Securing a Terminal Service Plus server
SECURING A TERMINAL SERVICE PLUS SERVER
Securing any server is a never-ending story where every expert could add another chapter.
TSplus benefits from and is compatible with existing security infrastructure in a company (Active Directory, GPOs, HTTPS servers, SSL or SSL telecommunication systems, VPN, access control with or without ID cards, etc). For customers who want to easily secure their servers, TSplus offers a set of simple and effective ways to enforce good levels of security.
CHANGING THE RDP PORT NUMBER AND SETTING UP THE FIREWALL
With the AdminTool, you can select a different TCP/IP port number for the RDP service to accept connections on. The default one is 3389.You can choose any arbitrary port, assuming that it is not already used on your network and that you set the same port number on your firewalls and on each TSplus user access programs.
TSplus includes a unique port forwarding and tunnelling capability: regardless the RDP port that has been set, the RDP will also be available on the HTTP and on the HTTPS port number!
If users want to access your TSplus server outside from your network, you must ensure all incoming connections on the port chosen are forwarded to the TSplus server. On the Server tab, click on the “Change RDP Port” tile:
SERVER SIDE SECURITY OPTIONS
The AdminTool allows you to deny access to any user that is not using a TSplus connection program generated by the administrator. In this case, any user that would attempt to open a session with any Remote Desktop client other than the TSplus one (assuming he has the correct server address, the port number, a valid logon and a valid password) will be disconnected automatically.
The administrator can decide that only members of the Remote Desktop User group will be allowed to open a session.
The administrator can decide that a password is mandatory to open a session.
Through setting the applicable local Group Policy, the administrator can specify whether to enforce an encryption level for all data sent between the client and the remote computer during a Terminal Services session. If the status is set to Enabled, encryption for all connections to the server is set to the level decided by the administrator. By default, encryption is set to High.
THE ADMINISTRATOR CAN DECIDE TO SET A FIREWALL ON THE USER PC NAMES.
Only the PCs that are listed on the UsersPCnamelist.ini file located on the Pc names firewall on the Security tile (or on the folder /Program Files(x86)/TSplus/UserDesktop/files/) are able to open a session:
Any other PC, even with a valid logon/password, will be rejected.
The administrator can also set as a rule that only users with a TSplus connection client will be able to open a session. Any incoming access with a standard RDP or a web access will be automatically rejected.
HIDING THE SERVER DISK DRIVES:
The AdminTool includes a tool that enables hiding the server disk drives to prevent users from accessing folders through My Computer or standard Windows dialog boxes. On the Security tab, click on “Hide Disk drives”:
The tool works globally. This means that even the administrator will not have a normal access to drives after the settings have been applied. On the example below, all drivers have been selected with the “select all” button, which will check all the box corresponding to drives that will be hidden to everybody:
Notes: This functionality is powerful and does not disable the access to the disk drives. It just prevents the user to display it.
The tool flags the disks drives as hidden, but it also adds the HIDDEN property to the entire root folders and users list in Document and Settings. If the administrator wants to see these files he must:
- Type the disk drive letter. For example: D:\ which will take you to the D:
- Turn on SHOW HIDDEN FILES AND FOLDERS in the folder view
ADVANCED SECURITY OPTIONS
You can find multiple advanced security options if you click on the tab of the same name on the Security tile:
ADMINISTRATOR PIN CODE
The Administrator can secure the Administrator Tool access by setting a pin code which will be asked at every start:
TSPLUS ACCESS PROGRAM SECURITY OPTIONS:
The TSplus client generator gives the capability to lock the TSplus client to:
- A specific PC name. It means this program will not be able to start from any other PC.
- A physical drive serial number (PC HDD or USB stick). This is a very easy and powerful way to set a high
level of security. The only way to connect is with a specific client, and this specific client can only start on a specific USB stick or PC HDD. Some of our customers are delivering fingerprint-reading USB sticks to each of their users and each generated program is locked to the device serial number.
This way, they can restrict access to the client’s program itself, as well as ensuring it cannot be copied off the USB stick and used elsewhere.