W2K Terminal Server Software Firewall

Anonymous
March 31, 2004 8:49:19 PM

Archived from groups: comp.security.firewalls (More info?)

I have a Windows 2000 Terminal Server sitting behind a Netscreen
firewall. We would like to allow a few specific inside machines
unrestricted access to the server and all the rest of the inside
machines to be allowed to connect with Remote Desktop (port 3389)
but not be able to open any outbound connections within that session.

The RDP users should not be able to copy any files on the server
to another location. Their profiles are set to not give them access to
their local drives within RDP client but they also need to be
blocked from originating outbound ftp, etc. It is okay for
them to print locally.

ZoneAlarm, etc. don't support servers. Black Ice does but
has some usability issues. IPSec doesn't let me block applications
wanting outbound connections does it? Any recommendations?

Thanks
March 31, 2004 10:27:49 PM

I guess I don't understand where the NetScreen comes into play here
since you mention only internal users. Actually, I don't think this is
even a firewall question. For godsakes, don't put a consumer-grade
software firewall on a terminal server.

If you want to go the FW route, the obvious (but expensive) option is
to install MS ISA server, which can implement firewall policies on a
per-user basis. I think FW-1 can do this too, but it's been a while, I
don't quite remember. There might be other firewalls that integrate
with AD, but I don't know of them.

Beyond something like that, I don't think you're going to be able to
selectively apply a policy like that on a per-user basis. So, you'd
almost have to find an AD-aware, firewall-like product since TCP
filtering and adjusting routing is done per-machine.

If I were you, I would lock things down as tightly as I could using
the native AD policies. Configured properly, they are pretty powerful
and should suit your needs. If that is not good enough and you
absolutely must be able to discriminate on a per-user basis at the
network level, you should probably consider installing a second term
server to fill that role. Using a firewall to fit this need is like
using a screwdriver as a hammer.

Solution #2: Activate TCP port filtering on the NIC to only

tcheney@soda.pop.upenn.edu (Timothy P. Cheney) wrote in message news:<c4esqf$enmi$1@netnews.upenn.edu>...
> I have a Windows 2000 Terminal Server sitting behind a Netscreen
> firewall. We would like to allow a few specific inside machines
> unrestricted access to the server and all the rest of the inside
> machines to be allowed to connect with Remote Desktop (port 3389)
> but not be able to open any outbound connections within that session.
>
> The RDP users should not be able to copy any files on the server
> to another location. Their profiles are set to not give them access to
> their local drives within RDP client but they also need to be
> blocked from originating outbound ftp, etc. It is okay for
> them to print locally.
>
> ZoneAlarm, etc. don't support servers. Black Ice does but
> has some usability issues. IPSec doesn't let me block applications
> wanting outbound connections does it? Any recommendations?
>
> Thanks
Anonymous
April 1, 2004 4:22:42 AM

> IPSec doesn't let me block applications
> wanting outbound connections does it? Any recommendations?

No, IPsec doesn't have application control.

But in the link, I know I saw some standalone application that did
application control using a baseline of the machine like BI does. You'll
have to look for it. I think I did see something along those lines. That
utility along with IPsec may do the job for you.

If you find that utility post back with a link. :) 

http://www.snapfiles.com/freeware/freeware.html

Duane :) 
Anonymous
April 2, 2004 7:31:56 AM

Jamie (qaz_guy@yahoo.com) wrote:
: I guess I don't understand where the NetScreen comes into play here
: since you mention only internal users. Actually, I don't think this is
: even a firewall question. For godsakes, don't put a consumer-grade
: software firewall on a terminal server.

I left it vague where the Netscreen comes in because the whole
environment is kinda hairy. You have this organizational hierarchy
University>School>Dept>Project.

University: Runs the network which is wide open. Does not provide
firewalling at the gateway and will not let you do it yourself.
Their cost recovery is based on how many static IP addresses you
are allocated. Coincidentally they ban you from hooking up any
kind of NAT server.

School: Has its own domain

Department: Only way to firewall is to huddle the servers in a room
and attach the Netscreen to a wall port on the switched ethernet network.
The users of these servers have their own machines, which sit
outside on the wide-open network. Needless to say, many of these users
have local admin rights on their own machines.

Project: Has a terminal server to be used by 5-10 users.
It does not belong to the domain. User accounts are to
be created separately.

: If you want to go the FW route, the obvious (but expensive) option is
: to install MS ISA server, which can implement firewall policies on a
: per-user basis. I think FW-1 can do this too, but it's been a while, I
: don't quite remember. There might be other firewalls that integrate
: with AD, but I don't know of them.

I will look into AD. I can configure specific accounts to allow
mapping of local drives in the RDP client and others not to.
That in combination with using IPSec to allow nothing but Terminal
Services and DNS client seems to allow me to create the desired
environment where users can log on and use files and the server but
not be able to copy them to any other location on the network unless
that account is enabled to do so with local drives in RDP.

If this approach works then I will look into a small hardware firewall
that can be configured the same way to dedicate to this server.

Thanks for the suggestions.
Cheers,
Tim
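The host policy Tim settles on above (permit inbound Terminal Services on TCP 3389, permit the DNS client outbound, leave a few named inside machines unrestricted, block everything else) modelled as an added example that is not part of the thread. It reproduces the Windows IPsec rule that the most specific matching filter wins regardless of rule order, uses constructed addresses, and assumes ties between equally specific filters go to block; it also makes Jamie's point concrete, since nothing in the policy can see which user started a connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses for the example (not from the thread).
DNS_SERVER = ip_network("10.20.1.53/32")
TRUSTED_HOSTS = [ip_network("10.20.30.101/32"), ip_network("10.20.30.102/32")]

@dataclass(frozen=True)
class Filter:
    name: str
    action: str                          # "permit" or "block"
    direction: Optional[str] = None      # "in" (to the server) / "out" / None = any
    remote: Optional[object] = None      # ip_network of the other host, None = any
    proto: Optional[str] = None          # "tcp" / "udp" / None = any
    local_port: Optional[int] = None     # port on the terminal server
    remote_port: Optional[int] = None    # port on the other host

    def matches(self, pkt: dict) -> bool:
        return ((self.direction is None or self.direction == pkt["direction"])
                and (self.remote is None or ip_address(pkt["remote"]) in self.remote)
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.local_port is None or self.local_port == pkt["local_port"])
                and (self.remote_port is None or self.remote_port == pkt["remote_port"]))

    @property
    def specificity(self) -> int:
        # Approximation of the IPsec weighting: the more fields pinned down, the
        # more specific the filter, and the more specific filter takes precedence.
        return sum(f is not None for f in (self.direction, self.remote, self.proto,
                                           self.local_port, self.remote_port))

POLICY = [
    Filter("block everything else", "block"),
    Filter("terminal services from inside", "permit", direction="in", proto="tcp", local_port=3389),
    Filter("dns client", "permit", direction="out", remote=DNS_SERVER, proto="udp", remote_port=53),
] + [Filter(f"trusted host {h.network_address}", "permit", remote=h) for h in TRUSTED_HOSTS]

def decide(pkt: dict) -> str:
    """Judge the first packet of a flow; replies ride on the mirrored filter in
    real IPsec, so only the initiating direction is modelled here."""
    hits = [f for f in POLICY if f.matches(pkt)]          # block-all always hits
    best = max(f.specificity for f in hits)
    actions = {f.action for f in hits if f.specificity == best}
    return "block" if "block" in actions else "permit"    # assumed tie-break: block

def flow(direction: str, remote: str, proto: str, local_port: int, remote_port: int) -> dict:
    # Note there is no user field: an FTP session started inside an RDP session
    # is judged purely by addresses and ports, which is why this is per-machine.
    return dict(direction=direction, remote=remote, proto=proto,
                local_port=local_port, remote_port=remote_port)
```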