Terminal Service without VPN?

Status
Not open for further replies.

ABCRich (MIS, US), Apr 10, 2001
Currently we are running Terminal Services over a VPN. Someone told me I can just forward a port on my router and run Terminal Services without starting the VPN. This would eliminate a step for my users, which is always good.

Is this possible? How? What port? Are there any security risks I should know about if I do this? Is anyone else doing this and if so, does it work OK?

Thanks in advance.

Rich
 
Yes, it works quite well.. Just forward RDP port (I think 3396) to your server. I have run a TS Server on W2KS for 1 month now with little to no trouble.


Cryptospy
 
why would you want to get rid of VPN ? Isn't security an issue at your company ?
If your users only have to do 1 additional step, then they should do that one single step.... don't take the risk !

I have not failed, I just found 10000 ways that don't work

Peter Van Eeckhoutte
peter.ve@pandora.be

Did this post help ? Click below to let me know ;-)
 
Part of my question is whether or not there are additional security risks. Can you give me some examples.

We've found that the Terminal Services runs much more reliably without the VPN. It also eliminates the extra step.

Thanks to everyone above for the port information. It works great!
 
allowing straight RDP = allowing access to the outside world to a terminal session.. all they need is a name & password to log on to the session...
Also, are you sure RDP is 100% secure ?
Have you done tests with network monitor to check the RDP traffic ?
You might want to check Microsoft website to see if there are any hotfixes/patches for Terminal services (maybe there are memory leaks / bugs that allow DoS attacks...)

What kind of VPN are you using ?

I have not failed, I just found 10000 ways that don't work

Peter Van Eeckhoutte
peter.ve@pandora.be

 
Security & RDP

As of yet, Microsoft has not released any articles regarding any security flaws, other than the fact someone could flood the RDP port with requests, thus bringing your computer to a halt. It does not compromise the data on the server (according to MS). Now, yes, if a hacker had a U/N / P/W they could do anything the user could. But that is no different than them finding a VPN connection listening and attaching to that with a UN/PW. If the right policies are adhered to, I feel a RDP server is just as safe/vulnerable as a VPN Server and that the extra step to log onto a VPN, if it doesn't provide any additional services, is kind of pointless. From what I have found, either a VPN or a Thinnet Client will work for certain applications, and usually one will work better than the other. PPTP is 128bit Encryption, so is RDP w/ the 128Bit Encryption pack.

Conclusion, no, you are not gaining anything by VPNing.

Cryptospy
 
that is absolutely NOT correct
1. you can protect your VPN with EAP (smart cards, certificates). This is not just a u/n and p/w
and even if you want to protect the VPN with just a u/n and p/w, you can make sure that both usernames & passwords (the one for setting up the VPN and the one for running the Terminal Service are different.)
2. flooding the RDP port = DoS = Terminal Services unavailable
(patch : and
But, if you people believe that security isn't a big deal, then why bother asking ? Obviously none of you is concerned about this...

good luck anyway

I have not failed, I just found 10000 ways that don't work

Peter Van Eeckhoutte
peter.ve@pandora.be

 
I have to agree with you, Peter. RDP as it stands is unencrypted data, and is pretty easy to trap and decode.

Even Citrix MetaFrame, at its most basic, is crackable within a few minutes. Which is why I always use SecureICA.

CE
 
that is 100% correct !

I have not failed, I just found 10000 ways that don't work

Peter Van Eeckhoutte
peter.ve@pandora.be

 
I have an issue similar to this, we have a 2000 Terminal Server at work, with two network adapters, 1 is the LAN 1 is the internet. We run terminal server on this machine purely for admin purposes. Obviously we want only to have access to terminal server on the lan. Problem is I can still terminal session onto the server from home using just a connection to the internet and terminal server client. To get the ip address all I had to do was ping our domain name.

How do I stop terminal server sessions working in this way, so that it is only accepted on the lan?

Any help would be greatly appreciated, and would make me shine in the eyes of my boss

Thanks in advance

Grabrail
 
set up some sort of firewall software on that server, let it block port 3389 (and all the other unnecessary ports), -> only allow VPN ports

Then, set up VPN server, connect to the VPN server (you will be assigned an IP address of your internal network), and then connect to the internal network card of your server using the terminal server client... I run it like this on many servers and it works fine

I have not failed, I just found 10000 ways that don't work

Peter Van Eeckhoutte
peter.ve@pandora.be

 
RDP is in fact 128 Bit encrypted Data with the Windows 2000 128Bit Encryption pack. The next time you are connected to a properly setup server, click the help in that connection window and read the cipher strength.

As for the guy that can connect to his Terminal Server from home, obviously your computer is NOT behind any kind of firewall. I'm wondering if your LAN is exposed as well. I would recommend some sort of NAT gateway, and should you need any services exposed, just map the ports through to the appropriate server.

I am well aware of the DoS attack, but frankly, not even a VPN will help you there. DoS are just brute amounts of data being thrown at you. Only filtering will prevent some attacks.

I hope this clears some things up.

Cryptospy
 
Salute
This is EXACTLY what I want to do!
Set up terminal services on a Win2k Server (standalone in an NT 4 network). I don't want to use VPN; I want to use the TS Client from outside via the internet, not the WEB.
What steps should I follow? Please help me!
Thanks IN Advance
 
If you want to get rid of VPN or just not implement, you can get your firewall to only allow port 3389 into the LAN directed to the TS but only from specific IP addresses ie your remote sites.

Then they'd need to IP spoof your remote site and have username and password.
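The two situations above (a two-NIC server that should only accept Terminal Services on the LAN side, and a firewall that admits port 3389 only from specific remote-site addresses) both reduce to one check: did an RDP connection arrive on an interface from a source that the policy does not allow? The script below is an added example, not code from this thread or from any product; the record format, interface names and address ranges are assumptions, and it could be pointed at real firewall or connection logs by replacing `parse_record`.

```python
"""Audit RDP (TCP 3389) connections against a per-interface source policy.
Constructed example, not code from the thread or any product; the record
format and the address ranges are placeholders for illustration."""
import ipaddress

RDP_PORT = 3389

# Assumed policy: the LAN interface accepts RDP only from the internal subnet;
# the internet interface only from the remote site allowed on the firewall.
POLICY = {
    "lan": [ipaddress.ip_network("192.168.1.0/24")],
    "internet": [ipaddress.ip_network("203.0.113.10/32")],
}

def is_permitted(iface, src_ip, dst_port):
    """True if the connection is allowed by POLICY; non-RDP traffic is ignored."""
    if dst_port != RDP_PORT:
        return True
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in POLICY.get(iface, []))

def parse_record(line):
    """Parse 'iface src_ip src_port dst_ip dst_port' (constructed format)."""
    iface, src, _sport, dst, dport = line.split()
    return {"iface": iface, "src": src, "dst": dst, "dport": int(dport)}

def find_violations(lines):
    """Return (iface, src_ip) pairs for RDP connections that violate POLICY."""
    bad = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blanks and the header comment
        rec = parse_record(line)
        if not is_permitted(rec["iface"], rec["src"], rec["dport"]):
            bad.append((rec["iface"], rec["src"]))
    return bad

# Constructed sample records, not real log data.
SAMPLE = [
    "# iface src_ip src_port dst_ip dst_port",
    "lan 192.168.1.25 51012 192.168.1.5 3389",        # LAN user: allowed
    "internet 203.0.113.10 40021 198.51.100.7 3389",  # allowed remote site
    "internet 198.51.100.99 40022 198.51.100.7 3389", # unknown source: exposed
    "internet 198.51.100.99 40023 198.51.100.7 80",   # not RDP: ignored
]

if __name__ == "__main__":
    for iface, src in find_violations(SAMPLE):
        print(f"RDP accepted on {iface} interface from unapproved source {src}")
```

A hit on the internet interface from an address outside the allowlist means the firewall or host filter is not enforcing the intended rule, which is the condition the two posts above are trying to rule out.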
 
I don't have a FIREWALL!..only MSPROXY2..so what to do now?
please bear with me!..I am new to this!
 
BUY A FIREWALL!!!

If you don't have a firewall you are seriously asking for trouble.
 
I have a similar problem. I am running Windows 2000 Terminal Server and I am attempting to connect via the internet to a terminal server behind a Raptor Firewall.

I have the port forwarded to the IP of the termserv. However, when I try to connect outside, I cannot. I see in the logs it says the IP was forwarded to the IP then
Deny rule (Default rule). I do not see any rules explicitly denying this. Any ideas?
