<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://forums.techsoup.org/cs/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Networks</title><link>http://forums.techsoup.org/cs/forums/14.aspx</link><description>What's the best way to get online (DSL or ISDN or a modem)? Which ISP do you go with?&lt;br /&gt;Hosted by &lt;a href="http://forums.techsoup.org/cs/members/glamontagne/default.aspx"&gt;Gary Lamontagne&lt;/a&gt; of
&lt;a href="http://www.coosfamilyhealth.org"&gt;coosfamilyhealth.org&lt;/a&gt; and &lt;a href="http://forums.techsoup.org/cs/members/dwelp/default.aspx"&gt;Dave Welp&lt;/a&gt; of &lt;a href="http://scottcountyfamilyy.org"&gt;Scott County Family YMCA&lt;/a&gt;.</description><dc:language>en</dc:language><generator>CommunityServer 2008 SP1 (Debug Build: 30619.63)</generator><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/74018.aspx</link><pubDate>Mon, 06 Nov 2006 14:53:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:74018</guid><dc:creator>shipley.c</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/74018.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=74018</wfw:commentRss><description>I agree with that.  Its better, in my opinion, than exposing something like VNC.  You should really SSH port forward or VPN tunnel for VNC connections.</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/74002.aspx</link><pubDate>Sun, 05 Nov 2006 19:52:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:74002</guid><dc:creator>ZacMutrux</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/74002.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=74002</wfw:commentRss><description>Ah, yes, that makes sense. Most of my clients only have one server, so I  rarely have the need to remotely control more than one box per site. &lt;br /&gt;
&lt;br /&gt;
As for exposing RDP to the public Internet, I have over a dozen organizations that are set up this way and I&amp;#39;ve never had any trouble with intrusions. My impression is that the biggest risk is from brute force attacks on the password. So as long as you have a nice strong password on the administrator account, you haven&amp;#39;t much to fear from the bad guys. &lt;br /&gt;
&lt;br /&gt;
&amp;nbsp;</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/73924.aspx</link><pubDate>Fri, 03 Nov 2006 13:44:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:73924</guid><dc:creator>shipley.c</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/73924.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=73924</wfw:commentRss><description>If you implement SSH, you can easily manage more than 1 box without having to fudge around with the ports that Remote Desktop is running on.  For example:&lt;br /&gt;
&lt;br /&gt;
Client 2 Server Port Forwards:&lt;br /&gt;
127.0.0.1:9051 --&gt; 10.9.0.51:3389&lt;br /&gt;
127.0.0.1:9050 --&gt; 10.9.0.50:3389&lt;br /&gt;
127.0.0.1:9011 --&gt; 10.9.0.11:3389&lt;br /&gt;
&lt;br /&gt;
Granted, you can just Remote Desktop into one box, then Remote Desktop to another once you&amp;#39;re inside the network, but have you ever used double/triple remote desktop in full screen mode?  I find it confusing.&lt;br /&gt;
&lt;br /&gt;
So you only open 1 port on your firewall to get access to virtually unlimited IPs and ports on your private IP subnet.  And SSH is little overhead compared to PPTP and LPTP traffic.&lt;br /&gt;
&lt;br /&gt;
Not to mention, most SSH servers come with SFTP - so now you can upload/download files securely without exposing a typical, unsecured FTP server.&lt;br /&gt;
&lt;br /&gt;
For my home systems, I use &lt;a href="http://www.openssh.com" target="_blank" title="http://www.openssh.com"&gt;OpenSSH&lt;/a&gt; (a bit of a bear to install and configure if you aren&amp;#39;t techy - and it&amp;#39;s open source) and for professional installations I use &lt;a href="http://www.bitvise.com/winsshd.html" target="_blank" title="http://www.bitvise.com/winsshd.html"&gt;BitVise WinSSHD&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
The real gems for remote (and local) administration of a Windows Server / Network, however, are in my mind are &lt;a href="http://www.logmein.com" target="_blank" title="http://www.logmein.com"&gt;LogMeIn&lt;/a&gt; and &lt;a href="http://www.dameware.com" target="_blank" title="http://www.dameware.com"&gt;Dameware Utilities&lt;/a&gt;.  At a typical client&amp;#39;s, I&amp;#39;ll install my own small workstation with LogMeIn Free.  On that box will be Dameware Utilities.  I love the pricing structure for Dameware, you only pay per administrator, not per computer/server you are administering.</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/73909.aspx</link><pubDate>Fri, 03 Nov 2006 03:54:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:73909</guid><dc:creator>Tamaralka</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/73909.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=73909</wfw:commentRss><description>My experience is that putting a Windows 2000 or 2003 terminal server on the Internet without a firewall is an invitation for disaster. One tool that was not mentioned is a VPN (Virtual Private network). Smoothwall http://sourceforge.net/projects/smoothwall is a very easy to configure open source (free) program that will run on an old, inexpensive computer. It may require some technical expertise to set up, but the extra security is well worth the effort. Otherwise your data could be my data whenever I want it.&lt;br /&gt;
&lt;br /&gt;
Rick Aldred, MCSE+Security</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/73758.aspx</link><pubDate>Mon, 30 Oct 2006 21:54:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:73758</guid><dc:creator>ZacMutrux</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/73758.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=73758</wfw:commentRss><description>Why would you want to add the overhead of SSH when Remote Desktop includes its own encryption? &lt;br /&gt;
&lt;br /&gt;
Zac&lt;br /&gt;
&amp;nbsp;</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/73745.aspx</link><pubDate>Mon, 30 Oct 2006 16:32:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:73745</guid><dc:creator>uwlmadmin</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/73745.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=73745</wfw:commentRss><description>Old thread, new article... don&amp;#39;t forget that you can always push Remote Desktop through an SSH tunnel as well. Configure a dumbed down Linux box with public key authentication only and port forward TCP 3389 (UDP not necessary) from your DMZ to your internal network and you have a reasonably secure and encrypted route to your Windows server.</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/56806.aspx</link><pubDate>Sun, 29 May 2005 03:09:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:56806</guid><dc:creator>donc</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/56806.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=56806</wfw:commentRss><description>Hi Dougg,&lt;br /&gt;
&lt;br /&gt;
I&amp;#39;m not sure who you are replying to, but if it&amp;#39;s the observation by Eoconlon (and Zac&amp;#39;s reply) I think you might be missing the context in which this suggestion was made - it IS good advice for a number of reasons:&lt;br /&gt;
&lt;br /&gt;
1/ As noted by Zac this is an effective method of making script &amp;#39;Administrator&amp;#39; attacks less effective&lt;br /&gt;
&lt;br /&gt;
2/ Not every hack attempt is done by a black-hat wiz-kid. Most unauthorised network accesses occur behind the firewall, and are done by staff or others who might be simply experimenting to see if they can &amp;#39;get in&amp;#39; as Administrator. Rarely do these people have the skills to crack a password "in less than two seconds", and renaming or removing the administrator-named account certainly reduces the likelihood of success.  &lt;br /&gt;
&lt;br /&gt;
3/ There is no single aspect to total Systems security - everything you do to make it harder to hack your network adds to the whole and reduces the likelihood of a hacker bothering to spend energy breaking tiered security. &lt;br /&gt;
&lt;br /&gt;
I agree that simply renaming/removing the Administrator account is not a solution in and of itself, but it is one component of a tiered security solution; one more step a hacker has to break to enter your system; one more chance you have of identifying the hacker through logs and other trace-back mechanisms.&lt;br /&gt;
&lt;br /&gt;
Using a passphrase is excellent advice - until someone sees you type it in (or you write it down on a piece of paper somewhere). Like everything to do with computer security, passphrases are just one tool in the arsenal designed to make your security harder to break.&lt;br /&gt;
&lt;br /&gt;
Don</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/56790.aspx</link><pubDate>Sat, 28 May 2005 01:42:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:56790</guid><dc:creator>Douggg</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/56790.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=56790</wfw:commentRss><description>No    No     No!  &lt;br /&gt;
&lt;br /&gt;
This information is NOT correct.  You can not hide the admin account from even the most basic hacker.&lt;br /&gt;
&lt;br /&gt;
PLEASE STOP POSTING PROPAGATING INACCURATE INFORMATION especially when it comes to security.&lt;br /&gt;
&lt;br /&gt;
You should also realize EVERY Microsoft password can be found in less than 2 seconds thanks to Microsoft’s Jet Database engine unless more than 14 characters are used.  &lt;br /&gt;
&lt;br /&gt;
We are no longer using passwords, we are using passphrases.&lt;br /&gt;</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/56751.aspx</link><pubDate>Fri, 27 May 2005 03:03:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:56751</guid><dc:creator>joeforan</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/56751.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=56751</wfw:commentRss><description>RDP to RDP through a pinhole in the DMZ... man that&amp;#39;s just wrong on some primeval level. ;)&lt;br /&gt;
&lt;br /&gt;
I gotta give it a try!&lt;br /&gt;</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/56648.aspx</link><pubDate>Tue, 24 May 2005 21:46:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:56648</guid><dc:creator>obscurant</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/56648.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=56648</wfw:commentRss><description>&lt;blockquote&gt;&lt;div&gt; When I turned the 2 servers back on a couple of days later, the Windows 2000 server came back up with no problems, but the Linux box did not.  The server was corrupt and I had to rebuild as Don has stated.  I am far from a "nix admin," but its fairly obvious that the issue isn&amp;#39;t hardware, but software. &lt;/div&gt;&lt;/blockquote&gt;&lt;br /&gt;
You&amp;#39;re not given much of a choice in filesystem settings under windows, but under linux you are.  A novice might not know that having just one large partition as ext2 is a bad idea.  For filesystems you have choices, you can choose one that does not do journaling and run it without sync (speedy and unsafe), or use sync (slow and safe), or use a journaling one (not so speedy and safe).  &lt;br /&gt;
&lt;br /&gt;
If you had used a journaling filesystem, you would have just lost whatever metadata didn&amp;#39;t get through the transaction.&lt;br /&gt;
&lt;br /&gt;
