0

I need to run a Windows Vista instance (Ultimate) on a dedicated server with a dedicated public IP and the Remote Desktop Protocol enabled. Vista will serve as a "small Windows" server to run a program via Remote Desktop only for authenticated users.

What do I have to do to secure this Vista installation (after installing it on the server)? Is Windows (after doing the updates and having auto-updates enabled) more or less secure by default? What do I have to tweak to make it secure?

It would be kind if you can list the steps I need to do (for example: disable this service and that service, enable the firewall under XYZ...)

Thank you very much! Tim

  • Vista will only let you run 1 RDP session. Is this what you want? You may have to switch to Windows Server. Vista is a desktop operating system – Nick Kavadias Jan 11 '10 at 14:34

5 Answers

1

Another thing you can do to make it even more secure is to actually tunnel RDP through SSH.

If you have a router that has an sshd or if the box itself can have something like cygwin installed, you can tunnel the RDP port to the machine you're connecting from and disable open internet access to terminal services entirely.

Example: http://theillustratednetwork.mvps.org/Ssh/RemoteDesktopSSH.html

scraft3613
0

Some points:

  • Place the machine in distinct security zone (DMZ) with adequate filtering

  • Forward to the machine only the strictly necessary ports

  • keep the machine OS and software up to date.

  • Use the strongest authentication mechanism that you can.

  • Audit config file changes and failed logons.

That's probably not an exhaustive answer. Anyway hope this helps.

Maxwell
  • Hello Maxwell. Thanks for your answer! The problem is that it will (due to the server/network architecture) not be possible to place it in a DMZ or "frontend" firewalled network. The Vista installation will be directly accessible over the internet via its public IP and I only have the possibility to secure Vista itself... –  Jan 11 '10 at 10:05
0

The firewall is enabled by default. Check it is configured appropriately.

Consider moving RDP to a non-default port to minimise the number of casual attacks.

Consider automatic account lockout if there are too many failed attempts.

Pick strong passwords, and only allow essential users remote access.

Require Network Level Authentication for RDP sessions if you're sure all the potential clients support it.

I run an XP machine in this situation, and it's survived for several years without compromise, so don't be excessively concerned.

xenny
  • Hello Xenny. Great posting, thanks. It contained several very helpful pieces of information. –  Jan 11 '10 at 13:50
0

Adding to the other excellent answers:

  • As far as I recall, automatic lock-out will not prevent brute-forcing any administrator accounts with tools like TSGrinder as they cannot be locked out when interactively used (which remote desktop counts as). So make sure administrator accounts are explicitly denied access by removing them from the allowed remote logon list. See this neat old XP article about securing Remote Desktop for XP for some examples on how to do this and other useful things.

  • Requiring the highest encryption level (FIPS-grade) is tedious but well worth it, and your Vista SKU seems to support it according to this rather detailed article: Connect securely to Windows Vista Remote Desktop.

Oskar Duveborn
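
A read-only PowerShell check of the settings recommended in the answers above (firewall state, RDP port, Network Level Authentication, encryption level, account lockout, and the Administrators group's remote logon right), added here as an example and not code from any of the posters. It assumes PowerShell is installed on the Vista machine and is run from an elevated prompt; the helper function names and the temporary file name are made up for this example.

```powershell
# Added example: audits RDP hardening settings without changing anything.
# Note: values set through Group Policy (HKLM:\SOFTWARE\Policies\...) override these.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"
$fw  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-RegValue($path, $name) {
    # Returns $null when the value is absent instead of throwing.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name }
}

# Export the local security policy once; keys and SIDs in the .inf are locale-independent.
$inf = Join-Path $env:TEMP 'rdp-audit-secpol.inf'   # hypothetical temp file name
secedit /export /cfg $inf /quiet | Out-Null
$policy = Get-Content $inf
Remove-Item $inf

function Get-PolicyValue($key) {
    # Lines look like: SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
    $line = $policy | Where-Object { $_ -match "^$key\s*=" } | Select-Object -First 1
    if ($line) { $line.Split('=')[1].Trim() }
}

function Report($name, $value, $ok) {
    $status = 'REVIEW'
    if ($ok) { $status = 'OK' }
    "{0,-8}{1,-44}{2}" -f $status, $name, $value
}

$adminSid = 'S-1-5-32-544'   # built-in Administrators group
$allow    = Get-PolicyValue 'SeRemoteInteractiveLogonRight'
$deny     = Get-PolicyValue 'SeDenyRemoteInteractiveLogonRight'
$lockout  = Get-PolicyValue 'LockoutBadCount'
$port     = Get-RegValue $rdp 'PortNumber'
$nla      = Get-RegValue $rdp 'UserAuthentication'   # 1 = NLA required
$enc      = Get-RegValue $rdp 'MinEncryptionLevel'   # 4 = FIPS compliant
$fwPublic = Get-RegValue "$fw\PublicProfile" 'EnableFirewall'
$fwStd    = Get-RegValue "$fw\StandardProfile" 'EnableFirewall'

Report 'Firewall on (public profile)'         $fwPublic ($fwPublic -eq 1)
Report 'Firewall on (private profile)'        $fwStd    ($fwStd -eq 1)
Report 'RDP port is not the default 3389'     $port     ($port -ne 3389)
Report 'Network Level Authentication'         $nla      ($nla -eq 1)
Report 'Encryption level is FIPS (4)'         $enc      ($enc -eq 4)
Report 'Account lockout threshold set'        $lockout  ([int]$lockout -gt 0)
Report 'Administrators barred from RDP logon' "allow=$allow deny=$deny" `
       (($deny -match $adminSid) -or ($allow -notmatch $adminSid))
```

Any line marked REVIEW corresponds to one of the recommendations in the answers that is not currently in effect on the machine.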
0

I think you should harden the IP stack following some of Microsoft's recommendations.

You should look on the MSDN website for more information about a hardened IP stack.

Dr I