Planning Network Security Components

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use firewalls and smart cards with Terminal Server to increase security. Use the information in the following sections to help you plan for the use of these security components in your environment. You also need to carefully choose the file system you plan to use with Terminal Server.

Using Firewalls with Terminal Server

If your organization uses a firewall for security and clients need to connect from the other side of the firewall, keep port 3389 open for RDP connections between the client and server, and implement filter rules to ensure that this traffic can reach only the terminal servers. This is not necessary if you use PPTP, L2TP, or other VPN technologies to tunnel through the firewall, because the port is available through the tunnel and the firewall does not explicitly block it there. If you are using the Remote Desktop Web Connection, you must also make sure that port 80 is open.

You can change the RDP port if necessary, but you must apply the modification to both the server and the clients. However, changing the RDP port, for example to a well-known and already open port such as 80, makes separation, identification, and audit of RDP traffic much more difficult. For more information about changing the RDP port, see article 187623, "How to Change Terminal Server's Listening Port" in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at https://www.microsoft.com/windows/reskits/webresources.
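The following added example (not part of the original documentation) audits a firewall rule table against the two points above: RDP should reach only the terminal servers, and moving RDP to port 80 removes the ability to separate it from Web traffic by port. The rule format, the first-match evaluation order, the implicit default deny, and all addresses are assumptions constructed for illustration and do not represent any particular firewall product.

```python
import ipaddress

# Constructed, vendor-neutral rule table: (action, protocol, destination, port).
# A port of None matches any port. Rules are evaluated first match wins.
RULES = [
    ("allow", "tcp", "192.0.2.10/32", 3389),  # terminal server
    ("allow", "tcp", "192.0.2.11/32", 3389),  # terminal server
    ("allow", "tcp", "192.0.2.0/24", 80),     # Web, incl. Remote Desktop Web Connection
    ("allow", "tcp", "192.0.2.0/24", 3389),   # too broad: RDP to the whole subnet
    ("deny", "any", "0.0.0.0/0", None),
]
TERMINAL_SERVERS = {"192.0.2.10", "192.0.2.11"}  # assumed addresses
INSIDE_NET = "192.0.2.0/24"                      # assumed protected network


def first_match(rules, host, port, proto="tcp"):
    """Return the action of the first rule matching host/port/proto."""
    addr = ipaddress.ip_address(host)
    for action, rule_proto, net, rule_port in rules:
        if rule_proto not in (proto, "any"):
            continue
        if rule_port is not None and rule_port != port:
            continue
        if addr in ipaddress.ip_network(net):
            return action
    return "deny"  # assumed implicit default deny


def audit_rdp(rules, terminal_servers, inside_net, rdp_port=3389):
    """Return (exposed, blocked): non-terminal-server hosts the RDP port
    can reach, and terminal servers the RDP port cannot reach."""
    exposed, blocked = [], []
    for addr in ipaddress.ip_network(inside_net).hosts():
        host = str(addr)
        allowed = first_match(rules, host, rdp_port) == "allow"
        if allowed and host not in terminal_servers:
            exposed.append(host)
        elif not allowed and host in terminal_servers:
            blocked.append(host)
    return exposed, blocked


if __name__ == "__main__":
    exposed, blocked = audit_rdp(RULES, TERMINAL_SERVERS, INSIDE_NET)
    print(f"port 3389: {len(exposed)} unintended hosts reachable, blocked={blocked}")
    # With RDP moved to port 80, the Web rule admits it to every host.
    exposed80, _ = audit_rdp(RULES, TERMINAL_SERVERS, INSIDE_NET, rdp_port=80)
    print(f"port 80:   {len(exposed80)} unintended hosts reachable")
```

Removing the subnet-wide 3389 rule brings the first result to zero exposed hosts, while the port 80 result stays unchanged because the firewall cannot tell RDP from Web traffic by port alone.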

For best results, use a firewall that uses user-based authentication. This is especially important for secure access over a WAN, because a firewall that grants access based on an IP address (rather than based on user credentials) allows users through if the IP address of the server running Terminal Services has been granted access. For more information, see "Planning Network Connectivity and Bandwidth" earlier in this chapter.

Determine whether the firewall used in your organization is a packet-level or application-level firewall. Packet-level firewalls are easier to configure for new protocols. If your organization uses an application-level firewall, check whether the vendor has defined a filter for RDP.

Using NTFS with Terminal Server

Because of the multiuser nature of Terminal Services, it is strongly recommended that you use the Windows Server 2003 version of NTFS as the only file system on the server, rather than file allocation table (FAT). FAT does not offer any user and directory security, whereas with NTFS you can limit subdirectories to certain users or groups of users. This is important in a multiuser system such as Terminal Services. Without the security that NTFS provides, any user has access to every directory and file on the terminal server. For more information about file systems, see "Designing and Deploying File Servers" in this book.

Using Smart Cards with Terminal Server

With Windows Server 2003, you can now enable users to log on to a remote session in an Active Directory domain using a smart card. Smart cards allow you to require strong credentials from users in a manageable way, providing a more secure environment.

To use smart cards with Windows Server 2003 Terminal Server, you must have Active Directory® directory service deployed in your organization, and your client computers must be running a Microsoft client operating system with built-in smart card support, such as Windows XP or Windows 2000, or most devices running Microsoft® Windows® CE .NET. You must also install smart card readers on the client computers.

Otherwise, deploying smart cards for use with Windows Server 2003 Terminal Server is the same as deploying smart cards that will not be used with Terminal Server. For more information, see "Planning a Smart Card Deployment" in the Designing and Deploying Directory and Security Services book of this kit.