Securing a headless server

I am setting up a server to be used in a classroom that has problems with people hacking into machines and changing settings.

My solution to this is to install a headless server that can only be configured via terminal services, but I want to deny port 3389 on the LAN NIC interface.

I am going to unmount the computer's front USB ports and connect a wireless adapter to them and mount it inside the case, that way no one will know that there is a wireless connection just by looking.

The wireless interface will be configured with a static IP, with a WEP password.

I plan to use RRAS to deny port 3389 and VPN on the LAN interface and only allow VPN Protocols and ports on the wireless adapter.

Once I have VPNed into the wireless adapter, I can then use terminal services to connect to the LAN NIC and configure the server.

I have set up a test system in this configuration and it seems to work like I want it.

Is there a better approach/tools to set this up?

And can someone tell me why port 3389 is available after I've VPN'd into the computer? I have it blocked and it doesn't work unless I'm VPN'd into the server.


Using wireless on a server isn't the best way to secure it. Using WEP worsens it. Hardwiring the server not only gives you the assurance that people can't wardrive the network, but you get better performance. Wireless networks, with the exception of certain APs/routers, are easily hackable. However, if you still want to use wireless, use WPA-PSK encryption. WEP is inherently insecure. As for VPN, the port is disabled on the server but not on the terminals, so you'd still see it open. What you should do is create a group policy that closes that port as well, if you can.


Yeah, I probably will use WPA instead of WEP, thanks.

Could you walk me through or give me the link to a good tutorial on how to set up the group policy to control access?

I've tried several times in the past to do that and it never works so I must be missing something. :angry:

Also, I know that wireless can be hacked, but the school already has a wireless infrastructure that 99% of laptops are configured to automatically pick up the school's network, and I'm hoping that the wireless adapter's range will be hampered by the fact that it's mounted inside a metal box.

So I'm partly just hoping that no one will notice that there is another wireless signal. If they do notice, I'm hoping that the WPA key and VPN-only access will be enough to stop them, but they have to find the server's WiFi IP address first, which I will set to a static 169.254.x.x address, so no easy DHCP numbers for them. I've never dealt with hacking much, so I don't know how easy/hard it is to get around those things.


Windows XP SP2 supports WPA2 w/ AES. This is the most secure configuration of XP out of the box. I don't know if Win 2003 supports this or not. I have heard that you should make your key at least 20 characters long, too.

-John


Good idea about changing the RDP port number. I just wanted to mention that after you change the registry entry, you have to reboot your server in order for it to take effect.

After you choose a port number, I would google around for "port xxxx" and see if anything comes up. If it is a popular port, I would not use it. I would choose one that google does not return a lot of results for.

-John
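
The port change and interface restriction discussed in this thread, as an added PowerShell example that is not from any of the posters; it assumes a current Windows host with the NetSecurity module (not the XP/2003-era RRAS filters the thread describes), and the adapter alias and port number are placeholders to edit.

```powershell
# Added example (not from the thread): move the RDP listener off 3389 and allow
# the new port inbound only on one adapter, so the classroom LAN cannot reach it.
# Assumes a current Windows host; $NewPort and $AllowedAdapter are placeholders.
#Requires -RunAsAdministrator

$NewPort        = 3390      # placeholder: pick an unused, non-well-known port
$AllowedAdapter = 'Wi-Fi'   # placeholder: alias of the adapter RDP may be reached on
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Sanity check: the adapter must exist, otherwise the allow rule matches nothing.
if (-not (Get-NetAdapter -Name $AllowedAdapter -ErrorAction SilentlyContinue)) {
    throw "No adapter named '$AllowedAdapter'; run Get-NetAdapter to list them."
}

# Refuse a port that already has a listener, or RDP will fail to bind after reboot.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $NewPort already has a listener; choose another."
}

# 1. Change the listener port. As the post above says, this needs a reboot.
Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
$applied = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
if ($applied -ne $NewPort) { throw "Registry write failed (read back $applied)." }

# 2. Disable the built-in rules that still open 3389 on every interface.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule

# 3. Allow the new port inbound only on the chosen adapter.
New-NetFirewallRule -DisplayName "RDP on $NewPort ($AllowedAdapter only)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -InterfaceAlias $AllowedAdapter -Action Allow | Out-Null

# 4. Explicitly block the port on every other adapter. A blanket block would
#    also beat the allow rule (block rules win), so scope it to the other aliases.
$others = (Get-NetAdapter | Where-Object Name -ne $AllowedAdapter).Name
if ($others) {
    New-NetFirewallRule -DisplayName "RDP on $NewPort blocked on other adapters" `
        -Direction Inbound -Protocol TCP -LocalPort $NewPort `
        -InterfaceAlias $others -Action Block | Out-Null
}

Write-Host "RDP will listen on TCP $NewPort via '$AllowedAdapter' after the next reboot."
```

After rebooting, confirm with `Get-NetTCPConnection -LocalPort $NewPort -State Listen` that the listener moved, and test from the LAN side that the port is refused.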
