Focus on Microsoft
RE: terminal server Jan 30 2004 03:27PM
Sergey V. Gordeychik (gordey infosec ru)
Hi. Terminal Server is one of the harder things to harden :-)
A good start you can find here:

http://www.nsa.gov/snac/win2k/guides/w2k-19.pdf

Some additional recommendations (quote from
http://infosec.uninet.edu/infosec2003/talk/offtopic-20030618.html)

"We will do some additional settings to deny users access to MSGINA.DLL
(to prevent DoS) and access to networking and administrative utilities.

We can limit access to wininet.dll, wsock32.dll, ws2_32.dll &
netapi.dll.
To allow only selected applications to work we will place copies of
these DLLs in application directories (we should care about
explorer.exe, because it requires these DLLs, but the best solution is to
set Internet Explorer, iexplore.exe, as a start application).
In addition, we have to secure user profiles to deny file execution
from these directories (.lnk files in the Start menu and on the desktop
need no Execute permission to work).
This will prevent accidental launch of untrusted executables by the user.
Next, we should grant "Logon Locally" and "Access this computer from
Network" rights only to users who actually need this access."

In W2K3 you can use Software Restriction Policies to prevent the launch
of untrusted executables.

Etc... etc.. etc...

-----Original Message-----
From: Dominique Hoffman [mailto:hoffmand (at) calib (dot) com]
Sent: Thursday, January 29, 2004 1:10 AM
To: Al Morro; Len Parkhurst
Subject: terminal server

Hi,

My company needs to implement a remote access solution for our users.
Our Windows admins want to implement Microsoft Win. Terminal Server
2003. Does anyone know how safe this is and/or any documentation out
there or white paper about MS Term. Server security? And if not, what
would be an appropriate solution to enable our users to access our
network without getting a pricey VPN suite.

Appreciate any feedback.

Thank you.

Dom.
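
The DLL access restriction quoted in the reply above can be checked with a read-only audit. This is an added example, not part of the original thread; it assumes the DLLs sit in %SystemRoot%\System32, uses the file names exactly as the post gives them, and the list of administrative principals is an assumption to adjust per environment.

```powershell
# Added example: list non-administrative principals that hold an Allow ACE
# with execute rights on the DLLs named in the post. It changes no ACLs.
$dllNames = 'msgina.dll', 'wininet.dll', 'wsock32.dll', 'ws2_32.dll', 'netapi.dll'
$system32 = Join-Path $env:SystemRoot 'System32'   # assumed location

# Principals treated as administrative (assumption, adjust as needed).
$adminPrincipals = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
                   'NT SERVICE\TrustedInstaller'

# Execute can be granted as FILE_EXECUTE (0x20) or through the generic
# bits GENERIC_EXECUTE (0x20000000) and GENERIC_ALL (0x10000000).
$executeMask = 0x20 -bor 0x20000000 -bor 0x10000000

function Get-ExecuteGrant {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Report missing files instead of failing, so the run covers every name.
        return [pscustomobject]@{ Path = $Path; Identity = $null; Rights = 'file not found' }
    }

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        $isAllow = $ace.AccessControlType -eq
                   [System.Security.AccessControl.AccessControlType]::Allow
        $canExec = (([int]$ace.FileSystemRights) -band $executeMask) -ne 0
        $isAdmin = $adminPrincipals -contains $ace.IdentityReference.Value

        if ($isAllow -and $canExec -and -not $isAdmin) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# One row per (file, principal) pair that can still execute the DLL.
$dllNames |
    ForEach-Object { Get-ExecuteGrant -Path (Join-Path $system32 $_) } |
    Format-Table -AutoSize
```

The report lists Allow entries only; effective access also depends on Deny entries and group membership, so treat each row as a candidate to review rather than a confirmed exposure.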

Copyright 2008, SecurityFocus