Re: Secure / Encrypt Terminal Services

From: Deus, Attonbitus (Thor@HammerofGod.com)
Date: 11/26/02

    Date: Tue, 26 Nov 2002 07:13:54 -0800
    To: ohnonono@hushmail.com, focus-ms@securityfocus.com
    From: "Deus, Attonbitus" <Thor@HammerofGod.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    At 06:21 AM 11/21/2002, ohnonono@hushmail.com wrote:

    >-----BEGIN PGP SIGNED MESSAGE-----
    >
    >Does the community have an opinion on which is the best way to do
    >this? Can it be done via IP-Sec? Basically we have a machine (tripwire
    >manager) that will have access to all our networks. Due to politics
    >(gotta love security made insecure by politics) it must be remotely
    >managed. The CIO (god bless CIOs) has decided that we will use terminal
    >services. Is there a way to encrypt the traffic so it is not flying
    >around the network in clear text? Would IP-Sec be the recommended solution?
    >
    >Suggestions or links (or gentle shoves) to the information would be great.

    The TS sessions are encrypted by default; data is not sent in the
    "clear." You may set the encryption level for the RDP session in the
    Terminal Services Configuration MMC if you want to change the default
    "medium" (56-bit) encryption to "high" (128-bit). Note though, that setting
    the encryption level to "high" will break things like the PocketPC Terminal
    Services client, which can only use 56-bit encryption. In environments like
    that, I'll VPN in, and then use the "medium" session. Funny that the
    PocketPC will support a 128-bit VPN client, but only 56-bit for a TS client.

    If this box will be on the net itself, ensure that you change the TS
    listening port (see Q187623,
    http://support.microsoft.com/default.aspx?scid=KB;en-us;187623 ), rename
    the administrator account, and give all the accounts strong passwords. A
    logon banner helps too. I'd also use the IPSec MMC to lock down all ports
    except what is necessary for your environment.

    hth

    AD

    "Experience is something you don't get until just after you need it."

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQA/AwUBPeOPsohsmyD15h5gEQLstgCfWcZqgSj1ZmfE/WcBggW/vyvxq8oAoL9r
    F7Pm4TOmXU39pr+01KXh2Sh7
    =oWEw
    -----END PGP SIGNATURE-----
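The hardening steps in the reply above (raise the RDP encryption level, move the listening port per Q187623, rename the built-in administrator, add a logon banner, and restrict the port to the hosts that need it), written out as an added PowerShell example. This is not code from the original post or from any Microsoft KB; it targets a current Windows host rather than the Windows 2000 Terminal Services Configuration and IPSec snap-ins the reply refers to, and a host-firewall rule stands in for the IPSec policy. The port number 3390, the management subnet 10.0.0.0/24, the replacement account name and the banner text are placeholders chosen for the example. Run it elevated; the new port takes effect only after the Terminal Services service restarts, so do not run it over the same RDP session you intend to keep.

```powershell
# Added example (not the original author's code). Assumed placeholders:
# port 3390, management subnet 10.0.0.0/24, account name 'svc-tsadmin'.

$RdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$Policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-RdpHardening {
    param(
        [int]    $Port         = 3390,           # assumed non-default listening port
        [string] $MgmtSubnet   = '10.0.0.0/24',  # assumed management network
        [string] $NewAdminName = 'svc-tsadmin'   # assumed new name for "Administrator"
    )

    # 1. Encryption level. MinEncryptionLevel: 1 = Low, 2 = Client Compatible,
    #    3 = High (128-bit), 4 = FIPS. "High" is what the reply recommends; as the
    #    reply warns, clients that only speak 56-bit will no longer connect.
    Set-ItemProperty -Path $RdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord

    # 2. Listening port. This is the PortNumber value Q187623 documents; it is
    #    read when the Terminal Services service starts.
    Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $Port -Type DWord

    # 3. Rename the built-in administrator. The RID-500 SID does not change, so this
    #    only removes the obvious username; the strong password still does the work.
    if (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue) {
        Rename-LocalUser -Name 'Administrator' -NewName $NewAdminName
    }

    # 4. Logon banner shown before the credential prompt.
    Set-ItemProperty -Path $Policies -Name legalnoticecaption -Value 'Authorized use only'
    Set-ItemProperty -Path $Policies -Name legalnoticetext    -Value 'All access is monitored and logged.'

    # 5. Admit the new port only from the management subnet. With the firewall's
    #    default inbound action of Block, this single rule is the whole allow-list
    #    for RDP; it replaces the IPSec port filters the reply used on Windows 2000.
    New-NetFirewallRule -DisplayName "RDP $Port from management subnet" `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $MgmtSubnet -Action Allow | Out-Null
}

function Get-RdpHardeningState {
    # Read back what the host will actually enforce; compare against the intent above.
    $rdp = Get-ItemProperty -Path $RdpTcp
    [pscustomobject]@{
        Port               = $rdp.PortNumber
        MinEncryptionLevel = $rdp.MinEncryptionLevel   # expect 3 after hardening
        SecurityLayer      = $rdp.SecurityLayer        # 2 = TLS on hosts that support it
        AdminAccount       = (Get-LocalUser | Where-Object { $_.SID.Value.EndsWith('-500') }).Name
        Banner             = (Get-ItemProperty -Path $Policies).legalnoticecaption
        RdpFirewallRules   = (Get-NetFirewallPortFilter | Where-Object LocalPort -eq $rdp.PortNumber |
                              Get-NetFirewallRule).DisplayName
    }
}

Set-RdpHardening
Get-RdpHardeningState
```

The read-back function is the check worth keeping: after a reboot, confirm that PortNumber, MinEncryptionLevel and the firewall rule all agree, because a port change without the matching firewall rule locks you out, and a firewall rule without the port change leaves 3389 unreachable while the service still listens there. On hosts that expose SecurityLayer, a value of 2 (TLS) is the modern answer to the original poster's question and supersedes the RDP-native encryption levels the reply discusses.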


