V. Hardening steps to secure remote desktop access. (Enhanced Security Options)
/* The following article is extracted from the "Information Security Newsletter" published by the JUCC IS Task Force. */
1. Consider Using a Firewall
For the network hosting the Terminal Server, it is best practice to use a firewall capable of stateful packet inspection. A firewall capable of stateful packet inspection is more secure because it keeps track of packet requests and closes inbound packet forwarding once the session is finished.
This firewall can be based on either hardware or software, such as a server running Windows Server 2003 with the Internet Connection Firewall (ICF) or Microsoft's Internet Security and Acceleration (ISA) Server 2000. One advantage of using ISA is that it integrates with Microsoft Active Directory service and takes advantage of Windows technology. ISA can also be integrated with Terminal Server by providing and protecting users' access to the Internet using an advanced proxy architecture.
2. Consider Using a VPN tunnel to Secure Terminal Services connections over the Internet
For Terminal Server connections over the Internet, the more secure option is VPN. Although encryption is powerful there is a risk of a "man in the middle" attack because there is no authentication. A VPN tunnel (with L2TP) is more secure because it uses authentication as well as encryption over the internet.
VPN tunnels work by encrypting and encapsulating data over the Internet. There are two tunnelling protocols that are used with VPN, these are PPTP and L2TP. Because PPTP does not provide authentication in the tunnel, it does not add any security to the Terminal Server connection which already provides encryption. The tunnelling protocol you should consider using is L2TP.
3. Consider Using IPSec Policy to Secure Terminal Server Communications
The IPSec can be used to secure Terminal Server connections between computers over your network. IPSec secures and controls the transmission of IP packets. IPSec uses an industry-defined set of standards to verify, authenticate, and optionally encrypt data.
Using IPSec provides mutual authentication between client and server ensures private, secure communications over Internet Protocol (IP) networks, integrity of the contents of IP packets protected by encrypting data, and protection against attacks provided.
To enable IPSec protection for Terminal Services, create an IPSec filter list to match the Terminal Services packets, an IPSec policy to enforce IPSec protection, and then enable the policies -- the Client (respond-only) policy on the Terminal Services clients should be enabled.