Securing a headless server

[Arrow_Runner]

I am setting up a server to be used in a classroom that has problems with people hacking into machines and changing settings.

My solution to this is to install a headless server that can only be configured via terminal services, but I want to deny port 3389 on the LAN NIC interface.

I am going to unmount the computer's front USB ports and connect a wireless adapter to them and mount it inside the case, that way no one will know that there is a wireless connection just by looking.

The wireless interface will be configured with a static IP, with a WEP password.

I plan to use RRAS to deny port 3389 and VPN on the LAN interface and only allow VPN Protocols and ports on the wireless adapter.

Once I have VPNed into the wireless adapter, I can then use terminal services to connect to the LAN NIC and configure the server.

I have set up a test system in this configuration and it seems to work like I want it.

Is there a better approach/tools to set this up?

And can someone tell me why port 3389 is available after I've VPN'd into the computer? I have it blocked and it doesn't work unless I'm VPN'd into the server.

[RogueSpear]

This may be totally impossible for you, but would it be possible to simply locate the computer in a locked closet or something?

[Arrow_Runner]

Yeah, the computer has to be out in the open

Thanks for the suggestion though.

Any other thoughts?