Re: Secure / Encrypt Terminal Services

From: Andras Vass (vass@virgosystems.hu)
Date: 11/26/02

    From: "Andras Vass" <vass@virgosystems.hu>
    To: <TSimons@Delphi-Tech.com>, <ohnonono@hushmail.com>
    Date: Tue, 26 Nov 2002 18:22:45 +0100
    
    

    SSH port forwarding should work.
    For a low-cost solution you may try to install Cygwin and the OpenSSH
    daemon.
    The exact procedure can be found at
    http://tech.erdelynet.com/cygwin-sshd.html
    Once you get it running, you can connect to the server from the clients with
    your favourite ssh client.
    (I would recommend PuTTY,
    http://www.chiark.greenend.org.uk/~sgtatham/putty/ )
    Make a local port forwarding from (for the sake of simplicity) port 3389 to
    yourserverip:3389 or to localhost:3389.
    Then connect with your SSH client.
    This way, when you connect to localhost with Terminal Services Client you'll
    find yourself connected to
    the remote site, with SSH encrypting your packets and watching for their
    integrity. :-)

    ps.:
    A note on XP clients.
    XP Remote Desktop complains if you try to establish a connection to
    localhost.
    You can avoid this problem if you copy the mstsc.* files to a separate
    directory, enable Win98 compatibility mode on them, and then run the
    client tool from the new location.
    This way, you can connect to localhost.
    (That is forwarded to your server, of course.. :^)

    ps2:
    Say you also have terminal services running on the client, on TCP port 3389.
    So you want to use another port, e.g. client port 3901 should be forwarded to
    remote port 3389.
    Apply these changes in the ssh client tool, and remove the old 3389->3389
    forwarding.
    Now you only have to tell TSC or RDC to use this modified port.
    In RDC (comes with XP, as far as I can tell):
    just type localhost:3901 instead of localhost.
    In TSC (Win2000, others):
    open Client Connection Manager, make a new connection to localhost.
    Choose File->Export.
    Edit the resulting .cns file, change the line "Server Port=3389" to
    "Server Port=3901".
    Save it, then double-click... That's it...

    ----- Original Message -----
    From: <TSimons@Delphi-Tech.com>
    To: <ohnonono@hushmail.com>
    Cc: <focus-ms@securityfocus.com>
    Sent: Tuesday, November 26, 2002 4:42 AM
    Subject: RE: Secure / Encrypt Terminal Services

    > We're looking for the same thing, I'll be watching posts, initial finds are:
    >
    > Check out www.jsiinc.com
    > http://www.jsiinc.com/subk/tip5000/rh5017.htm
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q315055
    >
    > We're looking for solutions on how to add another layer of security without
    > inhibiting functionality, maybe something at the firewall level
    >
    > -----Original Message-----
    > From: ohnonono@hushmail.com [mailto:ohnonono@hushmail.com]
    > Sent: Thursday, November 21, 2002 9:22 AM
    > To: focus-ms@securityfocus.com
    > Subject: Secure / Encrypt Terminal Services
    >
    >
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > Does the community have an opinion on which is the best way to do this? Can
    > it be done via IP-Sec? Basically we have a machine (tripwire manager) that
    > will have access to all our networks. Due to politics (gotta love security
    > made insecure by politics) it must be remotely managed. The CIO (god bless
    > CIO's) has decided that we will use terminal services. Is there a way to
    > encrypt the traffic so it is not flying around the network in clear text?
    > Would IP-Sec be the recommended solution?
    >
    > Suggestions or links (or gentle shoves) to the information would be great.
    >
    > Thanks
    >
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: Hush 2.2 (Java)
    > Note: This signature can be verified at https://www.hushtools.com/verify
    >
    > wl0EARECAB0FAj3c67gWHG9obm9ub25vQGh1c2htYWlsLmNvbQAKCRAuXN+1lPsfqYk9
    > AJ4ndm/CgplNAjJHfTV5oSgPLfoYYwCfYUHT6Cta9Or1jTiu4KGfYokrjYg=
    > =2bx1
    > -----END PGP SIGNATURE-----
    >
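
An added example, not part of the original message: the OpenSSH command-line form of the ps2 forwarding (client port 3901 to remote port 3389) with the listener pinned to loopback, plus a check over Windows `netstat -an` output that the forwarded port is not reachable from other hosts. The account `admin@tsserver.example`, the function names and the sample netstat lines are constructed placeholders, and a current OpenSSH client is assumed.

```sh
#!/bin/sh
# Added example. admin@tsserver.example is a placeholder account and host.

# Accept only a decimal TCP port in 1-65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L argument. The explicit 127.0.0.1 bind address keeps the
# listener off the client's network interfaces.
forward_spec() {
  valid_port "$1" && valid_port "$3" && [ -n "$2" ] || return 1
  printf '127.0.0.1:%s:%s:%s\n' "$1" "$2" "$3"
}

# Print (not run) the ssh command: -N opens no remote shell, and
# ExitOnForwardFailure makes ssh quit if the local port cannot be bound.
tunnel_command() {
  spec=$(forward_spec "$1" "$2" "$3") || return 1
  printf 'ssh -N -o ExitOnForwardFailure=yes -L %s %s\n' "$spec" "$4"
}

# Read Windows `netstat -an` output on stdin and classify the listener on
# port $1 as "loopback", "exposed" (any non-loopback address) or "absent".
listener_exposure() {
  awk -v p="$1" '
    $1 == "TCP" && $NF == "LISTENING" {
      n = split($2, a, ":")
      if (a[n] != p) next
      found = 1
      if ($2 != "127.0.0.1:" p && $2 != "[::1]:" p) exposed = 1
    }
    END { print (exposed ? "exposed" : (found ? "loopback" : "absent")) }'
}

# Constructed sample: the client's own Terminal Services on 3389 (all
# interfaces) and the SSH forward on 3901 (loopback only).
sample_netstat() {
  cat <<'EOF'
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3901         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3901         127.0.0.1:1042         ESTABLISHED
EOF
}

tunnel_command 3901 localhost 3389 admin@tsserver.example
sample_netstat | listener_exposure 3901
```

With the tunnel up, piping real `netstat -an` output into `listener_exposure 3901` should report `loopback`; `exposed` means other machines on the client's network can reach the server through the forward.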


