Re: Stop Remote Manipulation When Server Needs Access
From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 08/16/05
- In reply to: dw85745: "Stop Remote Manipulation When Server Needs Access"
Date: Tue, 16 Aug 2005 08:11:45 -0400
"dw85745" <dw85745@gbronline.com> wrote in message
news:1123940421.391831.182020@g43g2000cwa.googlegroups.com...
> My concern is that remote manipulation of their software opens up the
> client machine for perusal.

My concern is that this software sounds very old and not time tested. I
have no idea if the programmer used commonly accepted security practices.
You asked about books for more information. I strongly recommend Writing
Secure Code, 2nd ed by Michael Howard. It describes these best practices
and gives checklists of what to consider in application security and risk
assessments.

> To my knowledge a firewall will not work since the firewall must allow
> the application both uplink and downlink rights.

I do not believe this is necessarily true. A firewall is the primary way
you control what IP addresses are allowed to access the remote control
service. There are lots of apps that require both inbound and outbound
connections but are protected by a firewall nonetheless. If you need to
allow any IP address on your internal network to access this service, then I
suppose a firewall might not add a lot of benefit.

Instead of or in addition to a firewall, good authentication [such as a
password that is well encrypted and protected from capture, and is shared
only with a small number of people you trust or is unique per each user] is
a very good idea. The above book goes into things like this.

> 1) If I handle their application as a Service (or write a wrapper
> "service" program around their app) will this limit the remote ability
> to get elsewhere on the client machine?

Continuing to develop for Windows 98 is generally a waste of time, unless
you feel the enhancements made now will still be good if / when the app is
ported to another version of Windows.

Windows 98 is terribly insecure in many different ways. It is barely being
patched. And it sounds like your Win98 systems don't have any firewall.
This application is probably the least of your worries, and hardening it
won't make Win98 secure.

> 2) If I go with a separate User Profile, can I be logged onto a client
> machine (with Win98 or XP) with two user profiles at the same time AND
> will running the app from a user profile stop the ability of the
> application to go outside its user profile?

Win98 has no such separation, every user can access everything. Win98 user
profiles are ONLY to save custom settings like desktop icons, not for
security.

Windows XP can be configured to prevent what users can access, as long as
the users are not in the Administrators or Power Users groups. However,
even regular XP users can do an awful lot of damage, and there are a lot of
privilege escalation attacks that can be attempted. Regular XP users can be
prevented from accessing other users' profiles, and they can be prevented
from making changes to most of the rest of the hard drive and to Windows,
but they still need read or write access to most of the hard drive, so
Windows profiles are not really like chroot file-system jails if that's what
you're asking. The main thing regular users cannot [easily] do is make
changes to other users' environments or gain their permissions.

Your remote control program would also have to be coded so that it does not
run as system or grant system-level privileges.

WinXP contains remote administration tools and software such as Terminal
Services / Remote Desktop, Remote Registry, etc. that are time tested, and I
would very strongly recommend using those instead of trying to reinvent the
wheel and making a serious mistake.