Securing a TS2log server
Overview
Securing any server is a never-ending story where every expert could add another chapter.
TS2log benefits is that it is compatible with existing security infrastructure in a company (Active Directory, GPOs, HTTPS servers, SSL or SSL telecommunication systems, VPN, access control with or without ID cards, etc).
For customers who want to easily secure their servers, TS2log offers a set of simple and effective ways to enforce good levels of security.
Changing the RDP port number and setting up the firewall
With the AdminTool, you can select a different TCP/IP port number for the RDP service to accept connections. The default one is 3389.
You can choose any arbitrary port, assuming that it is not already used on your network and that you set the same port number on your firewalls and on each TS2log user access programs.
TS2log includes a unique port forwarding and tunneling capability: regardless the RDP port that has been set, the RDP will also be available on the HTTP and on the HTTPS port number!
If users want to access your TS2log server outside from your network, you must ensure all incoming connections on the port chosen are forwarded to the TS2log server. On the Server tab, click on the "Change RDP Port" tile :
Server side security options
The AdminTool allows you to deny access to any user that is not using a TS2log connection client generated by the administrator.
In this case, any user that would attempt to open a session with any Remote Desktop client other than the TS2log one (assuming he has the correct server address, the port number, a valid logon and a valid password) will be disconnected automatically.
The administrator can decide that only members of the Remote Desktop User group will be allowed to open a session.
The administrator can decide that a password is mandatory to open a session.
Through setting the applicable local Group Policy, the administrator can specify whether to enforce an encryption level for all data sent between the client and the remote computer during a Terminal Server Services session.
If the status is set to Enabled, encryption for all connections to the server is set to the level decided by the administrator. By default, encryption is set to High.
The administrator can also set as a rule that only users with a TS2log connection client will be able to open a session.
Any incoming access with a standard RDP or a web access will be automatically rejected.
Hiding the server disk drives:
The AdminTool includes a tool that enables hiding the server disk drives to prevent users from accessing folders through My Computer or standard Windows dialog boxes. On the Security tab, click on "Hide Disk drives" :
This tool works globally. This means that even the administrator will not have a normal access to drives after the settings have been applied. On the example below, all drivers have been selected with the "select all" button, which will check all the boxes corresponding to drives that will be hidden to everybody:
Notes: This functionality is powerful and does not disable the access to the disk drives. It just prevents the user to display it.
The tool flags the disks drives as hidden, but it also adds the HIDDEN property to the entire root folders and users list in Document and Settings.
If the administrator wants to see these files, he must:
- Type the disk drive letter. For example: D:\
which will take you to the D: drive. - Turn on the SHOW HIDDEN FILES AND FOLDERS option in the folder view properties.
Advanced security options
You can find multiple advanced security options if you click on the Security tile:
