RE: terminal server

From: Sergey V. Gordeychik (gordey_at_infosec.ru)
Date: 01/30/04


Date: Fri, 30 Jan 2004 18:27:17 +0300
To: "Dominique Hoffman" <hoffmand@calib.com>, "Al Morro" <morroa@calib.com>, "Len Parkhurst" <len@calib.com>

Hi. Terminal Server is one of the harder things to harden :-)
You can find a good start here:

http://www.nsa.gov/snac/win2k/guides/w2k-19.pdf

Some additional recommendations (quote from
http://infosec.uninet.edu/infosec2003/talk/offtopic-20030618.html)

"We will do some additional settings to deny users access to MSGINA.DLL
(to prevent DoS) and access to networking and administrative utilities.

We can limit access to wininet.dll, wsock32.dll, ws2_32.dll &
netapi.dll.
To allow only selected applications to work we will place copies of
these DLLs in application directories (we should take care with
explorer.exe, because it requires these DLLs, but the best solution is to
set Internet Explorer, iexplore.exe, as a start application).
In addition, we have to secure user profiles to deny file execution
from these directories (.lnk files in the Start menu and on the desktop
need no Execute permission to work).
This will prevent accidental launch of untrusted executables by the user.
Next, we should grant "Logon Locally" and "Access this computer from
Network" rights only to users who actually need this access."

In W2K3 you can use Software Restriction Policies to prevent the launch
of untrusted executables.

Etc... etc.. etc...

-----Original Message-----
From: Dominique Hoffman [mailto:hoffmand@calib.com]
Sent: Thursday, January 29, 2004 1:10 AM
To: Al Morro; Len Parkhurst
Subject: terminal server

Hi,

My company needs to implement a remote access solution for our users.
Our windows admins want to implement Microsoft Win. Terminal server
2003. Does anyone know how safe this is and/or any documentation out
there or white paper about MS Term. Server security? and if not, what
would be an appropriate solution to enable our users to access our
network without getting a pricey VPN suite.

Appreciate any feedback.

Thank you.

Dom.
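
The profile lockdown described in the quoted recommendations, as an added example that is not part of the original e-mail or of the quoted talk. It assumes a current PowerShell host; the profile path is a hypothetical placeholder, and using the built-in Remote Desktop Users group as the restricted principal is an assumption.

```powershell
# Added example: deny file execution below a user profile directory.
# Run from an elevated session. Path and principal below are assumptions.
$ProfilePath = 'C:\Users\tsuser1'                # hypothetical profile directory
$Principal   = 'BUILTIN\Remote Desktop Users'    # assumed group of terminal users

$Rights    = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
# ObjectInherit + InheritOnly = "files only": the ACE lands on files in this
# folder and its subfolders, not on the folders themselves, where the same
# permission bit means Traverse.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$Propagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$Deny      = [System.Security.AccessControl.AccessControlType]::Deny

function Add-NoExecuteRule {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Identity, $Rights, $Inherit, $Propagate, $Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Test-NoExecuteRule {
    # True when the directory carries an explicit or inherited deny ACE for
    # ExecuteFile that is inherited by files and names the given identity.
    param([string]$Path, [string]$Identity)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq $Deny -and
            $ace.IdentityReference.Value -eq $Identity -and
            (($ace.FileSystemRights -band $Rights) -eq $Rights) -and
            (($ace.InheritanceFlags -band $Inherit) -eq $Inherit)) {
            return $true
        }
    }
    return $false
}

if (-not (Test-Path -Path $ProfilePath -PathType Container)) {
    throw "Profile directory not found: $ProfilePath"
}
if (-not (Test-NoExecuteRule -Path $ProfilePath -Identity $Principal)) {
    Add-NoExecuteRule -Path $ProfilePath -Identity $Principal
}
# Report the result; files whose ACL has inheritance disabled are not covered
# by this ACE and have to be reviewed separately.
"{0}: no-execute rule present = {1}" -f $ProfilePath,
    (Test-NoExecuteRule -Path $ProfilePath -Identity $Principal)
```

A deny ACE also applies to administrators who are members of the chosen group, so pick a principal that contains only the terminal users.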
