RE: Secure / Encrypt Terminal Services
From: Eric Devine (devineeric@yahoo.com)
Date: 11/27/02
- Previous message: Mike Coppins: "Re: IIS Log exactly 65.536 bytes ???"
- Maybe in reply to: ohnonono@hushmail.com: "Secure / Encrypt Terminal Services"
- Next in thread: Kent Hundley: "RE: Secure / Encrypt Terminal Services"
Date: Wed, 27 Nov 2002 07:00:14 -0800 (PST) From: Eric Devine <devineeric@yahoo.com> To: focus-ms@securityfocus.com
How does this sort of thing affect the ActiveX Terminal services option in IE? As far as I know there is no way to point that to a different port? The nice thing about the IE option is any computer with IE can be used and the Client is self installing so I don't need to keep a floppy disk handy.

Hmm.. I will bet I get jumped all over in the replies because whenever something is easy it is generally not secure :)

Previously written Message thread Follows
--------------------------------------------------
if you change the ts port - the pocket pc clients definitely will not be able to connect, they don't seem to understand the server:port syntax. (not that you asked about pocket pcs - but i brought it up so i wanted to include these details)

so make sure you check out this kb article...
http://support.microsoft.com/default.aspx?scid=kb;en-us;304304
..which tells you how to alter the remote desktop client connection port.

remote desktop client is the one which came with windows xp and is much better/more stable than the one included with windows 2000.

grab the remote desktop client here...
http://support.microsoft.com/default.aspx?scid=kb;en-us;304304

yeah, it is REALLY annoying that the high encryption pack for pocket pcs doesn't alter the ts encryption level available to those clients.

-d
-----Original Message-----
From: Deus, Attonbitus [mailto:Thor@HammerofGod.com]
Sent: Tuesday, November 26, 2002 7:14 AM
To: ohnonono@hushmail.com; focus-ms@securityfocus.com
Subject: Re: Secure / Encrypt Terminal Services
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
At 06:21 AM 11/21/2002, ohnonono@hushmail.com wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Does the community have an opinion on which is the best way to do
>this? Can it be done via IP-Sec? Basically we have a machine (tripwire
>manager) that will have access to all our networks. Due to politics
>(gotta love security made insecure by politics) it must be remotely
>managed. The CIO (god bless CIOs) has decided that we will use terminal
>services. Is there a way to encrypt the traffic so it is not flying
>around the network in clear text? Would IP-Sec be the recommended solution?
>
>Suggestions or links (or gentle shoves) to the information would be great.
The TS sessions are encrypted by default - data is not sent in the "clear." You may set the encryption level for the RDP session in the Terminal Services Configuration mmc if you want to change the default "medium" (56bit) encryption to "high" (128bit). Note though, that setting the encryption level to "high" will break things like the PocketPC Terminal Services client, which can only use 56bit encryption. In environments like that, I'll VPN in, and then use the "medium" session. Funny that the PocketPC will support a 128bit VPN client, but only 56bit for a TS client.

If this box will be on the net itself, ensure that you change the TS listening port (see Q187623 http://support.microsoft.com/default.aspx?scid=KB;en-us;187623 ), rename the administrator account and give all the accounts strong passwords. A logon banner helps too. I'd also use the IPSec mmc to lock down all ports except what is necessary for your environment.

hth

AD

"Experience is something you don't get until just after you need it."
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPeOPsohsmyD15h5gEQLstgCfWcZqgSj1ZmfE/WcBggW/vyvxq8oAoL9r
F7Pm4TOmXU39pr+01KXh2Sh7
=oWEw
-----END PGP SIGNATURE-----
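
The hardening points from the quoted advice (listening port, RDP encryption level, renamed administrator account, logon banner), as an added example that is not part of the original thread: a PowerShell check, assuming a current Windows server with PowerShell 5.1 or later. The registry paths and value names are the standard Windows ones and are not quoted in the messages; the function names are hypothetical.

```powershell
# Added example: audit the Terminal Services hardening points from this thread.
# Assumption: registry locations are the standard Windows ones, not taken
# from the thread; Get-LocalUser requires PowerShell 5.1 or later.

function Test-TsHardening {
    param(
        [int]$PortNumber,           # RDP-Tcp listener port
        [int]$MinEncryptionLevel,   # 1 = Low, 2 = Medium (Client Compatible on later Windows), 3 = High, 4 = FIPS
        [string]$AdminName,         # current name of the built-in (RID 500) account
        [string]$BannerText         # logon banner body, empty if none is set
    )
    $checks = [ordered]@{
        'Listening port moved off 3389'  = ($PortNumber -ne 3389)
        'Encryption level High or above' = ($MinEncryptionLevel -ge 3)
        'Built-in admin renamed'         = ($AdminName -ne 'Administrator')
        'Logon banner configured'        = (-not [string]::IsNullOrWhiteSpace($BannerText))
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = $checks[$name] }
    }
}

function Get-TsSettings {
    # Reads the live values; run from an elevated prompt on the server itself.
    $rdp   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $pol   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }
    @{
        PortNumber         = [int]$rdp.PortNumber
        MinEncryptionLevel = [int]$rdp.MinEncryptionLevel
        AdminName          = $admin.Name
        BannerText         = [string]$pol.legalnoticetext
    }
}

# Constructed sample: a server left at the defaults described in the thread
# (port 3389, "medium" encryption, account still named Administrator, no banner).
$sample = @{ PortNumber = 3389; MinEncryptionLevel = 2; AdminName = 'Administrator'; BannerText = '' }
Test-TsHardening @sample | Format-Table -AutoSize

# On a live server: $live = Get-TsSettings; Test-TsHardening @live
```

The IPSec port lock-down mentioned in the advice is not covered by this check.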