Enhance Terminal Service Security

Source: Internet
Author: User

Source: 315 safe

Windows 2000 Terminal Services are favored by many administrators for their ease of use and convenience, and they are an important tool for managing servers remotely. The same convenience works for an attacker: a terminal session does not interrupt the interactive logon of the user at the console, so someone can log on in the background unnoticed, which has made the service a target for hackers. Careful configuration can make it considerably more secure.
1. Modify the Terminal Service port
Modify the Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp

Change the PortNumber value under both keys to the port you want (the new port takes effect after the server is restarted).

Clients must then connect using the new port number.


2. Hide the last logon username
Hiding the username of the last logon prevents attackers from obtaining an administrative username and using it to crack the system.
Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, change the value of DontDisplayLastUserName to 1.

3. Specify which users may log on
For security, there is no need to allow every user on the server to log on. For example, to allow only the user 315safe to log on to the terminal server:

In Administrative Tools, open Terminal Services Configuration, select Connections, and open the Properties of RDP-Tcp on the right. On the Permissions tab, remove the Administrators group and add the user 315safe that we allow. All other users are then denied terminal logon.

4. Enable auditing

Terminal Services does not log anything by default; logging must be enabled manually. In the properties of RDP-Tcp, on the Permissions tab, click Advanced, open the Auditing tab, add Everyone, and select the events to be recorded.



Terminal service logs in the event viewer are incomplete. Next we will improve the terminal server log.


In the root of drive D:, create two files: ts2000.BAT (a script that runs when the user logs on) and ts2000.LOG (the log file).

Write the "ts2000.BAT" script file:

rem Append the logon time to the log (">>" appends; ">" would overwrite earlier entries)
time /t >> D:\ts2000.log
rem Record the TCP connection on the terminal service port (use the new port if it was changed in step 1)
netstat -n -p tcp | find ":3389" >> D:\ts2000.log
rem Start the shell for the user's session
start explorer.exe

The first line records the user's logon time: "time /t" prints the system time, and the append redirection operator ">>" writes it to "ts2000.LOG" as the time field of the log entry (a single ">" would overwrite the log at every logon). The second line records the IP address of the remote user: "netstat" displays the current network connections, "-n" shows addresses and ports numerically, and "-p tcp" restricts the output to TCP; the pipe "|" passes the output of "netstat" to the "find" command, which keeps only the lines containing ":3389" (use the new port if it was changed in step 1), and the result is appended to the log file "ts2000.LOG". The last line starts Explorer as the user's shell.

Set "ts2000.BAT" as the logon program. On the terminal server, open the "RDP-Tcp Properties" window, switch to the "Environment" tab, select the option to override the settings from the user profile and the Remote Desktop Connection or Terminal Services client, enter "D:\ts2000.bat" in the "Program path and file name" field and "D:\" in the "Start in" field, and click "OK". From now on the terminal service log shows when each user logged on and from which address.


5. Restrict the addresses that may connect

Use the server's built-in IPSec to allow only specific IP addresses to connect to the server.
First, block all connections to port 3389.



1. In Local Security Policy, select "IP Security Policies on Local Machine", right-click the blank area on the right, and click "Create IP Security Policy". Give the policy a name (for example, 3389) and leave "Activate the default response rule" unselected; the properties dialog of the newly created policy (3389) then opens.
2. Add a new rule. On the "IP Filter List" tab, add a filter list named all_3389 (with "Use Add Wizard" unselected, click "Add"). Press "OK" and "Close" to return to the new rule's properties, select the newly created list all_3389, and switch to the "Filter Action" tab. There is no "Block" action yet, so create one: click "Add" (with or without the wizard) and select "Block" as the security method in the dialog that appears.

On the General tab give it a name, for example "Block 3389", then return to the "Filter Action" tab of the new rule's properties, select Block 3389, and press Close to return to the Local Security Settings window you started from. Select the policy 3389 and assign it. Now no machine at all can connect to our terminal server.

3. That also locks out the machines that should be able to connect. Next, create a rule that permits only connections from machines the server trusts, for example 219.139.240.90. Open the properties of "3389", leave "Use Add Wizard" unselected, and press "Add" to open the new rule's properties; then press "Add" on the "IP Filter List" tab and name the list "OK_3389". With the wizard unselected, press "Add" and the filter properties appear. On the "Addressing" tab specify the trusted machine's address as the source, set TCP and port 3389 on the "Protocol" tab, and select "Permit" for the "Filter Action". Because IPSec applies the most specific matching filter, this permit rule overrides the block-all rule for the trusted address only, so no machine except the one we trust can log on to the terminal server. The gateway can also be set as a trusted machine. This makes the terminal server much more secure.
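The log written by ts2000.BAT in step 4 is only useful if someone reads it, and step 5 defines which addresses are trusted. The following parser, added here as an example and not part of the original article, turns the log into (time, remote address, state) records and flags logons from addresses outside the trusted set. The log sample, the trusted set (using the article's 219.139.240.90) and the second address 61.50.12.7 are constructed for the example.

```python
import re

# Trusted terminal clients, as allowed by the IPSec rule in step 5 (constructed set)
TRUSTED = {"219.139.240.90"}

# Constructed sample of what ts2000.BAT appends per logon: one "time /t" line
# followed by the "netstat -n -p tcp" lines that contain ":3389".
SAMPLE_LOG = """10:35 AM
  TCP    192.168.1.10:3389      219.139.240.90:1045    ESTABLISHED
02:10 PM
  TCP    192.168.1.10:3389      219.139.240.90:1102    ESTABLISHED
  TCP    192.168.1.10:3389      61.50.12.7:3077        ESTABLISHED
"""

# netstat line: proto, local addr:port, remote addr:port, state
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\w+)"
)


def parse_ts_log(text, port=3389):
    """Return a list of (time_str, remote_ip, state) tuples.

    Every line that is not a netstat line is treated as the "time /t" stamp
    that starts a new logon record; the netstat lines after it belong to
    that record. Only connections whose *local* port is the terminal service
    port are kept, so outbound connections that happen to use the same
    remote port number are ignored. Pass port=... if it was changed in step 1.
    """
    records = []
    current_time = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = NETSTAT_RE.match(line)
        if m is None:
            current_time = line.strip()  # a "time /t" line
            continue
        if int(m.group(2)) != port:
            continue
        records.append((current_time, m.group(3), m.group(5)))
    return records


def untrusted_connections(records, trusted=TRUSTED):
    """Records whose remote address is not in the trusted set: these should
    not exist once the step 5 IPSec policy is assigned, so any hit means the
    policy is missing or misconfigured."""
    return [r for r in records if r[1] not in trusted]
```

The log carries no username, because ts2000.BAT records only the time and the connection; the time field is what links an entry to the terminal service audit events enabled in step 4.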
