Wireless Networks Thread, Stopping MSTSC access across VLANs, in Technical
  #1 ICTNUT

    Stopping MSTSC access across VLANs

    Hi All, after getting my VLANs up and running, with each core switch now having at least 4 redundant links to it, I now turn my attention to further locking down VLANs.

    Now the subnets are working fine, in that VLAN 2 (Staff) cannot see VLAN 3 (Students) and vice versa; this is good. You can, however, still launch mstsc (RDP) to the servers from either of these VLANs, and there is a route through to the servers, there has to be!

    Anyone know the best way of restricting this? Yes, I know that you have to be a member of the admins group to get access, but if the username and password is compromised I am trying to reduce the attack window by only allowing mstsc access from within VLAN 1 only, i.e. the server room, comms room, or my office.

    Thanks in advance

  #2 Geoff
    RDP runs over TCP port 3389. Firewall it.

  #3 ICTNUT
    Yes, I thought of that, and on VLAN 2 that would be great; in fact I'll do that now. However, on VLAN 3 (students) I have a number of thin clients, and these would effectively stop working, and that would be an issue....

  #4 Geoff
    If you sit a real physical firewall device (say a Linux box) between your servers and your clients you can selectively pick and choose which RDP traffic to allow/deny based on destination IP.

  Thanks to Geoff from: ICTNUT (31st July 2008)

  #5 andyrite
    Put an ACL on the VLAN. Only allow RDP from the thin clients to the servers. Deny the rest of the hosts.

  Thanks to andyrite from: ICTNUT (31st July 2008)

  #6 OutLawTorn
    Change the RDP port on any servers you want locked down... that way when you remote desktop into them, you can tell it to connect on the other port....

  #7 ICTNUT
    AndyRite had it spot on; the HP switches I am using allow you to set up ACLs on the VLANs themselves in order to control the flow of traffic.

    I simply added an ACL to deny 3389/TCP to any destination apart from the terminal server. Tested both VLAN 2 and 3 and it works.

    One happy bunny here.
    Last edited by ICTNUT; 31st July 2008 at 10:21 PM. Reason: typo

  #8 Andi
    I would like to do the opposite, kind of.

    I want to separate the boarding houses onto their own VLAN and only allow RDP traffic from that network to our terminal server, so that the boys can log on and get access to their documents that way.

    If I'm feeling generous then maybe I'll allow them port 80 so that they can use the internet directly from their laptops, but I have a feeling that this will get abused with HTTP downloads flooding the network.

    Is there a way to do this?

  #9 SYNACK
    Quote Originally Posted by Andi:
        I would like to do the opposite, kind of.

        I want to separate the boarding houses onto their own VLAN and only allow RDP traffic from that network to our terminal server, so that the boys can log on and get access to their documents that way.

        If I'm feeling generous then maybe I'll allow them port 80 so that they can use the internet directly from their laptops, but I have a feeling that this will get abused with HTTP downloads flooding the network.

        Is there a way to do this?

    Yes, if your router supports it, like the HP one in this thread, you can use an ACL (Access Control List) to specify allow and deny rules that apply to traffic to and from a router interface. In your example you would allow access to DNS to your internal DNS server (to resolve the hostnames), DHCP, HTTP to your router/gateway and RDP to the specific servers that you want them to have access to. You then add a deny any rule to the end, which will deny any traffic that does not meet this criteria from traversing between your subnets.
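    Added worked example (not from anyone in this thread, and not HP switch syntax): a small first-match ACL evaluator in Python that models the two policies discussed above, the post #5/#7 style student-VLAN ACL (RDP permitted only from the thin clients to the terminal server, all other 3389/TCP denied, everything else untouched) and the post #9 style boarding-house allow-list (DNS, DHCP, HTTP to the gateway, RDP to the terminal server, then deny any). All addresses, the thin-client range and the server roles are constructed for the example; translate the rules into your switch's own ACL format.

```python
# Added example, not from the thread: a first-match ACL evaluator that models the
# VLAN ACLs discussed in posts #5, #7 and #9. Every address below is constructed
# for the example; this is not vendor CLI syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip" (ip = any protocol)
    src: str                     # source prefix in CIDR notation
    dst: str                     # destination prefix in CIDR notation
    dport: Optional[int] = None  # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """True when every field of the rule covers the flow."""
    if rule.proto != "ip" and rule.proto != flow.proto:
        return False
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == flow.dport


def evaluate(acl: list[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow that matches nothing is denied (implicit deny)."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Constructed addressing for the example.
STUDENT_VLAN3 = "10.3.0.0/24"
THIN_CLIENTS = "10.3.0.128/25"     # assume the thin clients sit in the top half of VLAN 3
BOARDING_VLAN = "10.4.0.0/24"
TERMINAL_SERVER = "10.1.0.10/32"
FILE_SERVER = "10.1.0.20/32"
DNS_SERVER = "10.1.0.5/32"
GATEWAY = "10.1.0.1/32"
ANY = "0.0.0.0/0"

# Post #7 style ACL for the student VLAN: RDP only from the thin clients to the
# terminal server, no other RDP anywhere, everything else left alone.
STUDENT_ACL = [
    Rule("permit", "tcp", THIN_CLIENTS, TERMINAL_SERVER, 3389),
    Rule("deny", "tcp", ANY, ANY, 3389),
    Rule("permit", "ip", ANY, ANY),
]

# Post #9 style allow-list for the boarding-house VLAN. HTTP is permitted to the
# gateway as the post describes; if web traffic goes out directly rather than via
# a proxy on the gateway, that destination needs widening. DHCP discovers come
# from source 0.0.0.0 before a lease exists, so that rule has no source limit.
BOARDING_ACL = [
    Rule("permit", "udp", BOARDING_VLAN, DNS_SERVER, 53),
    Rule("permit", "udp", ANY, ANY, 67),
    Rule("permit", "tcp", BOARDING_VLAN, GATEWAY, 80),
    Rule("permit", "tcp", BOARDING_VLAN, TERMINAL_SERVER, 3389),
    Rule("deny", "ip", ANY, ANY),
]


def rdp_from(src: str, dst: str, acl: list[Rule]) -> str:
    """Decision for an RDP (3389/TCP) connection attempt from src to dst."""
    return evaluate(acl, Flow("tcp", src, dst, 3389))


def order_matters() -> bool:
    """Placing the blanket deny before the thin-client permit silently breaks the thin clients."""
    wrong_order = [STUDENT_ACL[1], STUDENT_ACL[0], STUDENT_ACL[2]]
    ok = rdp_from("10.3.0.200", "10.1.0.10", STUDENT_ACL) == "permit"
    broken = rdp_from("10.3.0.200", "10.1.0.10", wrong_order) == "deny"
    return ok and broken


if __name__ == "__main__":
    cases = [
        ("thin client -> terminal server", "10.3.0.200", "10.1.0.10", STUDENT_ACL),
        ("student laptop -> terminal server", "10.3.0.50", "10.1.0.10", STUDENT_ACL),
        ("thin client -> file server", "10.3.0.200", "10.1.0.20", STUDENT_ACL),
        ("boarding laptop -> terminal server", "10.4.0.77", "10.1.0.10", BOARDING_ACL),
        ("boarding laptop -> file server", "10.4.0.77", "10.1.0.20", BOARDING_ACL),
    ]
    for name, src, dst, acl in cases:
        print(f"{name:36} RDP: {rdp_from(src, dst, acl)}")
    print("rule order matters:", order_matters())
```

    The `order_matters` check is the part worth keeping in mind when the ACL is typed into a real switch: the thin-client permit has to come before the blanket 3389 deny, and the boarding-house list only works because the trailing deny catches everything the earlier permits did not name.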
