W2K Terminal Server Software Firewall

Archived from groups: comp.security.firewalls

I have a Windows 2000 Terminal Server sitting behind a Netscreen
firewall. We would like to allow a few specific inside machines
unrestricted access to the server and all the rest of the inside
machines be allowed to connect with Remote Desktop (port 3389)
but not be able to open any outbound connections within that session.

The RDP users should not be able to copy any files on the server
to another location. Their profiles are set to not give them access to
their local drives within RDP client but they also need to be
blocked from originating outbound ftp, etc. It is okay for
them to print locally.

ZoneAlarm, etc. don't support servers. Black Ice does but
has some usability issues. IPSec doesn't let me block applications
wanting outbound connections does it? Any recommendations?

Thanks
  1. Archived from groups: comp.security.firewalls

    I guess I don't understand where the NetScreen comes into play here
    since you mention only internal users. Actually, I don't think this is
    even a firewall question. For God's sake, don't put a consumer-grade
    software firewall on a terminal server.

    If you want to go the FW route, the obvious (but expensive) option is
    to install MS ISA server, which can implement firewall policies on a
    per-user basis. I think FW-1 can do this too, but it's been a while, I
    don't quite remember. There might be other firewalls that integrate
    with AD, but I don't know of them.

    Beyond something like that, I don't think you're going to be able to
    selectively apply a policy like that on a per-user basis. So, you'd
    almost have to find an AD-aware, firewall-like product, since TCP
    filtering and adjusting routing is done per-machine.

    If I were you, I would lock things down as tightly as I could using
    the native AD policies. Configured properly, they are pretty powerful
    and should suit your needs. If that is not good enough and you
    absolutely must be able to discriminate on a per-user basis at the
    network level, you should probably consider installing a second term
    server to fill that role. Using a firewall to fit this need is like
    using a screwdriver as a hammer.

    Solution #2: Activate TCP port filtering on the NIC to only

    tcheney@soda.pop.upenn.edu (Timothy P. Cheney) wrote in message news:<c4esqf$enmi$1@netnews.upenn.edu>...
    > I have a Windows 2000 Terminal Server sitting behind a Netscreen
    > firewall. We would like to allow a few specific inside machines
    > unrestricted access to the server and all the rest of the inside
    > machines be allowed to connect with Remote Desktop (port 3389)
    > but not be able to open any outbound connections within that session.
    >
    > The RDP users should not be able to copy any files on the server
    > to another location. Their profiles are set to not give them access to
    > their local drives within RDP client but they also need to be
    > blocked from originating outbound ftp, etc. It is okay for
    > them to print locally.
    >
    > ZoneAlarm, etc. don't support servers. Black Ice does but
    > has some usability issues. IPSec doesn't let me block applications
    > wanting outbound connections does it? Any recommendations?
    >
    > Thanks
  2. Archived from groups: comp.security.firewalls

    > IPSec doesn't let me block applications
    > wanting outbound connections does it? Any recommendations?

    No, IPsec doesn't have application control.

    But in the link, I know I saw some standalone application that did
    application control using a baseline of the machine like BI does. You'll
    have to look for it. I think I did see something along those lines. That
    utility along with IPsec may do the job for you.

    If you find that utility post back with a link. :)

    http://www.snapfiles.com/freeware/freeware.html

    Duane :)
  3. Archived from groups: comp.security.firewalls

    Jamie (qaz_guy@yahoo.com) wrote:
    : I guess I don't understand where the NetScreen comes into play here
    : since you mention only internal users. Actually, I don't think this is
    : even a firewall question. For godsakes, don't put a consumer-grade
    : software firewall on a terminal server.

    I left it vague where the Netscreen comes in because the whole
    environment is kinda hairy. You have this organizational hierarchy
    University>School>Dept>Project.

    University: Runs the network which is wide open. Does not provide
    firewalling at the gateway and will not let you do it yourself.
    Their cost recovery is based on how many static IP addresses you
    are allocated. Coincidentally, they ban you from hooking up any
    kind of NAT server.

    School: Has its own domain

    Department: The only way to firewall is to huddle the servers in a room
    and attach the Netscreen to a wall port on the switched ethernet network.
    The users of these servers have their own machines, which sit outside
    on the wide-open network. Needless to say, many of these users
    have local admin rights on their own machines.

    Project: Has a terminal server to be used by 5-10 users.
    It does not belong to the domain. User accounts are to
    be created separately.


    : If you want to go the FW route, the obvious (but expensive) option is
    : to install MS ISA server, which can implement firewall policies on a
    : per-user basis. I think FW-1 can do this too, but it's been a while, I
    : don't quite remember. There might be other firewalls that intergrate
    : with AD, but I don't know of them.

    I will look into AD. I can configure specific accounts to allow
    mapping of local drives in the RDP client and others not to.
    That in combination with using IPSec to allow nothing but Terminal
    Services and DNS client seems to allow me to create the desired
    environment where users can log on and use files and the server but
    not be able to copy them to any other location on the network unless
    that account is enabled to do so with local drives in RDP.

    If this approach works then I will look into a small hardware firewall
    that can be configured the same way to dedicate to this server.

    Thanks for the suggestions.
    Cheers,
    Tim
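
The policy Tim settles on above (RDP in from the department, everything in
from a few trusted machines, nothing out of the server except DNS, client
drive redirection off) can be expressed on a current Windows Server with the
built-in host firewall, which, unlike the Windows 2000 IPsec filters discussed
in the thread, can also filter per program and per local user. The following
is an added example written for this page, not code posted by any of the
participants; it assumes Windows Server 2012 R2 or later with the NetSecurity
cmdlets, an elevated shell, and constructed placeholder addresses (10.1.2.0/24
for the department, 10.1.2.10 and .11 for the unrestricted workstations,
10.1.0.53 for the resolver, 10.1.2.50 for a test FTP host). The SDDL string in
the per-user rule is the documented -LocalUser form with the well-known
BUILTIN\Administrators SID substituted in.

```powershell
# Added example: the thread's terminal-server policy on a modern Windows host
# firewall. Placeholder addresses are constructed for illustration.
$Dept      = '10.1.2.0/24'
$AdminPCs  = @('10.1.2.10', '10.1.2.11')
$DnsServer = '10.1.0.53'

# 1. Default-deny in both directions on every profile. The outbound block is
#    the piece that NIC port filtering or an inbound-only ACL never gives you.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Inbound: RDP from the whole department, everything from the admin PCs.
New-NetFirewallRule -DisplayName 'TS: RDP in from department' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $Dept -Action Allow
New-NetFirewallRule -DisplayName 'TS: unrestricted in from admin PCs' -Direction Inbound `
    -RemoteAddress $AdminPCs -Action Allow

# 3. Outbound: only DNS, and only to our resolver. Printer redirection needs no
#    rule because it rides inside the existing RDP session. Outbound FTP, SMB
#    to other hosts, HTTP and so on all fall to the default block.
New-NetFirewallRule -DisplayName 'TS: DNS out to resolver' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServer -Action Allow

# 4. The per-user exception the thread said a firewall could not express:
#    members of BUILTIN\Administrators (S-1-5-32-544) may open outbound FTP
#    control connections from their sessions; nobody else can.
New-NetFirewallRule -DisplayName 'TS: admins may FTP out' -Direction Outbound `
    -Protocol TCP -RemotePort 21 -LocalUser 'O:LSD:(A;;CC;;;S-1-5-32-544)' -Action Allow

# 5. Disable client drive redirection server-wide (fDisableCdm = 1) so RDP
#    users cannot drag server files back to their own machines.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name fDisableCdm -Value 1 -Type DWord

# 6. Verify: list the rules we created and confirm that an outbound FTP
#    attempt from an ordinary session is refused (TcpTestSucceeded = False).
Get-NetFirewallRule -DisplayName 'TS: *' | Format-Table DisplayName, Direction, Action
Test-NetConnection -ComputerName 10.1.2.50 -Port 21 | Select-Object TcpTestSucceeded
```

Two caveats when applying this. The server in the thread is not a domain
member, which is what makes a blanket outbound block workable; a domain-joined
host would additionally need outbound rules for Kerberos, LDAP and SMB to its
domain controllers, and for any update or licensing traffic. And the per-user
rule only constrains connections the user's own processes originate; it does
not stop a service running as SYSTEM from making the same connection, so keep
the default outbound block in place rather than relying on user rules alone.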