
RE: Secure / Encrypt Terminal Services

From: David Vincent <david.vincent(at)mightyoaks.com>
Date: Tue Nov 26 2002 - 14:45:10 EST


if you change the ts port - the pocket pc clients definitely will not be able to connect, they don't seem to understand the server:port syntax. (not that you asked about pocket pcs - but i brought it up so i wanted to include these details)

so make sure you check out this kb article... http://support.microsoft.com/default.aspx?scid=kb;en-us;304304

...which tells you how to alter the remote desktop client connection port. remote desktop client is the one which came with windows xp and is much better/more stable than the one included with windows 2000.

grab the remote desktop client here...
http://support.microsoft.com/default.aspx?scid=kb;en-us;304304

yeah, it is REALLY annoying that the high encryption pack for pocket pcs doesn't alter the ts encryption level available to those clients.

-d

-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
Sent: Tuesday, November 26, 2002 7:14 AM
To: ohnonono@hushmail.com; focus-ms@securityfocus.com
Subject: Re: Secure / Encrypt Terminal Services

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


At 06:21 AM 11/21/2002, ohnonono@hushmail.com wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>Does the community have an opinion on which is the best way to do
>this? Can it be done via IP-Sec? Basically we have a machine (tripwire
>manager) that will have access to all our networks. Due to politics
>(gotta love security made insecure by politics) it must be remotely
>managed. The CIO (god bless CIO's) has decided that we will use terminal
>services. Is there a way to encrypt the traffic so it is not flying
>around the network in clear text? Would IP-Sec be the recommended solution?

The TS sessions are encrypted by default- data is not sent in the "clear." You may set the encryption level for the RDP session in the Terminal Services Configuration mmc if you want to change the default "medium" (56bit) encryption to "high" (128bit). Note though, that setting the encryption level to "high" will break things like the PocketPC Terminal Services client, which can only use 56bit encryption. In environments like that, I'll VPN in, and then use the "medium" session. Funny that the PocketPC will support a 128bit VPN client, but only 56bit for a TS client.

If this box will be on the net itself, ensure that you change the TS listening port (see Q187623 http://support.microsoft.com/default.aspx?scid=KB;en-us;187623), rename the administrator account and give all the accounts strong passwords. A logon banner helps too. I'd also use the IPSec mmc to lock down all ports except what is necessary for your environment.

hth

AD

"Experience is something you don't get until just after you need it."

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1


iQA/AwUBPeOPsohsmyD15h5gEQLstgCfWcZqgSj1ZmfE/WcBggW/vyvxq8oAoL9r F7Pm4TOmXU39pr+01KXh2Sh7
=oWEw
-----END PGP SIGNATURE-----

Received on Tue Nov 26 18:32:49 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT

