masheen (United States of America) asked:

Any security issues that I should be aware of with remote desktop.

I admin a small mortgage company. I have been installing remote desktop on our loan officers' workstations so that they can work from home. I have forwarded the necessary ports to static IP addresses on the internal network (we use DHCP, but I changed sales to static). I can connect from any remote location just fine. What are the main security issues that I should be concerned with?
I have a Linksys router with no firewall, W2K Server, XP, W2K Pro.
Thanks,
ASKER CERTIFIED SOLUTION
Joseph_Moore
TheBrothaULuv2H8

I agree with Joe Moore.... Then I suggest...


1.  Change the default port to something different.

2.  Make sure your staff is using STRONG passwords (no exceptions, enforce with a GPO).

3.  Consider setting up a firewall and/or some sort of ACL (access list). If each user is ONLY allowed to work from home, force them to get a static IP, and place their static IPs on the list of ALLOWED inbound remote desktop connections.

Hope that points you in the right direction.
Set up the server to only accept 128-bit encrypted sessions through the local security MMC, and also set up IPsec for the NIC and IP address on the server. Also best to invest in a personal firewall solution that supports port scan detection and a few other things. Also block all NetBIOS ports. And just for kicks, I've been looking into how to go about using an SSL proxy with RDP, 'cause once SSL works, there are free programs for Linux to tunnel SSH through SSL. Might take a while to get it up and running, but once it's there you've got SSL, SSH and IPsec all at 128-bit to protect you ;-) and a firewall.
Well, good luck.
Normally I'd say phooey, use long passwords with a couple of ALT characters (functions solely based on wordlists) and you'll be OK, but the nature of your business rates a little higher level of diligence. Encryption levels don't mitigate a TSCRACK effort, strong passwords do, though strong encryption levels do prevent eavesdropping should someone drop a sniffer on one of your systems.

Implementing VPNs to your firewall sets up another level of authentication to get through.
Static IPs were mentioned, but even allowing only the netblock of their provider knocks out a lot of avenues of attack if they can't get static IPs.
Sounds crude, but dial-up with dial-back response is adequate for TS and ensures that only calls made from the telephone numbers you authorize get through.
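The two controls discussed in this thread, an allow-list of home IPs or provider netblocks for inbound remote desktop, and strong passwords because a TSCRACK-style guessing run is what really threatens an exposed Terminal Server, can both be checked from the logon records. The script below is an added example, not from any poster on this page: it applies a source-address ACL and flags sources with repeated failed logons inside a short window. The netblocks, log format, user names and timestamps are all constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Allowed remote sources: one static home IP and one ISP netblock (constructed values).
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.7/32", "198.51.100.0/24")]
# Constructed sample log: "<timestamp> <source IP> <outcome> <user>", one logon attempt per line.
SAMPLE_LOG = """\
2004-03-01T08:00:01 203.0.113.7 SUCCESS jsmith
2004-03-01T08:00:30 198.51.100.23 FAILURE mlee
2004-03-01T08:00:41 198.51.100.23 SUCCESS mlee
2004-03-01T08:01:02 192.0.2.44 FAILURE administrator
2004-03-01T08:01:05 192.0.2.44 FAILURE administrator
2004-03-01T08:01:09 192.0.2.44 FAILURE administrator
2004-03-01T08:01:12 192.0.2.44 FAILURE administrator
2004-03-01T08:01:15 192.0.2.44 FAILURE administrator
"""

def is_allowed(src):
    """True if src falls inside one of the allowed netblocks (the ACL check)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def parse_log(text):
    """Parse the constructed log into (timestamp, source, outcome, user) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, outcome, user = line.split()
        events.append((datetime.fromisoformat(ts), src, outcome, user))
    return events

def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Sources with at least `threshold` failed logons inside any `window`-long span."""
    failures = defaultdict(list)
    for ts, src, outcome, _ in events:
        if outcome == "FAILURE":
            failures[src].append(ts)
    flagged = set()
    for src, times in failures.items():
        times.sort()
        # For each failure, count the later failures that still fall inside the window.
        for i, first in enumerate(times):
            if sum(1 for t in times[i:] if t - first <= window) >= threshold:
                flagged.add(src)
                break
    return flagged

def review(text):
    events = parse_log(text)
    denied = sorted({src for _, src, _, _ in events if not is_allowed(src)})
    return {"denied_sources": denied, "brute_force": sorted(brute_force_sources(events))}
```

A single failed logon from an allowed address (mlee mistyping a password) is not flagged, while the rapid run of failures from the address outside the allow-list is reported both as denied by the ACL and as a guessing attempt.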




You can take the following steps to enhance your perimeter security:

1. Apply ACL to Linksys router to filter unnecessary services (ports) to external.
2. Harden the Web server with IPSec.
http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
3. Use Group Policy to harden the Terminal Server to have more restricted access control
http://support.microsoft.com/?kbid=278295
4. Set up VPN for remote access by using SSL on Windows
http://openvpn.sourceforge.net/
5. Install an anti-virus program on the servers to scan the remote workstations when they log in, to prevent viruses/worms coming from the remote users' machines.

Your main security issue is the remote users' machines. The remote machines need to be hardened, because a trojan horse or a hacker who breaks into a remote user's machine can attack the office servers through the VPN into the internal network (U-Turn Hacking).
You might want to read this article as well:
http://www.mcpmag.com/columns/article.asp?EditorialsID=139
Rich Rumble
Rdp just got less secure...
Cain & Abel v2.7.3 released
New features:
- RDPv4 session sniffer for APR
Cain can now perform man-in-the-middle attacks against the heavily encrypted Remote Desktop Protocol (RDP), the one used to connect to the Terminal Server service of a remote Windows computer. The entire session from/to the client/server is decrypted and saved to a text file. Client-side keystrokes are also decoded to provide some kind of password interception. The attack can be completely invisible because of the use of APR (ARP Poison Routing) and other protocol weaknesses.
-rich