they cannot install or remove programs on the TS. I have the TS NIC setup so its manually missing its gateway and DNS servers so it can access internal network but nothing external and I think, as a Guest, they cannot change this but I havent verified.

If Im wanting to lock this down, am I missing anything obvious here? I have a shortcut linked to the Shared folder they need to access and I know that they theoretically could navigate deeper or shallower in the Shared Folder area but once they are blocked from reading any other folders, that wont be an issue. Just trying to cover my bases and feel free to throw out a better way to go about this. Was reading about SteadierState on another thread but not sure if it works on 08 or is even really needed.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
I have their login created as a Guest so they cannot install or remove programs on the TS. I have the TS NIC setup so its manually missing its gateway and DNS servers so it can access internal network but nothing external and I think, as a Guest, they cannot change this but I havent verified.

Will they even be able to login as Guest? They'll need to be Remote Desktop Users at a minimum, and you might as well make then full Users so that they have at least basic logon functionality. They wouldn't be able to modify network configurations as a regular user.

Which brings me to the point about you network card. If you don't have a default gateway or DNS servers listed, that server can only access resources on the local subnet and only by IP or NetBIOS name. That may be great for keeping users from surfing the web, but it may also keep this server from doing important things that it needs to do, like communicating with AD, management software, software update servers, etc. If your goal is to keep users from browsing the web, you're better off specifying a proxy server in IE (either one that allows no access or one that doesn't exist) than cutting off network communication entirely.

The only other way this scenario makes sense is if you're allowing unauthenticated or non-domain users access to these files, in which case you're probably better off setting up a web server to host them (or using WebDAV or something similar).

________________________________________
CompTIA A+, Network+, Server+, Security+
MCTS:Windows 7
MCSE:Security 2003
MCITP:Server Administrator
MCITP:Enterprise Administrator
MCITP:Virtualization Administrator 2008 R2
Certified Quest vWorkspace Administrator
 
They are created as Users in the Domain and the server itself is nothing more than a Terminal Server so being cut off from the outside world is fine. Should probably just go the Proxy route but wasn't thinking when I had to keep them off the new in a pinch. Then I can still access updates. As physical users created on the Terminal Server which they are RDP'ing into, they are set as "Guests" so outside of viewing files, that should be all they are capable of. I have their User Account set up to restrict access to all but the one folder I need for them so I dont think security of the rest of the files is an issue.

Just basically seeing if the way that I have it set up had any major holes in it to expose. Granted there isn't a whole lot to go off of above but general theory is always appreciated as well.

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
If you only have a single subnet, I don't see any glaring problems with this. Keep in mind, if you have multiple subnets (e.g. multiple offices over a WAN) and you or anyone else ever needs to access the server from another subnet, you won't be able to directly. You would need to connect to another system on the same subnet as the server and then access it from there. Also, if you don't have a patch management solution in place (e.g. WSUS) and rely solely on Automatic Updates, this server will never be patched.

---------------------------------------
Bob Beck
Systems Administrator
 
Single subnet and working towards a WSUS solution.

Thank you all for the info!

Learning - A never ending quest for knowledge usually attained by being thrown in a situation and told to fix it NOW.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top