topic Re: Protect Terminal Servers in Endpoint

Protect Terminal Servers

Shahar_Grober — Thu, 01 Nov 2018 17:08:30 GMT

Dear Community,

Does Check Point have some kind of best practices or solution to protect Terminal Servers and remote desktop users against threats?

Our users rely heavily on Terminal Servers and do most of their work from there.

What is the best way to protect them when they downloading and opening files, moving files from/to the file servers, etc.? On the endpoint we have SBA, but when they connect to the Terminal Server, SBA is no use.

1. Did anyone try to install Sandblast agent on Terminal servers and succeeded (I saw some previous posts pointing for POC, but, are there real live deployment out there)?

2. Is there another solution to protect users on terminal servers (Doesn't have to be Check Point but a complementary solution)?

Re: Protect Terminal Servers

Vladimir — Thu, 01 Nov 2018 20:15:08 GMT

To the best of my knowledge, and I am not an expert on Terminal Services, the only difference in protecting your users is in implementation of the Terminal Servers Identity Agent which will allow you to create a Role Based access rules. Otherwise, traffic generated by the terminal server will be inspected in the regular fashion.

Terminal Servers Identity Agent
Dedicated client agent installed on Microsoft® Windows-based application server that hosts Terminal Servers, Citrix XenApp, and Citrix XenDesktop services. This client agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. In the past, this client agent was called Multi-User Host (MUH) Agent.
You can download the Terminal Servers Endpoint Identity Agent from the Identity Awareness Gateway:
https://<Gateway_IP_Address>/_IA_MU_Agent/download/muhAgent.exe

Re: Protect Terminal Servers

Shahar_Grober — Fri, 02 Nov 2018 11:08:20 GMT

Thanks for the answer Vladimir,

The identity awareness blade is not used directly for threat prevention. IDA helps to monitor users activity and prevent access to where they shouldn't have access. The problem is when users in remote desktops are using legit services like email, file sharing, and web, they will not be protected inside the remote desktop session (only on the network level but not on the remote session itself).

So I can install an Anti-Virus on the remote desktop but for APT's, Phishing attacks, Ransomware, etc., there is no way to mitigate them. Or maybe I am wrong.

There are many good articles on how to secure the RDP protocol, RDP sessions, and RDP servers but once the user is inside the RDP session, there is no control over what happens.

Re: Protect Terminal Servers

Vladimir — Fri, 02 Nov 2018 15:43:31 GMT

Shahar,

The IA blade indeed simply addresses Access Control aspects of security in Terminal Services.

As to the rest of your concerns, I believe that the majority of the TP/TX functionality is applicable to the terminal services.

Consider that the traffic generated by TS clients will still be going through the same AV, AB, IPS, TE and TX on the gateway and this should provide you with pretty robust protection.

There is a general difficulty installing browser plugins on TS and it would be good to hear from Check Point if there are supported ways and means to achieve that.

Re: Protect Terminal Servers

Shahar_Grober — Fri, 02 Nov 2018 16:13:15 GMT

Perimeter protection cannot block everything, especially not files download via the web (without using hold mode) or files which are received via other protocols or media. The endpoint layer can provide this layer of protection and prevention but it is a technical difficulty both from the deployment aspects (browser plugin) and also performance wise. Even if it is possible, since remote desktop sessions and Sandblast agent are resources consuming, it can create a performance challenges on the session host.

Re: Protect Terminal Servers

Charris_Lappas — Mon, 19 Nov 2018 06:34:51 GMT

Even that CP supports all windows servers, we have faced a lot of issues with SBA on Windows running Terminal Services such as:

a) The hard drive fills up unexpectively

b) Pop up messages appears to all users

c) Unstable server

We have opened several cases with TAC for more than a year now without much success.

Thanks,

Charris Lappas

PS. There is a special Identity Agent for Terminal Services that works really works, but that is to distinguish which user is doing what, not for securing the user/server.

Re: Protect Terminal Servers

Shahar_Grober — Tue, 20 Nov 2018 07:46:33 GMT

Are there any complementary solutions or 3rd party integrations for terminal servers and Remote Desktop environments? I tried to look for a solution that can give users the same protection and threat prevention as endpoint security does on PC/laptops but couldn’t find any

Re: Protect Terminal Servers

MikeB — Fri, 29 May 2020 15:38:22 GMT

After almost 2 years of this post, does anyone know if there is any improvement or compatibility in Roadmap for Sandblast Agent in Windows Terminal services?

Re: Protect Terminal Servers

Jeroen_Demets — Wed, 18 Nov 2020 14:06:59 GMT

I'm also interested in the reply.

We need server protection as well. We installed it on regular servers and on domain controllers and had to finetune... we had issues with dfs replication and had to exclude that.

There is very few documentation about this and the product doesn't seem mature enough for servers. And Terminal servers and XenApp are even tougher to take on. I'm afraid at this moment we have no choice but use another vendor for servers.

(and maybe I got somebody's attention who will now tell us we should no longer worry?)

VDI setups such as XenDesktop are supported now though (from E84.20 and higher) but those are client OS'es

Re: Protect Terminal Servers

Nikolay_Petrush — Mon, 14 Dec 2020 17:53:10 GMT

+ interested too

Re: Protect Terminal Servers

Kobie_Bendalak — Wed, 23 Dec 2020 08:28:27 GMT

@Nikolay_Petrush @Shahar_Grober @Jeroen_Demets @MikeB @Charris_Lappas It's on our short-term roadmap, in the meantime please follow this sk167575.

We can take it offline and discuss it in more detail, my email is kobieb@checkpoint.com.