31st July 2008, 09:54 AM #1 Stopping MSTSC access across VLANs
Hi All, after getting my VLANs up and running with each core switch now having at least 4 redundant links to it,
I now turn my attention to further locking down VLANs.
Now the subnets are working fine in that VLAN 2 (Staff) cannot see VLAN 3 (Students) and vice versa, this is good. You can however still launch mstsc (RDP) to the servers from either of these VLANs and there is a route through to the servers, there has to be!
Anyone know the best way of restricting this? Yes I know that you have to be a member of the admins group to get access, but if the username and password is compromised I am trying to reduce the attack window by only allowing mstsc access from within VLAN 1 only, i.e. the server room, comms room, or my office.
Thanks in advance
31st July 2008, 10:04 AM #2 RDP runs over TCP port 3389. Firewall it.
31st July 2008, 10:11 AM #3 Yes I thought of that and on VLAN 2 that would be great, in fact I'll do that now. However on VLAN 3 (students) I have a number of thin clients and these would effectively stop working and that would be an issue...
31st July 2008, 10:34 AM #4 If you sit a real physical firewall device (say a Linux box) between your servers and your clients you can selectively pick and choose which RDP traffic to allow/deny based on destination IP.
31st July 2008, 10:48 AM #5 Put an ACL on the VLAN. Only allow RDP from the thin clients to the servers. Deny the rest of the hosts.
31st July 2008, 11:24 AM #6 Change the RDP port on any servers you want locked down... that way when you remote desktop into them, you can tell it to connect on the other port....
31st July 2008, 10:21 PM #7 AndyRite had it spot on, the HP switches I am using allow you to setup ACLs on the VLANs themselves in order to control the flow of traffic.
I simply added an ACL to deny 3389/TCP to any destination apart from the terminal server. Tested both VLAN 2 and 3 and it works.
One happy bunny here
Last edited by ICTNUT; 31st July 2008 at 10:21 PM.
Reason: typo
7th August 2008, 04:15 PM #8 I would like to do the opposite, kind of.
I want to separate the boarding houses onto their own VLAN and only allow RDP traffic from that network to our terminal server so that the boys can logon and get access to their documents that way.
If I'm feeling generous then maybe I'll allow them port 80 so that they can use the internet directly from their laptops, but I have a feeling that this will get abused with HTTP downloads flooding the network.
Is there a way to do this?
7th August 2008, 04:33 PM #9
Originally Posted by Andi:
I would like to do the opposite, kind of.
I want to separate the boarding houses onto their own VLAN and only allow RDP traffic from that network to our terminal server so that the boys can logon and get access to their documents that way.
If I'm feeling generous then maybe I'll allow them port 80 so that they can use the internet directly from their laptops, but I have a feeling that this will get abused with HTTP downloads flooding the network.
Is there a way to do this?
Yes, if your router supports it, like the HP one in this thread, you can use an ACL (Access Control List) to specify allow and deny rules that apply to traffic to and from a router interface. In your example you would allow access to DNS to your internal DNS server (to resolve the hostnames), DHCP, HTTP to your router/gateway and RDP to the specific servers that you want them to have access to. You then add a deny any rule to the end which will deny any traffic that does not meet this criteria from traversing between your subnets.
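Putting posts #7 and #9 together as an added example (this is not ICTNUT's or Andi's actual switch configuration): a ProCurve-style extended ACL applied inbound on the boarding-house VLAN 3 that permits only DNS, DHCP, HTTP to the gateway and RDP to the one terminal server, then drops everything else. The addresses (10.0.3.0/24 for VLAN 3, 10.0.3.1 as its gateway, 10.0.1.5 as the DNS server, 10.0.1.10 as the terminal server), the ACL name and the exact apply-to-VLAN keyword are assumptions; check your switch model's manual for whether it expects `in` or `vlan-in` here.

```text
ip access-list extended "vlan3-to-servers"
   10 remark "DNS to the internal resolver so the terminal server name resolves"
   11 permit udp 10.0.3.0 0.0.0.255 host 10.0.1.5 eq 53
   20 remark "DHCP: client port 68 to server port 67 (covers the broadcast discover)"
   21 permit udp any eq 68 any eq 67
   30 remark "Web only to the router/gateway (assumed proxy), not to arbitrary hosts"
   31 permit tcp 10.0.3.0 0.0.0.255 host 10.0.3.1 eq 80
   40 remark "RDP only to the single terminal server; 3389 to anything else falls through"
   41 permit tcp 10.0.3.0 0.0.0.255 host 10.0.1.10 eq 3389
   50 remark "Explicit catch-all so nothing else crosses between subnets; log for visibility"
   51 deny ip any any log
   exit
vlan 3
   ip access-group "vlan3-to-servers" in
   exit
```

Rules are matched first to last, so the deny must stay at the bottom; the `log` keyword on it gives you a record of which boarding-house hosts are trying other ports, which is how you spot a compromised account being used from the wrong VLAN.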