Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Securing Remote Desktop
- Thread starter derajer
- Start date
I believe you can do this on the local server by ipsec filtering. It's been a while since I've messed with 2003 Server, so bear with me. In the local security policy of the server, you should have an IPsec setting (if you are using gpedit.msc, it would be much better). You may want to look at this article....
You're probably not exposed to the internet anyway. I can't imagine a company with all their workstations directly attached to the internet without some form of security.
In the event you are on a LAN where every workstation has an internet address, just enable the firewall and deny any traffic from IPs outside your range.
WhoKilledKenny
MIS
You can have your network team create an ACL only allowing your IP Address to communicate via port 3389 to your Data Center subnet. By default, remote access only allows local administrator to access the machine via RDP. The default should be secure enough depending on who the local and domain admins are...
- Thread starter
- #8
Sorry, I forgot about this thread due to recent problems here.
A couple of things that I should have made clearer
1. I am the entire IT dept for a relatively small but very complex conglomerate
2. The server provides quite a few unique services so it sits on the DMZ
A couple of things that I should have made clearer
1. I am the entire IT dept for a relatively small but very complex conglomerate
2. The server provides quite a few unique services so it sits on the DMZ
The second article I pointed you to should help you out immensely. One more thing that you can do is change the listening port, which will help you keep prying eyes away. Here is a link that explains how to change it.
If I remember correctly, this is the same for 2003 as it is 2000. When connecting via Remote Desktop Client (RDC), you will need to have the IP (or FQDN) followed by a : and the "new" port number (ie., 192.168.0.1:3390).
If I remember correctly, this is the same for 2003 as it is 2000. When connecting via Remote Desktop Client (RDC), you will need to have the IP (or FQDN) followed by a : and the "new" port number (ie., 192.168.0.1:3390).
If the server is in the DMZ, then the main thing you'll need to do is tell your clients how to get to the machine in the DMZ. Depending on how your firewall is configured, just having the inside interface's IP address as your default gateway should do the trick. However, I've had situations where that was not adequate. If you're unable to reach the machine this may be the case. Remedy with a route statement.
example environment:
inside subnet: 10.0.1.0/24
inside firewall interface IP: 10.0.1.1
dmz subnet: 10.0.2.0/24
example command: (Win32 machines)
route add 10.0.2.0 mask 255.255.255.0 10.0.1.1
There's also the possibility that your DMZ does not trust your inside interface. In which case you will have to poke a hole through from your inside interface to to DMZ for the RDP port 3389 (TCP). Also, make sure none of your PCs built in firewalls are blocking this communication.
- Status
Similar threads
- Locked
- Question
- Locked
- Question
- Locked
- Question