
RE: Secure / Encrypt Terminal Services

From: M. Burnett <mb(at)xato.net>
Date: Tue Nov 26 2002 - 21:23:11 EST


I have received a tremendous amount of feedback from that SecurityFocus article, mostly from people telling me of different variations that would work much better. In the article, I had meant to demonstrate the concepts rather than specific solutions. There are many other very good solutions that I did not mention such as STunnel or IPSec. I think Zebedee is cool, but it's not always the perfect solution.

Terminal Services does have decent encryption, but it does not provide any port access control nor does it provide sufficient logging. For access control, IPSec is a great solution. Of course, any packet filtering mechanism will also work great. One problem with IPSec is that the port will sometimes still show as being open (although you may not be able to connect to it), depending on how IPSec is configured.

As for logging, while some things are buried in the EventLog, the IP address can be misleading (see
http://www.xato.net/Reference/xato-112001-01.txt) and sometimes the logs are not consistent. For example, it will only log a successful login, not someone just connecting to the server. I don't remember all the problems off hand, but as we researched the xato advisory we found many inconsistencies in the EventLog. I therefore concluded that it could not be fully trusted. A separate Terminal Service log file would be quite useful.

As for the encryption, I do feel somewhat safe using the built-in encryption but I am not totally convinced that it has been sufficiently proven secure. In high-security scenarios, such as government or military use, or say, protecting the recipe for Coke, I would certainly consider additional security. Flaws have been found in the encryption and we do not know what other flaws may exist.

My preferred solution is to use Terminal Services over IPSec, with additional packet filtering and logging done at a firewall or router to limit which IP addresses can even see the port. Here's a good article on TS over IPSec:
http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=20288

Mark Burnett
www.iissecurity.net

On Tue, 26 Nov 2002 14:06:58 -0500, Zack Berkovitz wrote:
>In the securityfocus article, it states:
Received on Thu Nov 28 13:06:23 2002
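An added example, not part of the original post or the archive, illustrating the logging and access-control points made above: a perimeter firewall restricts which source addresses may reach TCP 3389, and its log records every connection attempt, which the EventLog (per the post) does not. The key=value log format, the sample lines and the addresses are constructed assumptions; real firewall and router logs differ.

```python
import ipaddress
import re
from collections import Counter

TS_PORT = 3389  # Terminal Services / RDP listener
# Assumed, constructed log format (key=value, one connection per line);
# real firewall and router products use their own formats.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=\S+ proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

def audit_ts_connections(lines, allowlist):
    """Check each TCP connection attempt to TS_PORT against an address allowlist.
    Returns (findings, attempts): findings is a list of (timestamp, src, verdict);
    attempts counts connections per source, so every attempt is recorded, not
    only the successful logons the EventLog keeps. Verdicts:
      expected   - allowed from an allowlisted net, or denied from outside it
      policy-gap - the firewall allowed a source that is not on the allowlist
      blocked    - an allowlisted source was denied (likely a filter mistake)
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    findings, attempts = [], Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "tcp" or int(m["dport"]) != TS_PORT:
            continue  # malformed line, or traffic to some other port
        src = m["src"]
        listed = any(ipaddress.ip_address(src) in n for n in nets)
        attempts[src] += 1
        if m["action"] == "allow" and not listed:
            verdict = "policy-gap"
        elif m["action"] == "deny" and listed:
            verdict = "blocked"
        else:
            verdict = "expected"
        findings.append((m["ts"], src, verdict))
    return findings, attempts

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    "2002-11-26T14:06:58 fw allow src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=3389",
    "2002-11-26T14:07:10 fw deny src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=3389",
    "2002-11-26T14:07:11 fw deny src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=3389",
    "2002-11-26T14:07:30 fw allow src=203.0.113.9 dst=192.0.2.10 proto=tcp dport=3389",
    "2002-11-26T14:08:00 fw allow src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=80",
]

if __name__ == "__main__":
    print(*audit_ts_connections(SAMPLE_LOG, ["10.1.2.0/24"]), sep="\n")
```

The two denied attempts from 198.51.100.7 and the stray allow from 203.0.113.9 are exactly what a logon-only EventLog would never show.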

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:25 EDT
