Welcome to ISAserver.org
Secure RDP publishing

Secure RDP publishing - 3.Dec.2006 6:32:48 PM   
patos (Posts: 34, Joined: 13.Oct.2006, Status: offline)
Is there a way to securely publish a TS machine in ISA 2006? The MS documents say: "With ISA Server 2006, you can more securely publish Windows Server 2003 Terminal Server using SSL technology." (http://www.microsoft.com/isaserver/prodinfo/features.mspx)

In what way can an ISA 2006 do this? How does that differ from other firewalls?

I'm aware that 2003 SP1 supports SSL for RDP, and I've tried it, and it works well, except that anyone can still try to connect using username/password.

I've read Shinder's suggestion on publishing a TSweb and publishing a rule allowing port 3389 to your TS, but I don't see the point with the webpage. A user with a client could just connect directly to the published TS, right? Or did I miss something?

What I would like is to make a publishing rule that authenticates the user BEFORE gaining access to the RDP itself, sort of like a web publishing rule can do (pre-authentication in the ISA server). Is that even possible, or is the feature info on ISA 2006 a bit "spiced up"? =)

Regards

/Patric
Post #: 1
RE: Secure RDP publishing - 7.Dec.2006 7:34:26 PM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas, Status: offline)
Hi Patric,

Spice.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to patos)
Post #: 2
RE: Secure RDP publishing - 1.Jan.2007 10:17:41 PM   
Sunny.C (Posts: 801, Joined: 5.Apr.2005, From: sydney, Status: offline)
Hey Tom,

How can you get SSL OWA and Terminal SSL working at the same time on ISA 2006?
I created certificates and imported them to ISA, but how do you configure the listener?

Regards,
Sunny.C

(in reply to tshinder)
Post #: 3
RE: Secure RDP publishing - 2.Jan.2007 10:59:58 AM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas, Status: offline)
What's "terminal SSL"?

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Sunny.C)
Post #: 4
RE: Secure RDP publishing - 2.Jan.2007 11:00:25 AM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium, Status: offline)
Hi Sunny,

What do you mean with Terminal SSL? Assuming you mean http://support.microsoft.com/kb/895433, then keep in mind that SSL/TLS is *not* the same as HTTPS. In this case the protocol is still RDP but protected by TLS. In other words, you're still stuck with a server publishing rule and therefore no pre-authentication at the ISA is possible.

However, keep an eye open for TS Gateway in Longhorn. This uses the same technology as Outlook Anywhere, that means RPC/HTTPS. For more info, check out http://www.microsoft.com/windowsserver/longhorn/default.mspx.

HTH,
Stefaan

(in reply to Sunny.C)
Post #: 5
RE: Secure RDP publishing - 2.Jan.2007 4:52:06 PM   
Sunny.C (Posts: 801, Joined: 5.Apr.2005, From: sydney, Status: offline)
Yes, I meant Terminal Server access using TLS.
My question is: if both the OWA and TS are both listening for port 443 requests,
how do you separate the two?
I can not get it working as both listeners need to publish different public names,
such as ts.domain.com and mail.domain.com.
How do you get around this?

(in reply to spouseele)
Post #: 6
RE: Secure RDP publishing - 2.Jan.2007 5:04:15 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium, Status: offline)
Hi Sunny,

Even if you use TLS to authenticate the server, the protocol used is still RDP, therefore TCP port 3389 by default.

HTH,
Stefaan

(in reply to Sunny.C)
Post #: 7
RE: Secure RDP publishing - 2.Jan.2007 5:27:30 PM   
Sunny.C (Posts: 801, Joined: 5.Apr.2005, From: sydney, Status: offline)
So what access do you recommend?
I don't think it is possible to get both SSL OWA and TS working at the same time because of the certificates that need to go with the listener. Is this right?
What do you suggest I can do to secure TS?

(in reply to spouseele)
Post #: 8
RE: Secure RDP publishing - 2.Jan.2007 5:41:57 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium, Status: offline)
Hi Sunny,

As said before, you have to use a server publishing rule! So, no web listener and certificate on ISA are needed at all.

HTH,
Stefaan

(in reply to Sunny.C)
Post #: 9
RE: Secure RDP publishing - 2.Jan.2007 6:44:40 PM   
Sunny.C (Posts: 801, Joined: 5.Apr.2005, From: sydney, Status: offline)
If I do it that way then that would mean that it's insecure.
What can I do to harden it up besides changing ports and having a restricted access list? Is there a way of securing it using accounts?

(in reply to spouseele)
Post #: 10
RE: Secure RDP publishing - 3.Jan.2007 2:20:45 AM   
patos (Posts: 34, Joined: 13.Oct.2006, Status: offline)
I believe you're asking if there is a way to make a more secure publish of a TS than standard "port forwarding", and I'm afraid the answer is no. ISA 2006 does not offer anything special when it comes to publishing a TS, I'm afraid (which was my original question in this thread). MS has been a bit overenthusiastic when mentioning this in their "what's new" sections about ISA 2006.

It is possible for the client, however, to require pre-authentication (the TLS thing you've probably been reading about), but this is just to make sure that the server you are connecting to really is the correct server. So it's not a server-side security feature, so to speak.

I really hope that the secure gateway feature will be released for 2003 as well, but I doubt it.

R
/Patric

(in reply to Sunny.C)
Post #: 11
RE: Secure RDP publishing - 3.Jan.2007 2:27:53 AM   
Sunny.C (Posts: 801, Joined: 5.Apr.2005, From: sydney, Status: offline)
Hmmm, so I guess the only thing we can do to tighten the security a little is change ports and keep a tight access list.
Tom?

(in reply to patos)
Post #: 12
RE: Secure RDP publishing - 3.Jan.2007 3:41:33 PM   
spouseele (Posts: 12830, Joined: 1.Jun.2001, From: Belgium, Status: offline)
Hi Sunny,

Changing the default RDP port won't help you much because that is security through obscurity!

The best way to protect the access is to use a VPN technology. If that isn't possible, then the second best option is to enforce TLS and require SmartCard logon on the TS.

HTH,
Stefaan

(in reply to Sunny.C)
Post #: 13
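Stefaan's point across posts #5, #7 and #13 is that TLS on the RDP listener protects the transport and the server's identity but gives no pre-authentication at the ISA, so what is left is to enforce TLS with strong encryption on the Terminal Server itself and to require smart card logon for the accounts that use it. The PowerShell below is an added example, not code from this thread, from ISAserver.org or from Microsoft; it reports whether a Terminal Server's RDP-Tcp listener and a given domain account are configured that way. It assumes it runs on the TS (or a domain-joined machine for the account check) with rights to read the registry and Active Directory. The registry value names and the userAccountControl bit are the documented ones; the thresholds it treats as "hardened" and the account name it queries are this example's own choices, and UserAuthentication (Network Level Authentication) only exists on Vista/2008 and later, so on a 2003 TS it simply reports as not set.

```powershell
# Added example, not from the thread: report whether the RDP-Tcp listener on a
# Terminal Server matches the hardening recommended above (TLS enforced,
# strong encryption) and whether a given account has "Smart card is required
# for interactive logon" set. Run on the TS with administrative rights.

$rdpTcpPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListenerValue {
    param([string]$Name)
    # Returns $null when the value is absent so the report does not guess at a default
    $item = Get-ItemProperty -Path $rdpTcpPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-RdpListenerHardening {
    # SecurityLayer: 0 = RDP security layer only, 1 = negotiate, 2 = TLS required
    $securityLayer = Get-RdpListenerValue -Name 'SecurityLayer'
    # MinEncryptionLevel: 1 = low, 2 = client compatible, 3 = high (128-bit), 4 = FIPS
    $minEncryption = Get-RdpListenerValue -Name 'MinEncryptionLevel'
    # UserAuthentication: 1 = Network Level Authentication required (Vista/2008 and later; absent on 2003)
    $nla = Get-RdpListenerValue -Name 'UserAuthentication'

    $findings = @()
    if ($securityLayer -ne 2) {
        $findings += "SecurityLayer=${securityLayer} - legacy RDP security layer still accepted; set to 2 to require TLS"
    }
    if ($null -eq $minEncryption -or $minEncryption -lt 3) {
        $findings += "MinEncryptionLevel=${minEncryption} - set to 3 (High) or 4 (FIPS)"
    }
    if ($nla -ne 1) {
        $findings += "UserAuthentication=${nla} - NLA not required (only available on Vista/2008 and later)"
    }

    New-Object -TypeName PSObject -Property @{
        SecurityLayer      = $securityLayer
        MinEncryptionLevel = $minEncryption
        UserAuthentication = $nla
        Hardened           = ($findings.Count -eq 0)
        Findings           = $findings
    }
}

function Test-SmartCardRequired {
    # True when the account's userAccountControl carries ADS_UF_SMARTCARD_REQUIRED (0x40000):
    # Windows then refuses interactive logon with a password for this account, which is what
    # "require SmartCard logon on the TS" amounts to per user.
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }   # account not found in the current domain
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    return (($uac -band 0x40000) -ne 0)
}

Test-RdpListenerHardening | Format-List
# 'store01' is a placeholder account name chosen for this example
Test-SmartCardRequired -SamAccountName 'store01'
```

The listener check reads the live registry values rather than Group Policy, so it reflects what the listener is actually doing after any policy has applied; a machine that is "hardened" by this report still has no pre-authentication in front of port 3389, which is why the VPN option in post #13 remains the stronger one.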
RE: Secure RDP publishing - 5.Jan.2007 1:29:48 AM   
Sunny.C (Posts: 801, Joined: 5.Apr.2005, From: sydney, Status: offline)
Hmmm, I was thinking more along the VPN line, but I think it will be too hard for my users as they are all retail stores with young females.

(in reply to spouseele)
Post #: 14
RE: Secure RDP publishing - 7.Jan.2007 9:18:24 AM   
tshinder (Posts: 50013, Joined: 10.Jan.2001, From: Texas, Status: offline)
If there's a way to accomplish what you need to do without RDP, I'd recommend that. RDP is the worst solution, from a security standpoint, possible.

Think about it -- you've given complete machine access to anyone who can log on -- not just a service or an exec, but the entire machine. Ug.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Sunny.C)
Post #: 15
RE: Secure RDP publishing - 7.Jan.2007 4:43:18 PM   
Sunny.C (Posts: 801, Joined: 5.Apr.2005, From: sydney, Status: offline)
Yes, I am aware of the security risk, but that is what is wanted by the managers;
they have been using it that way for years and they don't want it changed.
I have enforced high-level passwords, changed ports and locked down the terminal server as much as I can.
I might see if I can talk them into using IPsec VPN before using RDP; that would be the best solution in this scenario, right?

(in reply to tshinder)
Post #: 16
