RE: Secure / Encrypt Terminal Services
From: Zack Berkovitz (zberkovitz@pga-inc.com)
Date: 11/26/02
- Previous message: TSimons@Delphi-Tech.com: "RE: Secure / Encrypt Terminal Services"
- Maybe in reply to: ohnonono@hushmail.com: "Secure / Encrypt Terminal Services"
- Next in thread: M. Burnett: "RE: Secure / Encrypt Terminal Services"
- Reply: M. Burnett: "RE: Secure / Encrypt Terminal Services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 26 Nov 2002 14:06:58 -0500
From: "Zack Berkovitz" <zberkovitz@pga-inc.com>
To: <focus-ms@securityfocus.com>
In the securityfocus article, it states:
Terminal Services is a built-in service in Windows 2000 that provides
admins with a remote desktop for managing a server. Terminal Services is
the most obvious way to remotely manage a server because it is built-in,
easy to get running, uses built-in Windows accounts for authentication,
and allows for strong encryption. But there are some limitations: there
is no mechanism to limit access by IP address, it is not obvious how to
change the default listening port, and it has no logging facility. Based
on the list of requirements at the beginning of this article, Terminal
Services alone does not score well on security.
There are several easy-to-follow steps to use the included tools to
achieve similar results with less overhead (latency and packet
overhead-- i.e. no second wrapper):
Access can be limited by IP filter or IPSec policy native to the OS, the
listening port can be changed in the registry:
http://support.microsoft.com/default.aspx?scid=kb;en-us;187623
Logging occurs in the security log. You can change the local audit
policy to include what you want logged.
Some packets (licensing info and print job acknowledgments) aren't
encrypted (who knows why), so this may be a concern:
http://support.microsoft.com/default.aspx?scid=kb;en-us;275727
The RDPClip and Drmapsrv utilities from the resource kit will allow you
to map local client drives into the session and copy files over the
encrypted session:
http://support.microsoft.com/default.aspx?scid=kb;en-us;309825
It doesn't work with the Advanced client (the XP version, which you can
run on 2K), however:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;278139
And, of course, you can install the high encryption pack and specify
that all RDP sessions must be 128-bit encrypted in the Terminal Services
Configuration snap-in.
So, really, the main limitations are the type of encryption or its
strength (you feel more comfortable with 3DES, for example), and
potentially the few packets which are sent in the clear (you don't want
someone knowing your printer names... Actually, I recommend disabling
all port, printer, and drive mapping by policy-- clipboard mapping is
generally the only mapping necessary for remote management, unless you
need to transfer files and don't have some other method.) Also, does
anyone know if you can replay encrypted RDP?
The easiest thing to do for a non-sensitive server (i.e. end-user
terminal server box) is to use a network VPN first. I've used a
hardware VPN with IPSec 3DES and client software in the past. This way
you don't have to set up IPSec on the box.
For the original question, IPSec sounds like a good solution, although
if the WAN is somewhat controlled, then the default 128-bit encryption
may be sufficient.
- Zack
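The registry-side hardening Zack walks through (non-default listening port per KB 187623, 128-bit encryption required in the Terminal Services Configuration snap-in, and device mapping disabled by policy) can be audited from the host itself. The script below is an added example, not code from the thread; it assumes the standard RDP-Tcp WinStation registry values (PortNumber, MinEncryptionLevel, fDisableCdm/Cpm/LPT/Ccm/Clip) and that it is run with administrative rights on the Terminal Server. It reads settings only and changes nothing.

```powershell
# Added audit script (not part of the original post): report RDP-Tcp
# listener settings that fall short of the hardening discussed above.
function Test-RdpListenerHardening {
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $ts = Get-ItemProperty -Path $rdpKey
    $findings = @()

    # Listening port (KB 187623). A missing value means the default, 3389,
    # which is the port every RDP scanner tries first.
    $port = if ($null -ne $ts.PortNumber) { [int]$ts.PortNumber } else { 3389 }
    if ($port -eq 3389) {
        $findings += 'Listener is on the default port 3389'
    }

    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit).
    # 3 corresponds to requiring 128-bit sessions in the TS Configuration snap-in
    # (needs the high encryption pack on Windows 2000).
    $enc = if ($null -ne $ts.MinEncryptionLevel) { [int]$ts.MinEncryptionLevel } else { 0 }
    if ($enc -lt 3) {
        $findings += "MinEncryptionLevel is $enc; expected 3 (High, 128-bit)"
    }

    # Client device redirection flags: drive (Cdm), printer (Cpm), LPT and COM (Ccm).
    # The post recommends disabling all of these for pure remote management;
    # a missing or zero flag means the mapping is still allowed.
    $redirect = [ordered]@{
        fDisableCdm = 'drive'
        fDisableCpm = 'printer'
        fDisableLPT = 'LPT port'
        fDisableCcm = 'COM port'
    }
    foreach ($name in $redirect.Keys) {
        if (-not $ts.$name) {
            $findings += "$($redirect[$name]) mapping still enabled ($name is missing or 0)"
        }
    }
    # Clipboard mapping is the one Zack leaves on; just note its state.
    if ($ts.fDisableClip) {
        $findings += 'Clipboard mapping is disabled (only a concern if you rely on it for file transfer)'
    }

    return $findings
}

$result = Test-RdpListenerHardening
if ($result.Count -eq 0) { 'RDP-Tcp listener matches the hardened baseline' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Logon and logoff events land in the Security log only if the local audit policy enables them, as the post notes, so pair this check with a look at that policy on the same host.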
-----Original Message-----
From: jason d. montgomery [mailto:jason@atgi.com]
Sent: Monday, November 25, 2002 8:05 PM
To: focus-ms@securityfocus.com
Subject: RE: Secure / Encrypt Terminal Services
One solution we implemented involved setting up IPSec between a Cisco
PIX at the enterprise to SafeNet Soft-Pk software
(http://www.safenet-inc.com/) on the client side - then run terminal
services through the tunnel.
If you want to set something up a bit simpler than setting up IPSec, I
just read an article on this very topic:
Remote Management of Win2K Servers: Three Secure Solutions
http://online.securityfocus.com/infocus/1629
later,
jason
> Does the community have an opinion on which is the best way to do
> this? Can it be done via IP-Sec? Basically we have a machine
> (tripwire manager) that will have access to all our networks. Due to
> politics (gotta love security made insecure by politics) it must be
> remotely managed. The CIO (god bless CIO's) has decided that we will
> use terminal services. Is there a way to encrypt the traffic so it is
> not flying around the network in clear text? Would IP-Sec be the
> recommended solution?
>
> Suggestions or links (or gentle shoves) to the information would be
> great.
>
> Thanks
>
>