Re: How is dangerous connect to server over internet with remote d



Hi,

What would be the added value for security if you set up a VPN first? Having
encrypted data inside encrypted data? There are also some caveats here,
since you can't do VPN from all networks.

If you have smart cards or one-time passwords, you can use them directly
against Terminal Server.

TSGrinder will try to brute force the password. It is very inefficient and
slow. Such attacks can be avoided by simply using strong passwords or by
using the before-mentioned authentication mechanisms.

--
Mike
Microsoft MVP - Windows Security
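Mike's remark that TSGrinder is slow and inefficient is also what makes password guessing against Terminal Server easy to spot: many failed logons from one source in a short time. Added example, not from this thread or from Microsoft: a PowerShell function that counts failed RemoteInteractive (RDP) logons per source address in a sliding window and flags sources that exceed a threshold. It runs on a constructed sample. The `Get-FailedRdpLogons` helper, which reads Event ID 4625 from the Security log, is an assumption about a current Windows system and is not exercised by the sample run (the Server 2003 systems in this thread log failed logons under different event IDs).

```powershell
# Added example (not from the thread): flag password-guessing bursts against
# Terminal Services by counting failed RDP logons per source address.
# LogonType 10 = RemoteInteractive, i.e. a Terminal Services / RDP logon.

function Find-RdpLogonBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold = 5,          # failures from one source before we alert
        [int] $WindowMinutes = 10      # sliding window size
    )

    $Events |
        Where-Object { $_.LogonType -eq 10 } |
        Group-Object -Property IpAddress |
        ForEach-Object {
            $times = @($_.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
            # Sliding window: for each failure, count the failures in the window that starts there
            $maxInWindow = 0
            for ($i = 0; $i -lt $times.Count; $i++) {
                $windowEnd = $times[$i].AddMinutes($WindowMinutes)
                $n = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $windowEnd }).Count
                if ($n -gt $maxInWindow) { $maxInWindow = $n }
            }
            if ($maxInWindow -ge $Threshold) {
                [pscustomobject]@{
                    SourceIp         = $_.Name
                    FailuresInWindow = $maxInWindow
                    AccountsTried    = (($_.Group | Select-Object -ExpandProperty TargetUserName -Unique) -join ', ')
                }
            }
        }
}

function Get-FailedRdpLogons {
    # Live collection on a current Windows system (assumption, not used by the sample run below):
    # Event ID 4625 = "An account failed to log on"; the fields we need are in EventData.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            TargetUserName = $data['TargetUserName']
            IpAddress      = $data['IpAddress']
            LogonType      = [int]$data['LogonType']
        }
    }
}

# Constructed sample: one source guessing four account names every 15 seconds,
# and one legitimate user who mistyped a password once. Addresses are documentation ranges.
$base  = [datetime]'2006-07-01T10:00:00'
$names = 'administrator', 'admin', 'root', 'test'
$sample = @(
    foreach ($k in 0..7) {
        [pscustomobject]@{ TimeCreated = $base.AddSeconds(15 * $k); TargetUserName = $names[$k % 4]; IpAddress = '203.0.113.45'; LogonType = 10 }
    }
    [pscustomobject]@{ TimeCreated = $base.AddMinutes(3); TargetUserName = 'massimo'; IpAddress = '198.51.100.7'; LogonType = 10 }
)

# Only 203.0.113.45 is reported (8 failures inside the 10-minute window); the single typo is not.
Find-RdpLogonBursts -Events $sample | Format-Table -AutoSize
```

On a live server replace `$sample` with `Get-FailedRdpLogons`; the threshold and window are deliberately parameters because a dictionary tool paces itself differently from a user who has forgotten a password.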

"bagins" <dejan /at\ levaja /.\ com> wrote in message
news:OkUZz2NrGHA.3680@xxxxxxxxxxxxxxxxxxxxxxx

If you want to add more security, create a VPN connection first, then fire
up RDC over the tunnel. Use smart cards for logon, if you can.
There is a dictionary-based tool for TS; it is called tsgrinder.
Any brute force tool, anyone?

--

************************
Best regards
Bagins
************************


"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:uZPeoVNrGHA.4864@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I did a search and I found one DoS vulnerability from the past:

Microsoft Security Advisory (904797)
Vulnerability in Remote Desktop Protocol (RDP) Could Lead to Denial of
Service
http://www.microsoft.com/technet/security/advisory/904797.mspx

--
Mike
Microsoft MVP - Windows Security

"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:ehewxSNrGHA.2464@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

I can't recall any critical vulnerabilities in the past in Terminal
Services. I consider it a very good solution for remote access and
administration even without IP filtering. As mentioned, the only concern
is how strong and protected your passwords are.

--
Mike
Microsoft MVP - Windows Security

"Massimo" <Massimo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AC61C683-818C-4FEF-A912-73767BB69894@xxxxxxxxxxxxxxxx
Thank you very much for your answer. I want to know if there were in the
past any bugs or vulnerabilities in the terminal service (remote desktop). If I use
encryption and if I connect to the server from the same IP (I configure the
firewall to accept only my remote fixed IP for port 3389), can I consider this
solution a good solution for managing the server?

"Miha Pihler [MVP]" wrote:

Hi,

There are a few things you can do to make these connections (more)
secure:
- On the server set the encryption to high
- On Windows Server 2003 with SP1 installed on it you can use certificates
to prevent MITM (Man In The Middle) attacks.

Now the only thing that I usually worry about when considering RDP is key
loggers that might be installed on the computer from which you are trying to
connect to your server (e.g. if you are trying to connect to your server
from a cyber café). Still, this is not only a problem with RDP connections but
with any remote connection using a static username and password.

So if you decide on this option, pay attention to the username and password (use
a strong username and password and change passwords frequently). Don't use
the domain administrator account for the connection - use an ordinary user
account. Whenever possible this user account should not even be a local
administrator on the server. Once you are connected to the server you can raise your
permissions using another RDP to the server or options such as "run as" etc.

Another thing to consider is to limit the IP addresses from which you can connect
to your server over RDP (e.g. limit it to your home IP address only).

--
Mike
Microsoft MVP - Windows Security
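The checklist in Mike's post above (encryption set to high, certificates against MITM, an ordinary account rather than domain administrator, and a firewall scope limited to one management IP) can be checked in a single script. Added example, not from this thread or from Microsoft: a PowerShell audit that reads the RDP-Tcp listener settings from the registry, looks for inbound firewall rules that allow TCP 3389 from any address, and looks for Domain Admins in the groups that grant RDP logon. It assumes a current Windows Server with the NetSecurity and LocalAccounts modules (not the Server 2003 of the thread) and an elevated session; the management IP in the remediation comment is a placeholder.

```powershell
# Added example (not the thread's own code): audit the RDP hardening points the
# thread recommends. Assumes a current Windows Server (NetSecurity and
# LocalAccounts modules available) and an elevated PowerShell session.

$RdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpEncryption {
    $p = Get-ItemProperty -Path $RdpTcp
    # MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
    if ($null -eq $p.MinEncryptionLevel -or $p.MinEncryptionLevel -lt 3) {
        "MinEncryptionLevel is '$($p.MinEncryptionLevel)'; set it to High (3) or FIPS (4), e.g. Set-ItemProperty -Path '$RdpTcp' -Name MinEncryptionLevel -Value 3"
    }
    # SecurityLayer: 0 = RDP security, 1 = Negotiate, 2 = TLS; only TLS lets the client
    # verify the server certificate, which is the MITM protection the thread refers to
    if ($null -eq $p.SecurityLayer -or $p.SecurityLayer -lt 2) {
        "SecurityLayer is '$($p.SecurityLayer)'; use TLS (2) with a server certificate so clients can detect a man in the middle"
    }
}

function Test-RdpFirewallScope {
    # Any enabled inbound allow rule for TCP 3389 whose remote scope is 'Any'
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and $port.LocalPort -contains '3389') {
            $addr = $rule | Get-NetFirewallAddressFilter
            if ($addr.RemoteAddress -contains 'Any') {
                # Remediation (placeholder address): Set-NetFirewallRule -DisplayName "$($rule.DisplayName)" -RemoteAddress 203.0.113.45
                "Rule '$($rule.DisplayName)' allows TCP 3389 from any address; restrict -RemoteAddress to your fixed management IP"
            }
        }
    }
}

function Test-RdpLogonGroups {
    # The thread advises connecting with an ordinary account and elevating afterwards,
    # so the domain administrators group should not be a path to RDP logon.
    foreach ($group in 'Remote Desktop Users', 'Administrators') {
        Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '*\Domain Admins' } |
            ForEach-Object { "'$($_.Name)' is a member of '$group'; use a dedicated low-privilege account for the RDP session and elevate after logon" }
    }
}

$findings = @(Test-RdpEncryption) + @(Test-RdpFirewallScope) + @(Test-RdpLogonGroups)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { "FINDING: $_" }
} else {
    'No findings: RDP listener, firewall scope and logon groups match the recommendations in the thread'
}
```

Each test returns strings rather than writing to the host so the findings can be collected, counted or shipped to a ticketing system; a clean run prints a single line.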

"Massimo" <Massimo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0E85C1B9-1460-4EF8-8EFC-7FF4FD983C45@xxxxxxxxxxxxxxxx
I have installed Windows Server 2003 Enterprise Edition. I have to manage my
server from a remote site. Is a solution with remote desktop only very
dangerous? Is the Terminal Service of Windows Server 2003 with encryption not
secure?

Thanks