In light of some recent worms I'm looking at ways to further restrict access to terminal services on my public facing Win2k3 server. A firewall IP address restriction is not an option as the genuine clients are all on dynamic addresses.

It seems the most likely option is to set up IPSec VPN functionality on the server. That looks like it will involve a bit of fiddling around so I thought I'd check if anyone else has any experience doing this and whether or not IPSec is actually the simplest and lightest approach?

  • What worms are you referring to? How were you affected by said worms? – joeqwerty Aug 31 '11 at 12:36
  • Got this in the post from Amazon http://aws.amazon.com/security/security-bulletins/morto-worm-spreading-via-remote-desktop-protocol. I wasn't affected just want to take some precautions over and above strong passwords. I'd prefer to avoid the brute force attempts polluting my event logs. – sipsorcery Aug 31 '11 at 13:08

2 Answers


Outside of a VPN solution, which is the best solution obviously:

I have had clients in the past that insist on the best security possible for no money, LOL, seems ridiculous eh.

Anyway, aside from very strong passwords as you say, change the port number that Terminal Server listens to. Everyone knows port 3389 is Terminal Server, so change it to something obscure. You can then close that port on their firewall and open the new one. Make it something ridiculously high in the port range, like 9000; that way it does not get scanned during a simple port scan from outside your network.

Afterwards go here https://www.grc.com/x/ne.dll?bh0bkyd2 and run the test. You should not see your terminal server's port on the list; hopefully you see nothing except your mail server if you have one.

  • I already had an SSH service running so I closed port 3389 and used an SSH tunnel to connect. However that's not adding anything extra except obscuring the port. Looks like the IPSec VPN is what I should be looking at. – sipsorcery Aug 31 '11 at 23:57
  • Agreed, the VPN is definitely the best solution. ;) – Tom Sep 01 '11 at 05:10
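The port-move procedure from the answer above, written out as an added example (not code from the thread). It assumes a modern Windows Server with the NetSecurity module (not the asker's Win2k3), an elevated session on the server itself, and a hypothetical new port of 9000; the order of steps matters, because opening the new firewall port before restarting the listener is what keeps a remote admin from locking themselves out.

```powershell
# Added example: move the RDP listener off 3389 and adjust the host firewall.
# Assumes Windows Server 2012+ (Get-NetTCPConnection, *-NetFirewallRule),
# run elevated on the server. The port value is a hypothetical choice.
param(
    [ValidateRange(1024, 65535)]
    [int]$NewPort = 9000
)

# Registry value that the RDP-Tcp listener reads its port from.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$current = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host "Current RDP listener port: $current"

# Refuse to collide with something already listening on the chosen port.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Port $NewPort is already in use; pick another."
}

# Open the new port in the host firewall BEFORE moving the listener.
New-NetFirewallRule -DisplayName "RDP (custom port $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Any | Out-Null

Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# The listener only picks up the new port after the service restarts.
# This drops every current RDP session, including the one you may be in.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5

# Confirm the listener actually moved before closing 3389; otherwise leave
# the built-in "Remote Desktop" rules alone so the box stays reachable.
if (-not (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue)) {
    throw "RDP is not listening on $NewPort; leaving the 3389 rules untouched."
}
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
Write-Host "RDP now listens on $NewPort and the 3389 rules are disabled."
# As the follow-up comment notes, this only obscures the port; it is not
# a substitute for the VPN or gateway approaches discussed in the thread.
```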

Take a look at setting up a "Terminal Services Gateway" or I think server 2008R2 calls it Remote Desktop Gateway. You set up an Internet facing IIS server to act as a gateway, preferably in a DMZ off your firewall. Clients contact the server securely over HTTPS, secured with a certificate signed by a trusted public certificate authority. This server can in turn check against a policy server who (or what) is allowed to connect and can even do a health check to qualify what kind of RDP session is allowed, and it then pipes the RDP to the real destination server. You could have a policy that says only domain machines, or machines with a certificate you exported, are allowed to connect.

FYI, this solution takes time, effort, and probably a little money, but it's EXTREMELY useful. Not compatible with the Mac OSX RDP client from Microsoft as of 6 months ago.

  • Yes I've seen that working in the past. If I recall correctly the solution also supports a terminal service client that runs as a browser plugin which can be handy. It will be too much in cost and effort for me though. I don't want to purchase an additional server or upgrade my existing Win2k3 one to Win2k8R2. – sipsorcery Sep 01 '11 at 00:18