Showing posts with label terminal server services. Show all posts

Wednesday, December 16, 2009

Alteration in Terminal Server's Listening Port


In an earlier post on Application Server Security I covered securing your Terminal Servers; this post describes how to change the port the server listens on.

TCP port 3389 is the well-known port that Terminal Server and Windows 2000 Terminal Services use for client connections. Microsoft does not recommend changing it, but it can be done. Treat the change as obscurity rather than a security control: a port scanner still finds the listener on the new port, so patching, strong authentication and firewall rules restricting who may reach it remain necessary. The change is made in the registry, so work carefully: a wrong value leaves the server unreachable over Terminal Services, and the new port only comes into effect once Terminal Services restarts, which will drop the session you are editing from if you are connected remotely.

  • Back up the key before editing it and check every value twice. To change the default port:

  • Run Regedt32 and open HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.

  • Find the PortNumber value. Its data is 00000D3D, which is 3389 in hexadecimal.

  • Enter the new port number in hexadecimal and save the value. The listener moves to the new port the next time Terminal Services starts (restart the service or reboot), so make sure any firewall between the clients and the server allows the new port before you do that.

To change the port for a particular connection on the Terminal Server rather than the default RDP-Tcp listener:

  • Run Regedt32 and open HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\connection, where connection is the name of the connection you want to change.

  • Find the PortNumber value; here too the data is 00000D3D, 3389 in hexadecimal.

  • Enter the new port number in hexadecimal and save the value.

  • Once the server-side port has changed, the client has to be told about it.

To change the port on the client side:

  • Open Client Connection Manager.

  • On the File menu, click New Connection and create the new connection with the wizard. The new connection appears in the list.

  • Make sure the new connection is highlighted, then on the File menu click Export.

  • Open the exported .cns file in Notepad and change the server port line from Server Port=3389 to Server Port=<the port you set on the Terminal Server>.

  • Import the file back into Client Connection Manager. You will be asked whether to overwrite the existing connection.

  • If it has the same name, overwrite it.

The client now has port settings that match the Terminal Server.
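The same change scripted for a current Windows host, as an added example that is not part of the original post: it goes beyond the Windows 2000 steps above in that it opens the firewall for the new port before the listener moves, refuses a port that is already in use, checks that the service really is listening on the new port afterwards, and writes a client .rdp file with a matching server port (the modern equivalent of the exported .cns file). The port 3390 and the host name ts01.corp.example are assumed values. Restarting the service disconnects active sessions, so run this from the console or in a maintenance window.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session
# on the RDP host. Assumed values: new port 3390, host ts01.corp.example.
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpListeningPort {
    # PortNumber is a REG_DWORD; the default 0x00000D3D is 3389 decimal.
    (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
}

function Set-RdpListeningPort {
    param([Parameter(Mandatory)][ValidateRange(1024, 65535)][int]$Port)

    $current = Get-RdpListeningPort
    if ($current -eq $Port) { Write-Host "Listener already on TCP $Port"; return }

    # Refuse a port something else is already bound to; the listener would just fail to start.
    $inUse = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if ($inUse) { throw "TCP $Port is already in use by PID $($inUse.OwningProcess)" }

    # 1. Open the firewall for the new port FIRST, so a remote admin is not locked out
    #    when the service comes back on the new port.
    New-NetFirewallRule -DisplayName "Remote Desktop (TCP-In) port $Port" -Direction Inbound `
        -Protocol TCP -LocalPort $Port -Action Allow -Profile 'Domain, Private' | Out-Null
    New-NetFirewallRule -DisplayName "Remote Desktop (UDP-In) port $Port" -Direction Inbound `
        -Protocol UDP -LocalPort $Port -Action Allow -Profile 'Domain, Private' | Out-Null

    # 2. Same key and value the post edits by hand in Regedt32.
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord

    # 3. The change only takes effect when the listener restarts (this drops active sessions).
    Restart-Service -Name TermService -Force
    Start-Sleep -Seconds 3

    # 4. Verify before you touch the old firewall rule.
    $listening = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue
    if (-not $listening) { throw "TermService restarted but nothing is listening on TCP $Port" }
    Write-Host "RDP listener moved from TCP $current to TCP $Port"
}

function New-RdpClientFile {
    # Modern equivalent of editing "Server Port=" in the exported .cns file.
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string]$Path
    )
    @(
        "full address:s:$ServerName`:$Port"
        "server port:i:$Port"
        "authentication level:i:1"    # 1 = do not connect if the server certificate fails validation
        "enablecredsspsupport:i:1"    # require Network Level Authentication before a session exists
    ) | Set-Content -Path $Path -Encoding ASCII
    Get-Item $Path
}

# Usage (assumed values):
Set-RdpListeningPort -Port 3390
New-RdpClientFile -ServerName 'ts01.corp.example' -Port 3390 -Path "$env:USERPROFILE\Desktop\ts01.rdp"
```

Once clients are confirmed working on the new port, remove the built-in "Remote Desktop" inbound rules for 3389 so the old port does not stay open for nothing.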

Friday, January 30, 2009

How to Apply Security on a Windows Server 2003-based Cluster Server

1. Test the deployment of a security template in a lab environment before you deploy it in production if any of the following is true:
* The Default Domain Policy setting has been changed.
* The cluster server nodes already exist in the domain.
* The cluster server nodes have received domain policies from a Group Policy object (GPO).
GPOs are typically implemented as changes to registry keys on the computers they apply to. Many of the registry changes a GPO makes, security settings in particular, are not removed or returned to their defaults when the GPO stops applying (the settings "tattoo" the registry). Removing a GPO therefore does not guarantee that its effects are reversed, which is why you cannot rely on simply backing a bad template out.

2. Before you configure the Domain policies to use the No Override option (called Enforced in later Group Policy tools), determine how the reconfigured Domain policies will affect the cluster server nodes: an enforced domain policy reaches the nodes even through blocked inheritance. Typical effects are the following:
* User rights that the cluster service account needs are removed.
* The cluster service account is removed from the local administrators group because of a Restricted Groups policy.
* Strict LAN Manager authentication levels are implemented.
* More restrictive remote procedure call (RPC) authentication policies are imposed.

3. If the No Override option is not configured on the Domain policies, configure a separate organizational unit (OU) for the cluster server nodes with inheritance blocked. With inheritance blocked, policies linked at the domain level are not applied to the OU. If No Override is selected on a domain-level policy, blocking inheritance on the OU has no effect on that policy.

4. Before you join the cluster server nodes to the domain, pre-stage their computer accounts in an OU where inheritance is blocked. This prevents the nodes from picking up the policies that apply to the default Computers container in Active Directory.

Note: do not modify the default cluster OU policy at this point.

5. After you have joined the cluster server nodes to the domain, configure and verify basic cluster functionality. Then apply the more restrictive security settings by using the security template, or configure an OU GPO and import the template into it after you have made your modifications and exported the template.

Note: we recommend that you do not modify the default GPO for a container. Create a new policy instead, and either modify it or import a security template into it.

6. Before you install an additional cluster resource or individual program, you must confirm that the cluster functionality works correctly with the security settings that you have applied. Additionally, you must review the security guidelines and the hardening procedures of each cluster server resource and of each program that you want to install.

For example, for Exchange, review the Microsoft Exchange Server 2003 Security Hardening Guide on Microsoft TechNet.

7. Apply the hotfix described in the following Knowledge Base article to each cluster server node before you apply the security settings in the template:
890761 (http://support.microsoft.com/kb/890761/ ) You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003
Notes:
* Hotfix 890761 is included in Windows Server 2003 Service Pack 1.
* If hotfix 890761 is not applied to the cluster server nodes, you must modify both the LAN Manager authentication level and the RPC security settings in the security template, because those are the settings that trigger the error described in the article.

8. After you apply the hotfix from step 7, load the template into the Security Configuration and Analysis snap-in, analyze each node against it, and then verify the configuration and the functionality of each cluster server node.

9. After you complete step 8, you may have to change the Cluster Service and Distributed Transaction Coordinator Service settings in the template. Both are set to Disabled in the template; reset them to Enabled. The Distributed Transaction Coordinator Service is called out because it frequently has to be clustered.

10. Restart the cluster servers. The cluster server services now function correctly.
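The staging part of this procedure scripted, as an added example that is not part of the Knowledge Base article: it creates the node OU with inheritance blocked, pre-stages the computer accounts, links a new GPO rather than touching a default one, lists any Enforced (No Override) domain links that will still reach the OU, and then, on each node, runs a secedit analysis of the template against the live configuration so that a removed user right or a Restricted Groups change that would evict the cluster service account is visible before anything is applied. The domain corp.example, the OU and GPO names, the node names CLNODE1 and CLNODE2 and the template path are assumed values; the script runs from a management host with the RSAT ActiveDirectory and GroupPolicy modules and needs remoting to the nodes for the last step.

```powershell
# Added example, not from the KB article. Assumed names throughout; adjust to your domain.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN = 'DC=corp,DC=example'
$OuName   = 'ClusterNodes'
$OuDN     = "OU=$OuName,$DomainDN"
$Nodes    = 'CLNODE1', 'CLNODE2'
$GpoName  = 'Cluster Node Hardening'
$Template = 'C:\Templates\cluster-hardening.inf'

# Steps 3 and 4: the OU exists and has inheritance blocked BEFORE the nodes join the domain.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}
Set-GPInheritance -Target $OuDN -IsBlocked Yes | Out-Null

# Step 4: pre-staged accounts, so the join lands in this OU and not in CN=Computers.
foreach ($n in $Nodes) {
    if (-not (Get-ADComputer -Filter "Name -eq '$n'")) {
        New-ADComputer -Name $n -SamAccountName $n -Path $OuDN -Enabled $true
    }
}

# Step 5 note: a NEW GPO linked to the OU. The template is imported into it afterwards with the
# Group Policy editor (Security Settings > Import Policy); the default GPOs are left untouched.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = @((Get-GPInheritance -Target $OuDN).GpoLinks | Select-Object -ExpandProperty DisplayName)
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# Steps 2 and 3: Enforced (No Override) domain links ignore blocked inheritance. List them so
# their user-rights, Restricted Groups, LM and RPC settings get reviewed against the cluster account.
(Get-GPInheritance -Target $DomainDN).GpoLinks |
    Where-Object { $_.Enforced } |
    Format-Table DisplayName, Enforced, Enabled -AutoSize

# Steps 7 and 8, executed on each node. secedit /analyze changes nothing; its log lists every
# setting that differs from the template, i.e. exactly what applying it would change.
$analyze = {
    param([string]$Tpl)
    $os     = Get-WmiObject Win32_OperatingSystem          # Get-WmiObject: available on PowerShell 2.0
    $hasSp1 = $os.ServicePackMajorVersion -ge 1            # SP1 includes hotfix 890761
    $hasFix = Get-HotFix -Id KB890761 -ErrorAction SilentlyContinue
    if (-not ($hasSp1 -or $hasFix)) { Write-Warning "$env:COMPUTERNAME: hotfix 890761 not installed" }

    $db  = Join-Path $env:TEMP 'cluster-analyze.sdb'
    $log = Join-Path $env:TEMP 'cluster-analyze.log'
    Remove-Item $db, $log -ErrorAction SilentlyContinue
    secedit /analyze /db $db /cfg $Tpl /overwrite /log $log /quiet | Out-Null
    # Lines beginning "Mismatch" are the settings the template would change on this node.
    Select-String -Path $log -Pattern '^\s*Mismatch' |
        ForEach-Object { "$env:COMPUTERNAME`: $($_.Line.Trim())" }
}
foreach ($n in $Nodes) {
    Copy-Item $Template "\\$n\C$\Windows\Temp\cluster-hardening.inf"   # admin share assumed reachable
    Invoke-Command -ComputerName $n -ScriptBlock $analyze -ArgumentList 'C:\Windows\Temp\cluster-hardening.inf'
}
```

Read the Mismatch lines for the cluster service account's user rights (Log on as a service, Back up files, Restore files, Increase scheduling priority and so on), for Restricted Groups entries on Administrators, and for LmCompatibilityLevel and the RPC restrictions from step 2 before you import the template into the GPO.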

Source: http://support.microsoft.com/kb/891597

Friday, January 16, 2009

Enhance Terminal Services Gateway Security with ISA Server 2006

Following on the success of Outlook Anywhere in Exchange Server 2007, Windows Server 2008 in turn delivers the capability to access your desktop from anywhere in a secure and controlled manner.

The new Terminal Server Gateway service (TS Gateway) in Windows Server 2008 offers the flexibility of Windows® Terminal Server Services plus the ability to connect to a Terminal Server from anywhere over an HTTP connection. This service uses Remote Desktop Protocol (RDP) over HTTPS (SSL) to increase security while providing a single client interface for accessing Terminal Services resources.


This new TS Gateway service offers significant benefits to those who need to access their computers remotely:

* No need to establish a Virtual Private Network (VPN) session before connecting to internal resources using RDP.
* Enhanced security using Network Access Protection (NAP) and Windows Security Health Checks to control RDP connections.
* No need to open TCP port 3389 inbound: only HTTPS (TCP 443) has to be published through the firewall.

You can use Microsoft Internet Security and Acceleration Server 2006 to put an inspecting layer in front of TS Gateway while still allowing external access to internal resources. Set up an SSL-to-SSL bridging scenario in which ISA Server 2006 receives the external requests and passes them to the internal TS Gateway service, also over HTTPS. While bridging, the ISA firewall terminates the external SSL session (so the certificate for the public gateway name, together with its private key, lives on the ISA server), decrypts the traffic and performs application-layer inspection on the HTTP stream.

If the HTTP protocol stream passes inspection, the communication is re-encrypted and forwarded to the TS Gateway; if it fails inspection, the connection is dropped. Be clear about what is inspected: ISA validates the HTTP transport that TS Gateway's RPC-over-HTTP tunnel rides on, not the RDP session carried inside it, so the gateway's connection and resource authorization policies, Network Level Authentication on the terminal servers and patching still carry the weight.
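An external-side check of the published design, as an added example that is not part of the original post or of the TechNet article: from a machine outside the perimeter it confirms that the public gateway name answers on TCP 443 with a certificate issued for that name, that TCP 3389 is not reachable directly (the whole point of publishing only HTTPS), and it writes a client .rdp file that routes through the gateway instead of straight to the terminal server. The names rdgw.example.com and ts01.corp.example are assumed values.

```powershell
# Added example, not from the original post. Assumed names: rdgw.example.com (public gateway
# name on the ISA listener) and ts01.corp.example (internal terminal server).

function Connect-TcpWithTimeout {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    $ar = $client.BeginConnect($HostName, $Port, $null, $null)
    if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { $client.Close(); return $null }
    try { $client.EndConnect($ar); return $client } catch { $client.Close(); return $null }
}

function Test-PortClosed {
    # $true when nothing answers within the timeout or the connection is refused.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $c = Connect-TcpWithTimeout $HostName $Port $TimeoutMs
    if ($c) { $c.Close(); return $false }
    return $true
}

function Get-TlsEndpointInfo {
    # Completes a TLS handshake and reports on the certificate the listener presented.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = Connect-TcpWithTimeout $HostName $Port
    if (-not $client) { return [pscustomobject]@{ Host = $HostName; Port = $Port; Reachable = $false } }
    # Accept any certificate during the handshake so a bad one is reported rather than hidden.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        # Names the certificate is valid for: the CN plus DNS entries from the SAN extension
        # (OID 2.5.29.17). English Windows formats SAN entries as "DNS Name=<host>".
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        foreach ($ext in $cert.Extensions) {
            if ($ext.Oid.Value -eq '2.5.29.17') {
                $names += ($ext.Format($false) -split ',\s*') |
                    Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { $_.Substring(9) }
            }
        }
        [pscustomobject]@{
            Host        = $HostName
            Port        = $Port
            Reachable   = $true
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            NameMatches = ($names -contains $HostName)   # exact match only; wildcards are not expanded
            ChainValid  = $cert.Verify()                  # chain built against the local trust store
        }
    } finally { $ssl.Dispose(); $client.Close() }
}

function New-GatewayRdpFile {
    # Client settings that force the session through TS Gateway instead of direct to port 3389.
    param([string]$TerminalServer, [string]$Gateway, [string]$Path)
    @(
        "full address:s:$TerminalServer"
        "gatewayhostname:s:$Gateway"
        "gatewayusagemethod:i:1"          # 1 = always use the gateway
        "gatewaycredentialssource:i:0"    # 0 = password (NTLM) to the gateway
        "gatewayprofileusagemethod:i:1"   # 1 = use the explicit gateway settings above
        "authentication level:i:1"        # 1 = do not connect if server authentication fails
    ) | Set-Content -Path $Path -Encoding ASCII
    Get-Item $Path
}

# Usage (assumed names), run from outside the perimeter:
$gw = 'rdgw.example.com'
Get-TlsEndpointInfo -HostName $gw | Format-List
if (-not (Test-PortClosed -HostName $gw -Port 3389)) {
    Write-Warning "$gw answers on TCP 3389 from outside; the gateway is being bypassed"
}
New-GatewayRdpFile -TerminalServer 'ts01.corp.example' -Gateway $gw -Path "$env:USERPROFILE\Desktop\ts01-via-gateway.rdp"
```

NameMatches false with a reachable port usually means the ISA web listener is bound to the wrong certificate; ChainValid false on the external name means clients will either refuse the gateway or, worse, have been trained to click through warnings.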

For Detail Information visit: http://technet.microsoft.com/en-us/magazine/2008.09.tsg.aspx

Source: http://blogs.windowsecurity.com/shinder/2009/01/14/enhance-ts-gateway-security-with-isa-server-2006/