Microsoft Terminal Services Policy Violation

FNAL Policy Violation
Platform: Windows
Product: Microsoft Terminal Services (TS) and Remote Desktop Protocol (RDP)
Exploitation: Remote
Patch By: No patch
Remediation: Disable TS/RDP or setup for Localhost access only and use an SSH tunnel


Users may connect to Windows desktops and Windows servers from the FNAL network, or from a VPN session, through a Kerberos-authenticated session only if the Windows desktop or server is in the Fermi Active Directory domain and accepts logins only from the Fermi Active Directory domain (e.g. the remote desktop cannot permit a locally defined account to log in). These sessions cannot be offered offsite directly, but must instead be used in conjunction with the FNAL VPN service. All deviations and deficiencies require an exemption. See the FNAL Remote Access/Remote Desktop Policy Abbreviated Technical Details.

This is the acceptance and enforcement of an existing policy by the Fermi domain, originally drafted by the Windows Policy Committee (Windows Domain policies).

Please consult the Remote Desktop Windows Firewall guide for help in configuring your Windows firewall so that Windows Remote Desktop/Terminal Services accepts on-site access only, or search Google for help on configuring the Windows firewall; see also these links to a Windows Firewall Tutorial and Windows Firewall Basics.
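As an added illustration (not part of this page or the FNAL guide), the following PowerShell applies the two remediations above on a current Windows host using the built-in NetSecurity cmdlets: scope the inbound Remote Desktop rule to on-site address ranges, or leave RDP closed to the network and reach it through an SSH tunnel. The address ranges, rule names and host name are placeholders, and the SSH-tunnel option assumes an SSH server is installed on the Windows host.

```powershell
# Added example, not from the FNAL page. Run in an elevated PowerShell session
# on Windows 8 / Server 2012 or later (NetSecurity module).
# The address ranges below are PLACEHOLDERS; substitute the real on-site ranges.
$OnSiteRanges = @('192.0.2.0/24', '198.51.100.0/24')   # PLACEHOLDER (documentation prefixes)
$RuleName     = 'Remote Desktop - on-site only'

# Step 1: disable the stock Remote Desktop allow rules. They permit TCP/3389 from
# any address and would otherwise bypass the narrower rule created below.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# Option A: on-site only. Allow TCP/3389 solely from the listed ranges (add the
# VPN address pool here too if it is not inside those ranges).
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $OnSiteRanges -Profile Domain,Private | Out-Null

# Option B: localhost only plus SSH tunnel. Skip the New-NetFirewallRule call above
# and leave every RDP allow rule disabled. Windows Firewall does not filter loopback
# traffic, so RDP stays reachable at 127.0.0.1:3389 on the host itself. From the
# client, forward a local port over SSH (assumes an SSH server listening on the
# Windows host and its own inbound rule for TCP/22):
#   ssh -L 3389:127.0.0.1:3389 user@windows-host.example   # PLACEHOLDER host name
# then point the RDP client at 127.0.0.1:3389.

# Verification: list every enabled inbound rule that opens port 3389 together with
# the remote scope it accepts. Anything showing 'Any' here is a policy deficiency.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
        }
    } | Format-Table -AutoSize
```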

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team ; last modified by FJN on November 18, 2008.
(Address comments about page to the Computer Security Team.)