I have a Windows 2008 Web Edition server with several IPs.
In order to improve security I want to expose only one IP for public services, and use another IP for the administrative ports.

That said, testing has shown me that I can connect to my server's terminal services (using remote desktop connection) with every assigned IP, which is bad.

So for example if the server has these IPs:
172.11.22.51
172.11.22.71
How do I make the terminal services (which listen on port 3389) listen only on IP 172.11.22.51?
Currently it's set to 0.0.0.0 which is "ANY_IP".
Doing so will allow me to run a server application on the other IP (172.11.22.71) only.

That said, I'd be happy if someone could tell me how to do so with other services in that OS, if possible, yet the most urgent is the Terminal Service one.

Poni

1 Answer

There isn't a way to configure the native remote desktop service to listen on just a specific IP, just to change the port. You can tunnel it through SSL or SSH, however. Will that work?

Changing listener IPs for other services is service-specific. Since you're using Web edition I'm going to assume you'd be interested in IIS:

  1. Open a command prompt
  2. Type in netsh
  3. Type in http
  4. Type show iplisten and verify that nothing comes back (indicating you're listening on all IPs)
  5. Type add iplisten ipaddress=172.11.22.51

That will bind your site to 172.11.22.51.

squillman
  • Thanks for the steps to show how to change this stuff for other services, although tunnelling through SSL/SSH is less performant than simply blocking access through "Windows Firewall with Advanced Security". – Poni Aug 23 '10 at 14:50
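
The netsh steps from the answer above, run non-interactively and followed by a check for listeners still bound to 0.0.0.0. This is an added example, not part of the original answer or comments. It assumes PowerShell 2.0, an elevated prompt, English `netstat` output, and that IIS uses ports 80 and 443; the function name `Get-TcpListener` is made up for this example.

```powershell
# Added example: apply the answer's netsh steps, then audit wildcard listeners.
# Assumptions: elevated prompt, PowerShell 2.0, English netstat output ("LISTENING").
$ListenIp = '172.11.22.51'   # address used in the answer; substitute your own
$Ports    = 80, 443, 3389    # ports to audit (80/443 are assumed IIS defaults)

function Get-TcpListener {
    # Parse "netstat -ano -p tcp" (IPv4 only) into one object per listening socket.
    netstat -ano -p tcp | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            New-Object PSObject -Property @{
                LocalAddress = $Matches[1]
                LocalPort    = [int]$Matches[2]
                ProcessId    = [int]$Matches[3]
            }
        }
    }
}

# Steps 2-5 of the answer as one-line commands.
netsh http show iplisten                      # empty list = HTTP.sys listens on all IPs
netsh http add iplisten ipaddress=$ListenIp
netsh http show iplisten                      # should now list $ListenIp

# HTTP.sys reads the IP listen list when it starts, so the change is not visible
# until the HTTP service and its dependents (IIS) are restarted, for example:
#   net stop http /y
#   net start w3svc
# Left commented out because it interrupts every site on the server.

# Report audited ports that still accept connections on every address.
$wildcard = Get-TcpListener | Where-Object {
    ($Ports -contains $_.LocalPort) -and ($_.LocalAddress -eq '0.0.0.0')
}
if ($wildcard) {
    $wildcard | Sort-Object LocalPort |
        Format-Table LocalAddress, LocalPort, ProcessId -AutoSize
} else {
    'No audited port is listening on 0.0.0.0.'
}
```

Any port the audit still reports on 0.0.0.0 is reachable through every assigned address unless a firewall rule restricts it.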