
Protect Terminal Servers

Dear Community,

Does Check Point have some kind of best practices or solution to protect Terminal Servers and remote desktop users against threats? 

Our users rely heavily on Terminal Servers and do most of their work from there.

What is the best way to protect them when they are downloading and opening files, moving files from/to the file servers, etc.? On the endpoint we have SBA, but when they connect to the Terminal Server, SBA is of no use.

1. Did anyone try to install SandBlast Agent on Terminal Servers and succeed (I saw some previous posts pointing to a POC, but are there real live deployments out there)?

2. Is there another solution to protect users on terminal servers (Doesn't have to be Check Point but a complementary solution)? 

6 Replies
Vladimir
Pearl

Re: Protect Terminal Servers

To the best of my knowledge, and I am not an expert on Terminal Services, the only difference in protecting your users is in the implementation of the Terminal Servers Identity Agent, which will allow you to create Role Based access rules. Otherwise, traffic generated by the terminal server will be inspected in the regular fashion.

Terminal Servers Identity Agent
Dedicated client agent installed on Microsoft® Windows-based application server that hosts Terminal Servers, Citrix XenApp, and Citrix XenDesktop services. This client agent acquires and reports identities to the Check Point Identity Awareness Security Gateway. In the past, this client agent was called Multi-User Host (MUH) Agent.
You can download the Terminal Servers Endpoint Identity Agent from the Identity Awareness Gateway:
https://<Gateway_IP_Address>/_IA_MU_Agent/download/muhAgent.exe

Re: Protect Terminal Servers

Thanks for the answer Vladimir, 

The identity awareness blade is not used directly for threat prevention. IDA helps to monitor users activity and prevent access to where they shouldn't have access. The problem is when users in remote desktops are using legit services like email, file sharing, and web, they will not be protected inside the remote desktop session (only on the network level but not on the remote session itself). 

So I can install an Anti-Virus on the remote desktop, but for APTs, Phishing attacks, Ransomware, etc., there is no way to mitigate them. Or maybe I am wrong.

There are many good articles on how to secure the RDP protocol, RDP sessions, and RDP servers but once the user is inside the RDP session, there is no control over what happens. 

0 Kudos
Vladimir
Pearl

Re: Protect Terminal Servers

Shahar,

The IA blade indeed simply addresses Access Control aspects of security in Terminal Services.

As to the rest of your concerns, I believe that the majority of the TP/TX functionality is applicable to the terminal services.

Consider that the traffic generated by TS clients will still be going through the same AV, AB, IPS, TE and TX on the gateway and this should provide you with pretty robust protection.

There is a general difficulty installing browser plugins on TS and it would be good to hear from Check Point if there are supported ways and means to achieve that.

0 Kudos

Re: Protect Terminal Servers

Perimeter protection cannot block everything, especially not file downloads via the web (without using hold mode) or files which are received via other protocols or media. The endpoint layer can provide this layer of protection and prevention, but it is a technical difficulty both from the deployment aspects (browser plugin) and also performance-wise. Even if it is possible, since remote desktop sessions and SandBlast Agent are resource-consuming, it can create performance challenges on the session host.

Re: Protect Terminal Servers

Even though CP supports all Windows servers, we have faced a lot of issues with SBA on Windows running Terminal Services, such as:

a) The hard drive fills up unexpectedly

b) Pop-up messages appear to all users

c) Unstable server

We have opened several cases with TAC for more than a year now without much success.

Thanks,

Charris Lappas

PS. There is a special Identity Agent for Terminal Services that really works, but that is to distinguish which user is doing what, not for securing the user/server.

0 Kudos
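The symptoms listed in the reply above (disk filling up, users seeing pop-ups, instability) are the kind of thing an admin wants to spot on a session host before users do. The following PowerShell script is an added example, not code from the thread or from Check Point; it is run locally on the session host and reports low free space, the number of RDP sessions, the state of an endpoint agent service, and the largest folders under a data path. The service name and the data path are placeholders/assumptions and must be replaced with the real values for your deployment.

```powershell
# Added example (not from the thread or from Check Point): quick health check
# for an RDS session host showing the symptoms discussed above.
# Run locally on the session host in an elevated Windows PowerShell session.
param(
    [int]$FreeSpaceWarnPercent = 15,
    # ASSUMPTION / placeholder: replace with the real endpoint agent service name.
    [string]$EndpointServiceName = 'PLACEHOLDER_ENDPOINT_SERVICE',
    # ASSUMPTION / placeholder: root under which agent caches/logs/quarantine live.
    [string]$DataRoot = 'C:\ProgramData'
)

# 1. Free space on every fixed volume; flag volumes below the warning threshold.
$volumes = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=3"
foreach ($v in $volumes) {
    if (-not $v.Size) { continue }   # skip volumes that report no size
    $pct  = [math]::Round(100 * $v.FreeSpace / $v.Size, 1)
    $flag = if ($pct -lt $FreeSpaceWarnPercent) { 'LOW' } else { 'ok' }
    "{0} {1,6}% free  {2}" -f $v.DeviceID, $pct, $flag
}

# 2. Count interactive RDP sessions (active and disconnected) via quser.
$sessions = quser 2>$null | Select-Object -Skip 1
"RDP sessions (active + disconnected): {0}" -f ($sessions | Measure-Object).Count

# 3. State of the endpoint agent service, if present.
$svc = Get-Service -Name $EndpointServiceName -ErrorAction SilentlyContinue
if ($svc) { "Service {0}: {1}" -f $svc.Name, $svc.Status }
else      { "Service '$EndpointServiceName' not found (placeholder name?)" }

# 4. Ten largest folders under the data root, to see what is eating the disk.
Get-ChildItem -Path $DataRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $bytes = (Get-ChildItem -Path $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    [pscustomobject]@{ Folder = $_.FullName; GB = [math]::Round(($bytes / 1GB), 2) }
} | Sort-Object -Property GB -Descending | Select-Object -First 10
```

Scheduling this as a task and shipping its output to your monitoring system gives an early warning for the disk-full condition; the folder listing in step 4 is what tells you whether an agent cache or log directory is the culprit before opening a TAC case.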

Re: Protect Terminal Servers

Are there any complementary solutions or 3rd party integrations for terminal servers and Remote Desktop environments? I tried to look for a solution that can give users the same protection and threat prevention as endpoint security does on PCs/laptops, but couldn't find any.