With just ext2 you are going through the equivalent of scandisk to check the integrity of your filesystem - chances are it will be fine, but there&amp;#39;s always the odd occurrence.</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/56637.aspx</link><pubDate>Tue, 24 May 2005 20:39:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:56637</guid><dc:creator>donc</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/56637.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=56637</wfw:commentRss><description>Agree with Joe above (RDP over RSA Secure ID here to wrap RDP in an SSL session and enforce 2-tier authentication).&lt;br /&gt;
&lt;br /&gt;
If SSL is beyond your means you can minimize the risks outlined by Joe by using a few tricks...&lt;br /&gt;
&lt;br /&gt;
Restrict the IP&amp;#39;s allowed through your firewall on port 3399 (if you are able to allocate and enforce IP&amp;#39;s on your remote connecting workstations)&lt;br /&gt;
&lt;br /&gt;
Set up a &amp;#39;locked&amp;#39; Win2K3 box in the DMZ that only allows traffic on 3399 and use it as an RDP gateway (this server becomes your RDP authentication server through which you access other servers by running RDP within RDP (a terminal session within a terminal session - RDP is much better at this than VNC or ICA)).&lt;br /&gt;
&lt;br /&gt;
Neither of these methods offer the type of security you would get from SSL, however they do make it tougher for someone to get through your firewall to your server farm (where there are probably a bunch of ports open for different purposes).</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/56615.aspx</link><pubDate>Tue, 24 May 2005 15:39:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:56615</guid><dc:creator>joeforan</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/56615.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=56615</wfw:commentRss><description>RDP itself isn&amp;#39;t very secure... moreso than telnet, less than ssh (although I may regret saying that since SSH does have holes in it&amp;#39;s implementation). I personally like ICA over SSL - it&amp;#39;s keyboard/video/mouse information only, compressed into the ultra-thin ICA protocol, and wrapped in a cozy SSL blanket for security. Of course, encrypting the file system on the remote and local hosts and securing the connection with an IPSec VPN as well would make things even more secure, but that might be going overboard. :)&lt;br /&gt;
&lt;br /&gt;
On the serious side, RDP&amp;#39;s main flaw is that there is *no* authentication in the protocol prior to reaching the Windows Domain (or server), which means that your first authentication is right into the heart of your network. In most cases this is a serious risk, as many times RDP is enabled by opening a gaping hole in the firewall at port 3399. My comment above on the IPSec VPN is actually semi-serious... preferably an RDP session should only be allowable once  an IPSec (or SSL) VPN that auths to a RADIUS or other external authentication implementation has been established.</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/56604.aspx</link><pubDate>Tue, 24 May 2005 04:03:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:56604</guid><dc:creator>cb@cb</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/56604.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=56604</wfw:commentRss><description>On the subject of security, does anyone know how secure/well encrypted the Remote Desktop Protocol is? I&amp;#39;m not guarding military secrets here, but I also know you shouldn&amp;#39;t use telnet on the internet if your sending anything important. 
Judging by this discussion, it is not anything to worry about, but I was wondering what thoughts or information people had.</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/56443.aspx</link><pubDate>Wed, 18 May 2005 14:42:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:56443</guid><dc:creator>glamontagne</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/56443.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=56443</wfw:commentRss><description>Obs, a couple of years ago while I was in college, we had to demonstrate the ability to install different Server Operating systems.  We had identical hardware in our lab for each machine the OS was installed on.  The power went out when someone knocked down a utility pole and class was cancelled.  When I turned the 2 servers back on a couple of days later, the Windows 2000 server came back up with no problems, but the Linux box did not.  The server was corrupt and I had to rebuild as Don has stated.  
I am far from a "nix admin," but its fairly obvious that the issue isn&amp;#39;t hardware, but software.</description></item><item><title>RE: Discuss remote administration for Windows Server</title><link>http://forums.techsoup.org/cs/forums/thread/56354.aspx</link><pubDate>Tue, 17 May 2005 14:31:00 GMT</pubDate><guid isPermaLink="false">caa7681b-025a-49ce-809f-7435bfe4d232:56354</guid><dc:creator>joeforan</dc:creator><slash:comments>0</slash:comments><comments>http://forums.techsoup.org/cs/forums/thread/56354.aspx</comments><wfw:commentRss>http://forums.techsoup.org/cs/forums/commentrss.aspx?SectionID=14&amp;PostID=56354</wfw:commentRss><description>This is a very interesting topic for a security or *nix thread, but to wheel things around to the "remote administration for Windows Server" side again, I was wondering if anyone here has any experience with using SSL to remotely connect to admin tools?&lt;br /&gt;
&lt;br /&gt;
One idea that had hit me back when I worked on Citrix servers frequently was to put up a secure NFuse server that would connect back to a MetaFrame box running common Windows admin tools as published apps. I never implemented it though, due to cost issues. I&amp;#39;d love to hear if anyone has done anything similar, and how it worked (I&amp;#39;m particularly interested because of the increasing use of SSL VPNs).</description></item></channel></rss>