Yesup
 
 

Yamabay Knowledge Base

 

Terminal Service IP Filtering on Windows Server 2000/2003


Unlike Internet Information Services (IIS), Windows Terminal Services has no admin/config setting to filter IPs so that only certain IPs can log in to the service. This is a problem, because it opens the door for any hacker in the world to use TCP port 3389 to try to log in. Even if they fail, they may have locked out many accounts by the time the legitimate users try to log in.


In fact, starting with Windows 2000 Server, Windows has a central place to accept or block IP traffic: Administrative Tools -> Local Security Policy -> IP Security Policy. By default, all inbound and outbound traffic of any protocol on any port is accepted.


To limit which IPs can reach Terminal Services (TCP port 3389), or any other service such as SQL Server, SNMP, SMTP, etc., we need to create a policy and activate it. A policy contains pairs of (IP filter list + action). Once the policy is set and activated, only the IPs it explicitly permits will be allowed. For example, if we only allow the IP block 160.203.229.0/24 to access this Terminal Service, we should create an entry with this IP block and the action "Permit". After that, we should add another entry to "Deny" any IP address. With these two entries in the policy, when it is activated, only the IP block 160.203.229.0/24 will be allowed to access the Terminal Service. We can add more IP blocks if needed.
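The same permit/deny pair can be built from the command line instead of the Local Security Policy console. The script below is an added example, not part of this article or the SecurityFocus one it links to; it uses the `netsh ipsec static` context that ships with Windows Server 2003 (Windows 2000 Server has no `netsh ipsec` and needs the GUI or the ipsecpol/ipseccmd tools instead). The policy, filter list, filter action and rule names are assumptions chosen for readability; the IP block 160.203.229.0/24 is the one used in the text.

```batch
@echo off
rem Added example (not from the original article): restrict Terminal Services
rem (TCP 3389) to one trusted IP block using Windows Server 2003 IPsec filters.
rem Names below are assumptions; 160.203.229.0/24 is the article's sample block.
rem Run at the server console or from a session that is itself inside the
rem trusted block, because the "Block" rule takes effect as soon as the policy
rem is assigned.

set POLICY=TS Lockdown
set ALLOWED_NET=160.203.229.0
set ALLOWED_MASK=255.255.255.0

rem 1. Create the policy, unassigned for now so nothing changes until step 6.
netsh ipsec static add policy name="%POLICY%" description="Restrict RDP (TCP 3389) to trusted networks" assign=no

rem 2. Filter list + filter: trusted block -> this host, TCP 3389.
rem    mirrored=yes also matches the reply packets going back to the client.
netsh ipsec static add filterlist name="RDP from trusted net"
netsh ipsec static add filter filterlist="RDP from trusted net" srcaddr=%ALLOWED_NET% srcmask=%ALLOWED_MASK% dstaddr=me protocol=TCP dstport=3389 mirrored=yes

rem 3. Filter list + filter: any address -> this host, TCP 3389.
netsh ipsec static add filterlist name="RDP from anywhere"
netsh ipsec static add filter filterlist="RDP from anywhere" srcaddr=any dstaddr=me protocol=TCP dstport=3389 mirrored=yes

rem 4. The two actions the article pairs with its IP lists.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem 5. Rules bind each filter list to its action. IPsec applies the most
rem    specific matching filter, so the /24 permit wins over the "any" block
rem    for clients inside the trusted block; everyone else hits "Block".
netsh ipsec static add rule name="Allow trusted RDP" policy="%POLICY%" filterlist="RDP from trusted net" filteraction="Permit"
netsh ipsec static add rule name="Deny other RDP" policy="%POLICY%" filterlist="RDP from anywhere" filteraction="Block"

rem 6. Activate (assign) the policy and print what is now in force.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose
```

To add a second trusted block, repeat step 2 with another `add filter` line against the same "RDP from trusted net" list; the existing permit rule picks it up. Before assigning the policy on a production server, test from an address outside the block (the RDP connection should fail at the TCP level, and the failed attempts will no longer reach the logon process that locks accounts) and from one inside it. `netsh ipsec static set policy name="TS Lockdown" assign=no` backs the change out.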


For step-by-step instructions for Windows 2000 Server, please refer to:


http://www.securityfocus.com/infocus/1559


Setting up an IP Security Policy on Windows Server 2003 is very similar.
