This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Shahar_Grober
Advisor
‎2018-11-01 10:08 AM

Protect Terminal Servers

Dear Community,

Does Check Point have some kind of best practices or solution to protect Terminal Servers and remote desktop users against threats? 

Our users rely heavily on Terminal Servers and do most of their work from there.

What is the best way to protect them when they downloading and opening files, moving files from/to the file servers, etc.?   On the endpoint we have SBA, but when they connect to the Terminal Server, SBA is no use. 

1. Did anyone try to install Sandblast agent on Terminal servers and succeeded (I saw some previous posts pointing for POC, but, are there real live deployment out there)?

2. Is there another solution to protect users on terminal servers (Doesn't have to be Check Point but a complementary solution)? 

10 Replies
Vladimir
Champion
Champion
‎2018-11-01 01:15 PM

To the best of my knowledge, and I am not an expert on Terminal Services, the only difference in protecting your users is in implementation of the Terminal Servers Identity Agent which will allow you to create a Role Based access rules. Otherwise, traffic generated by the terminal server will be inspected in the regular fashion.

Terminal Servers Identity Agent
Dedicated client agent installed on Microsoft® Windows-based application server that hosts Terminal Servers, Citrix XenApp, and Citrix XenDesktop services. This client agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. In the past, this client agent was called Multi-User Host (MUH) Agent.
You can download the Terminal Servers Endpoint Identity Agent from the Identity Awareness Gateway:
https://<Gateway_IP_Address>/_IA_MU_Agent/download/muhAgent.exe

Shahar_Grober
Advisor
‎2018-11-02 04:08 AM
In response to Vladimir

Thanks for the answer Vladimir, 

The identity awareness blade is not used directly for threat prevention. IDA helps to monitor users activity and prevent access to where they shouldn't have access. The problem is when users in remote desktops are using legit services like email, file sharing, and web, they will not be protected inside the remote desktop session (only on the network level but not on the remote session itself). 

So I can install an Anti-Virus on the remote desktop but for APT's, Phishing attacks, Ransomware, etc., there is no way to mitigate them. Or maybe I am wrong. 

There are many good articles on how to secure the RDP protocol, RDP sessions, and RDP servers but once the user is inside the RDP session, there is no control over what happens. 

0 Kudos
Vladimir
Champion
Champion
‎2018-11-02 08:43 AM
In response to Shahar_Grober

Shahar,

The IA blade indeed simply addresses Access Control aspects of security in Terminal Services.

As to the rest of your concerns, I believe that the majority of the TP/TX functionality is applicable to the terminal services.

Consider that the traffic generated by TS clients will still be going through the same AV, AB, IPS, TE and TX on the gateway and this should provide you with pretty robust protection.

There is a general difficulty installing browser plugins on TS and it would be good to hear from Check Point if there are supported ways and means to achieve that.

0 Kudos
Shahar_Grober
Advisor
‎2018-11-02 09:13 AM

Perimeter protection cannot block everything, especially not files download via the web (without using hold mode) or files which are received via other protocols or media. The endpoint layer can provide this layer of protection and prevention but it is a technical difficulty both from the deployment aspects (browser plugin) and also performance wise. Even if it is possible, since remote desktop sessions and Sandblast agent are resources consuming, it can create a performance challenges on the session host. 

Charris_Lappas
Collaborator
‎2018-11-18 10:34 PM

Even that CP supports all windows servers, we have faced a lot of issues with SBA on Windows running Terminal Services such as:

a) The hard drive fills up unexpectively

b) Pop up messages appears to all users

c) Unstable server

We have opened several cases with TAC for more than a year now without much success.

Thanks,

Charris Lappas

PS. There is a special Identity Agent for Terminal Services that works really works, but that is to distinguish which user is doing what, not for securing the user/server.

0 Kudos
Shahar_Grober
Advisor
‎2018-11-19 11:46 PM
In response to Charris_Lappas

Are there any complementary solutions or 3rd party integrations for terminal servers and Remote Desktop environments? I tried to look for a solution that can give users the same protection and threat prevention as endpoint security does on PC/laptops but couldn’t find any

MikeB
Advisor
‎2020-05-29 08:38 AM

After almost 2 years of this post, does anyone know if there is any improvement or compatibility in Roadmap for Sandblast Agent in Windows Terminal services?

0 Kudos
Jeroen_Demets
Collaborator
‎2020-11-18 06:03 AM
In response to MikeB

I'm also interested in the reply.

We need server protection as well. We installed it on regular servers and on domain controllers and had to finetune... we had issues with dfs replication and had to exclude that.

There is very few documentation about this and the product doesn't seem mature enough for servers. And Terminal servers and XenApp are even tougher to take on. I'm afraid at this moment we have no choice but use another vendor for servers.

(and maybe I got somebody's attention who will now tell us we should no longer worry?)

VDI setups such as XenDesktop are supported now though (from E84.20 and higher) but those are client OS'es

Nikolay_Petrush
Explorer
‎2020-12-14 09:53 AM
In response to Jeroen_Demets

+  interested too

0 Kudos
Kobie_Bendalak
Employee Alumnus
Employee Alumnus
‎2020-12-23 12:28 AM

@Nikolay_Petrush @Shahar_Grober @Jeroen_Demets @MikeB @Charris_Lappas It's on our short-term roadmap, in the meantime please follow this sk167575.

We can take it offline and discuss it in more detail, my email is kobieb@checkpoint.com.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events