RE: Secure / Encrypt Terminal Services

From: David Vincent (david.vincent@mightyoaks.com)
Date: 11/26/02

    From: David Vincent <david.vincent@mightyoaks.com>
    To: "'Deus, Attonbitus'" <Thor@HammerofGod.com>, ohnonono@hushmail.com, focus-ms@securityfocus.com
    Date: Tue, 26 Nov 2002 11:45:10 -0800
    
    

    if you change the ts port - the pocket pc clients definitely will not be
    able to connect, they don't seem to understand the server:port syntax. (not
    that you asked about pocket pcs - but i brought it up so i wanted to include
    these details)

    so make sure you check out this kb article...
    http://support.microsoft.com/default.aspx?scid=kb;en-us;304304

    ...which tells you how to alter the remote desktop client connection port.
    remote desktop client is the one which came with windows xp and is much
    better/more stable than the one included with windows 2000.

    grab the remote desktop client here...
    http://support.microsoft.com/default.aspx?scid=kb;en-us;304304

    yeah, it is REALLY annoying that the high encryption pack for pocket pcs
    doesn't alter the ts encryption level available to those clients.

    -d

    -----Original Message-----
    From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
    Sent: Tuesday, November 26, 2002 7:14 AM
    To: ohnonono@hushmail.com; focus-ms@securityfocus.com
    Subject: Re: Secure / Encrypt Terminal Services

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    At 06:21 AM 11/21/2002, ohnonono@hushmail.com wrote:

    >-----BEGIN PGP SIGNED MESSAGE-----
    >
    >Does the community have an opinion on which is the best way to do
    >this? Can it be done via IP-Sec? Basically we have a machine (tripwire
    >manager) that will have access to all our networks. Due to politics
    >(gotta love security made insecure by politics) it must be remotely
    >managed. The CIO (god bless CIOs) has decided that we will use terminal
    >services. Is there a way to encrypt the traffic so it is not flying
    >around the network in clear text? Would IP-Sec be the recommended solution?
    >
    >Suggestions or links (or gentle shoves) to the information would be great.

    The TS sessions are encrypted by default; data is not sent in the
    "clear." You may set the encryption level for the RDP session in the
    Terminal Services Configuration mmc if you want to change the default
    "medium" (56bit) encryption to "high" (128bit). Note though, that setting
    the encryption level to "high" will break things like the PocketPC Terminal
    Services client, which can only use 56bit encryption. In environments like
    that, I'll VPN in, and then use the "medium" session. Funny that the
    PocketPC will support a 128bit VPN client, but only 56bit for a TS client.

    If this box will be on the net itself, ensure that you change the TS
    listening port (see Q187623
    http://support.microsoft.com/default.aspx?scid=KB;en-us;187623 ), rename
    the administrator account and give all the accounts strong passwords. A
    logon banner helps too. I'd also use the IPSec mmc to lock down all ports
    except what is necessary for your environment.

    hth

    AD

    "Experience is something you don't get until just after you need it."

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQA/AwUBPeOPsohsmyD15h5gEQLstgCfWcZqgSj1ZmfE/WcBggW/vyvxq8oAoL9r
    F7Pm4TOmXU39pr+01KXh2Sh7
    =oWEw
    -----END PGP SIGNATURE-----
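The server-side steps in the reply above (move the listener off 3389, force "high" encryption, filter the port, rename Administrator, add a logon banner) together with the client-side port setting that Q304304 covers, as an added example that is not part of the thread. It targets a current Windows host with PowerShell: the registry values under RDP-Tcp are the same ones the 2002 KB articles describe, but the cmdlets did not exist then. It uses the host firewall in place of the IPSec snap-in, and the port 33890, subnet 10.0.0.0/24, host name tsbox.example.internal and account name svc-console are assumptions chosen for illustration.

```powershell
# Added example, not code from the thread. Server side: move the RDP listener
# off 3389, require High encryption, restrict the port to a management subnet,
# rename the built-in Administrator, set a logon banner. Client side: a saved
# .rdp file that carries the new port. Run in an elevated PowerShell on a
# current Windows host. Port, subnet, host name and account name are assumed.

$RdpTcp     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$NewPort    = 33890                    # assumed non-default listening port
$MgmtSubnet = '10.0.0.0/24'            # assumed network allowed to reach the listener
$TsHost     = 'tsbox.example.internal' # assumed name of the terminal server
$AdminAlias = 'svc-console'            # assumed new name for the Administrator account

# Record the current listener settings before changing anything.
Get-ItemProperty -Path $RdpTcp -Name PortNumber, MinEncryptionLevel |
    Select-Object PortNumber, MinEncryptionLevel

# PortNumber is the value Q187623 describes; the service reads it at start.
Set-ItemProperty -Path $RdpTcp -Name PortNumber -Value $NewPort -Type DWord

# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS.
# At 3, a client limited to 56-bit (the PocketPC case in the thread) is refused.
Set-ItemProperty -Path $RdpTcp -Name MinEncryptionLevel -Value 3 -Type DWord

# Expose the new port only to the management subnet. The reply suggests the
# IPSec policy snap-in; the host firewall gives the same effect here.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'        # built-in 3389 allows
Set-NetFirewallProfile -All -DefaultInboundAction Block
New-NetFirewallRule -DisplayName "RDP $NewPort from mgmt" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $MgmtSubnet -Action Allow

# Rename the built-in Administrator (its SID still ends in -500, so this only
# raises the cost of guessing, not of a targeted attack) and show a banner.
Rename-LocalUser -Name 'Administrator' -NewName $AdminAlias
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $PolicyKey -Name legalnoticecaption -Value 'Authorised use only'
Set-ItemProperty -Path $PolicyKey -Name legalnoticetext `
    -Value 'Access to this system is monitored. Disconnect if you are not authorised.'

# The listener re-reads PortNumber only on restart. Doing this over RDP drops
# your own session; run it from the console or a second management path.
Restart-Service -Name TermService -Force

# Confirm the move: the new port is listening, 3389 is not.
Get-NetTCPConnection -State Listen -LocalPort $NewPort, 3389 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort

# Client side (the point of Q304304): a saved connection that carries the port,
# for clients that do not accept host:port at the prompt.
@"
full address:s:${TsHost}:$NewPort
server port:i:$NewPort
"@ | Set-Content -Path "$env:USERPROFILE\tsbox.rdp"
# Equivalent one-off from the command line: mstsc /v:${TsHost}:$NewPort
```

MinEncryptionLevel only governs RDP's own session encryption, which is what the 2002 thread is about; on a current host you would also set SecurityLayer to 2 (TLS) and UserAuthentication to 1 (Network Level Authentication) under the same RDP-Tcp key, neither of which existed when this was written.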


