
RE: Secure / Encrypt Terminal Services

From: Zack Berkovitz <zberkovitz(at)pga-inc.com>
Date: Tue Nov 26 2002 - 14:06:58 EST


In the securityfocus article, it states:

Terminal Services is a built-in service in Windows 2000 that provides admins with a remote desktop for managing a server. Terminal Services is the most obvious way to remotely manage a server because it is built-in, easy to get running, uses built-in Windows accounts for authentication, and allows for strong encryption. But there are some limitations: there is no mechanism to limit access by IP address, it is not obvious how to change the default listening port, and it has no logging facility. Based on the list of requirements at the beginning of this article, Terminal Services alone does not score well on security.

There are several easy-to-follow steps to use the included tools to achieve similar results with less overhead (latency and packet overhead-- i.e. no second wrapper):

Access can be limited by IP filter or IPSec policy native to the OS, the listening port can be changed in the registry:

http://support.microsoft.com/default.aspx?scid=kb;en-us;187623

Logging occurs in the security log. You can change the local audit policy to include what you want logged.

Some packets (licensing info and print job acknowledgments) aren't encrypted (who knows why), so this may be a concern:

http://support.microsoft.com/default.aspx?scid=kb;en-us;275727


The RDPClip and Drmapsrv utilities from the resource kit will allow you to map local client drives into the session and copy files over the encrypted session:

http://support.microsoft.com/default.aspx?scid=kb;en-us;309825

It doesn't work with the Advanced client (the XP version, which you can run on 2K), however:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;278139

And, of course, you can install the high encryption pack and specify that all RDP sessions must be 128-bit encrypted in the Terminal Services Configuration snap-in.

So, really, the main limitations are the type of encryption or its strength (you feel more comfortable with 3DES, for example), and potentially the few packets which are sent in the clear (you don't want someone knowing your printer names... Actually, I recommend disabling all port, printer, and drive mapping by policy-- clipboard mapping is generally the only mapping necessary for remote management, unless you need to transfer files and don't have some other method.) Also, does anyone know if you can replay encrypted RDP?

The easiest thing to do for a non-sensitive server (i.e. end-user terminal server box) is to use a network VPN first. I've used a hardware VPN with IPSec 3DES and client software in the past. This way you don't have to set up IPSec on the box.

For the original question, IPSec sounds like a good solution, although if the WAN is somewhat controlled, then the default 128-bit encryption may be sufficient.

- Zack
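The settings Zack walks through (listening port, minimum encryption level, and the per-device mapping switches) all live under the RDP-Tcp WinStation key. The script below is an added example, not part of the thread: it reads that key and reports which values differ from a hardened baseline. It assumes a PowerShell host on a later Windows than the Win2K boxes discussed here, and the baseline itself (non-default port, 128-bit or FIPS minimum, all mappings off except clipboard) is an assumption taken from the post above.

```powershell
# Added audit script (not from the thread). Value names are the documented
# ones under the Terminal Server WinStations key; the baseline is an assumption.
$RdpTcpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpHardening {
    param([string]$Path = $RdpTcpKey)

    $v = Get-ItemProperty -Path $Path -ErrorAction Stop

    # Each check: registry value, what the baseline expects, and whether it passes.
    # A value that is absent reads as $null and therefore fails the comparison.
    $checks = @(
        @{ Name = 'PortNumber';         Expect = 'anything but 3389';          Ok = ($null -ne $v.PortNumber -and $v.PortNumber -ne 3389) },
        @{ Name = 'MinEncryptionLevel'; Expect = '3 (High, 128-bit) or 4 (FIPS)'; Ok = ($v.MinEncryptionLevel -ge 3) },
        @{ Name = 'fDisableCdm';        Expect = '1 (drive mapping off)';      Ok = ($v.fDisableCdm -eq 1) },
        @{ Name = 'fDisableCpm';        Expect = '1 (printer mapping off)';    Ok = ($v.fDisableCpm -eq 1) },
        @{ Name = 'fDisableLPT';        Expect = '1 (LPT port mapping off)';   Ok = ($v.fDisableLPT -eq 1) },
        @{ Name = 'fDisableCcm';        Expect = '1 (COM port mapping off)';   Ok = ($v.fDisableCcm -eq 1) },
        @{ Name = 'fDisableClip';       Expect = '0 (clipboard left on)';      Ok = ($v.fDisableClip -eq 0) }
    )

    foreach ($c in $checks) {
        $actual = $v.($c.Name)
        if ($null -eq $actual) { $actual = '<not set>' }
        $status = 'REVIEW'
        if ($c.Ok) { $status = 'OK' }

        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = $actual
            Expected = $c.Expect
            Status   = $status
        }
    }
}

Test-RdpHardening | Format-Table -AutoSize
```

Values pushed by Group Policy are stored under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services and take precedence over this key, so a REVIEW here means "confirm the effective setting", not necessarily that the box is misconfigured.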

-----Original Message-----
From: jason d. montgomery [mailto:jason@atgi.com]
Sent: Monday, November 25, 2002 8:05 PM
To: focus-ms@securityfocus.com
Subject: RE: Secure / Encrypt Terminal Services

One solution we implemented involved setting up IPSec between a Cisco PIX at the enterprise to SafeNet Soft-Pk software (http://www.safenet-inc.com/) on the client side - then run terminal services through the tunnel.

If you want to set something up a bit simpler than setting up IPSec, I just read an article on this very topic:

Remote Management of Win2K Servers: Three Secure Solutions http://online.securityfocus.com/infocus/1629

later,
jason

> not flying around the network in clear text? Would IP-Sec be the
Received on Tue Nov 26 17:00:15 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT

