Solved

Remote Desktop Connection Vulnerable-Showing up in Start Menu "Recently Accessed Applications"

Posted on 2003-11-20
Last Modified: 2008-02-01
I'm worried.

I am using my computer just behind my wireless router but usually I keep it behind my wired router (double NAT).  In order to use a certain app, I have to forward the port directly to my pc.

well...

Since I've been doing this (about 2 weeks), I am now seeing the Remote Desktop Application show up like it's been used....

How can/where can I check to see if someone is calling it up or if my system is being compromised?


thanks!
giz
0
Question by:gizmoadria
31 Comments
 
LVL 32

Expert Comment

by:Luc Franken
Hi gizmoadria,

Install a firewall, or use the built-in one from winXP. If you're really worried about it, just try scanning for ad/spyware:

SpyBot-S&D

SpyBot-S&D is an adware and spyware detection and removal tool. This includes removal of certain advertising components, that may gather statistics as well as detection of various keylogging and other spy utilities. In addition, it also securely removes PC and Internet usage tracks, including browser history, temporary pages, cookies (with option to keep selected) and more. The program offers an attractive outlook-style interface that is easy to use and multi-lingual. SpyBot-S&D allows you to exclude selected cookies, programs or extensions from being reported, allowing you to prevent false positive messages for items that you don't want to be alerted of every time. It can even scan your download directory for files that have been downloaded, but not yet installed, allowing you to detect unwanted programs before you even install them. SpyBot produces a detailed and easy to understand report before it deletes any files and allows you to deselect any item that you do not want to be processed. In addition, a recovery feature allows you to restore your settings if needed. Very nice tool, that exceeds the capabilities of the popular Ad-Aware application.

http://www.webattack.com/download/dlspybot.shtml

Ad-aware

AdAware is a privacy tool, that scans your memory, registry, hard, removable and optical drives for known data-mining, aggressive advertising, and tracking components. It then lists the results and offers to remove or quarantine the components. The program detects a wide range of adware/spyware related issues and can be updated with the latest signatures via the built-in update utility. Please be advised that removing certain components may impact the functionality of affected software applications. You should fully read the included Ad-aware documentation before removing any files!

http://www.webattack.com/download/dladaware.shtml


HijackThis

HijackThis is a tool, that lists all installed browser add-ons, buttons, startup items and allows you to inspect them, and optionally remove selected items. The program can create a backup of your original settings and also ignore selected items. Additional features include a simple list of all startup items, default start page, online updates and more. Intended for advanced users.

http://www.webattack.com/download/dlhijackthis.shtml

Keylogger Hunter

Keylogger Hunter is a program that attempts to detect any keyloggers that may be running on your computer. It performs a system analysis, which takes about 3-5 minutes and then produces a list of suspicious files (if any). It detected 2 out of 3 running keyloggers in our test. Future versions are planned to be shareware.

http://www.webattack.com/download/dlklhunter.shtml

KL-Detector

KL-Detector is designed to provide a way to find out whether your activity is being recorded with a keylogger application. It uses the fact that most keyloggers create a hidden log file on your hard drive and therefore scans for any suspicious activity during a test period that you have to initiate. Basically, it asks you to use the keyboard for several minutes, type some text or do similar activities, while it is monitoring your system to check if it can detect any suspicious logging activity. KL-Detector is intended for occasional use and not as a permanently running program, as normal PC activity may cause false positives. During our test, it did detect changes in a keylogger log file (that we installed), but it did not find the activity suspicious enough to warn us. Advanced users may get value by inspecting the logged items, however novice users should not rely on the results.

http://www.webattack.com/download/dlkldetector.shtml

X-Cleaner Free

XCleaner is a privacy tool suite that detects and removes installed spyware and adware components and includes tools to securely delete files, edit the registry, disable startup programs and more. Additional features include IE home page protection, cookie, cache and history cleaning, built-in password generator and more. This free version also contains some additional feature options, however they are disabled and require upgrade to a full version. The spyware and adware scanning as well as many cleaning features however can be used freely.

http://www.webattack.com/download/dlxcleaner.shtml

SpywareBlaster

SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage. This allows you to run Internet Explorer with Active-X enabled, but it will never download or even prompt you for any of the known ActiveX controls. All other Active-X controls or plug-ins will work fine. The SpywareBlaster database contains information on these known spyware Active-X controls and can be updated with the click of a button. The application window displays a list of all controls that it is able to detect (this is not a list of what was found on your computer). The program cannot detect if you have any of the known objects already installed, but if you do, they will be disabled. The program also allows you to take a snapshot of your computer (certain settings) in its clean state and later revert many changes made by spyware and browser hijackers.

http://www.webattack.com/download/dlspywareblaster.shtml

SpywareGuard

SpywareGuard provides a real-time protection solution against so-called spyware. It works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected. If this is the case, it initially blocks access to the file and then allows the user to select an action. SpywareGuard provides a fast scanning engine, signature-based scanning, heuristic/generic scanning, a control panel, and an online-update utility for downloading of definition updates. It does not replace your anti-virus protection, but instead detects programs that may cause privacy concerns. The list of detected programs includes AdBreak, AdultLinks/LinkZZ, Brilliant Digital, CommonName, Cytron, FreeScratchAndWin, FriendGreetings, HighTraffic, HotBar, IEDisco, iGetNet, Lop.com, MoneyTree Dialer and others.

http://www.webattack.com/download/dlspywareguard.shtml


Greetings,

LucF
0
 
LVL 49

Expert Comment

by:sunray_2003
Have you disabled Remote Desktop Connection? If you are not using it, why unnecessarily open it?

Sunray
0
 
LVL 32

Expert Comment

by:Luc Franken
hmmz, didn't think of that.... ;-)
0
 

Author Comment

by:gizmoadria
LucF,

I know about Spyware detection software.  My, you did list a bunch!

I guess what I'm looking for is a way to determine the last time that application was launched...
Is there a command called secedit?

I know about the eventviewer but....does that track all exe's?


thanks!
0
 
LVL 49

Expert Comment

by:sunray_2003
0
 
LVL 21

Accepted Solution

by:gemarti
gemarti earned 300 total points
Turn on Security Auditing. You can do this like so:

START | RUN | GPEDIT.MSC
Navigate to:
Local Computer | Computer Configuration | Windows Settings | Security Settings | Local Policy | Audit Policy

In this section you can enable Success Failure audits of your system being accessed.
0
 

Author Comment

by:gizmoadria
gemarti,

I'm liking where you're going with it.


Which of the items in Audit Policy would I turn on?  There are quite a few.  Then, to access the records, I would use the event viewer?

Can I specify certain files?  (such as the remote desktop service/application)?


thanks,
giz
0
 
LVL 24

Expert Comment

by:Kenneniah
Once you enable file and object access auditing, you'd then go to explorer, right click on the files and/or folders you want to audit, select sharing and security, then on the security tab click on the advanced button. From there go to the auditing tab.
0
 

Author Comment

by:gizmoadria
wow, Kenneniah....you're super smart!

Can we split points anymore????
0
 
LVL 21

Assisted Solution

by:gemarti
gemarti earned 300 total points
>>Which of the items in Audit Policy would I turn on?  
I would turn on Success Failure for:
Audit Logon Events
Audit Management
Audit Logon Events
Audit Object Access
Audit Policy Change
Audit Privilege Use
Audit Process Tracking
Audit System Events


You can then monitor them :
START | RUN | EVENTVWR.MSC
Open:
Security log


>>Can I specify certain files?  (such as the remote desktop service/application)?
I'm checking.
0
 
LVL 21

Expert Comment

by:gemarti
Kenneniah: Excellent suggestion. I forgot all about that.
0
 
LVL 21

Expert Comment

by:gemarti
Yes you can split the points. It is just above where you enter your comments:

   Split Points  
  Question Bookmark: Add  
   Post a Comment: (Question and Answer tips)
 ____________________________________________________________

"  text entry area "

____________________________________________________________
0
 
LVL 24

Expert Comment

by:Kenneniah
No need to split the points, it was Gemarti's idea to use auditing, I just helped explain how to (with a few wonderful typos in the process) :P
0
 

Author Comment

by:gizmoadria
gemarti,

Waiting to hear back if you can specify certain files or directories to award points.

Raising points to 350...
0
 
LVL 24

Assisted Solution

by:Kenneniah
Kenneniah earned 100 total points
Yes you can specify  specific files/folders etc. Just do as I mentioned previously. Right click on the file etc etc etc.
For remote desktop you'd right click on %SystemRoot%\System32\mstsc.exe, select properties. Hit the Advanced button on the Security Tab. Then go to the auditing tab, hit add, then to watch for anyone just type in Everyone. It will then bring up a box where you can select what all you want to audit. After that, if you've turned on auditing using what Gemarti said, you can look in the security log in event viewer to see who, and from what computer is accessing those files.
0

 
LVL 21

Expert Comment

by:gemarti
Sorry, I obviously missed an email about this and I got busy with other projects and didn't get back to you on the files/folders question; but Kenneniah has the right idea.
0
 

Author Comment

by:gizmoadria
Then choose "Replace Auditing Entries..."  correct?

0
 

 

Author Comment

by:gizmoadria
I guess what I'm looking for is a log of attempts to access my computer or shares from other machines on my network (and beyond)

Having too many audit reports flushes the logs a lot sooner and causes me to have to sift through things.

Can either of you describe the exact steps to take to allow the following example:

1) I have an XP system.  It automatically has an administrative share of C$.  How can I only track success/failures of other systems/other users attempts?

Thanks!
Raising points to 400
0
 
LVL 24

Expert Comment

by:Kenneniah
Correct
0
 
LVL 21

Expert Comment

by:gemarti
Where are you seeing "Replace Auditing Entries" ?

0
 
LVL 21

Assisted Solution

by:gemarti
gemarti earned 300 total points
It is a normal practice on my servers to increase the log file size to 4096KB.

You can do this by opening eventvwr.msc (START | RUN | EVENTVWR.MSC)
Right click the security log
Click Properties
Set a Maximum Log size limit.

I assume you are planning on checking the logs since you are going through the trouble of setting up auditing...yes?
0
 
LVL 21

Expert Comment

by:gemarti
If reviewing the logs is part of your plan you can periodically export the logs to another file for archival purposes.

0
 
LVL 21

Expert Comment

by:gemarti
>>Where are you seeing "Replace Auditing Entries" ?
You must be looking at your security log properties correct?

Why not tell it to "Not override events (clear log manually)" ? This will force you to get into the habit of reviewing the logs.

0
 
LVL 24

Expert Comment

by:Kenneniah
He's talking about the "Replace auditing entries on all child objects etc." checkbox when changing it on a folder.
0
 
LVL 21

Expert Comment

by:gemarti
Ah I see now. Thanks.
0
 

Author Comment

by:gizmoadria
"she"

heh heh.

So if I change the log file size.

I guess what I'm seeing when I go in, the Event Viewer, I'd like to only see external attempts... Not every time I opened the file or folder...

I will look at this tonight again.

Thanks!
0
 
LVL 21

Expert Comment

by:gemarti
:) I always try to stay away from the gender stuff. :)
0
 
LVL 24

Expert Comment

by:Kenneniah
Oops :)
0
 
LVL 21

Expert Comment

by:gemarti
>>I guess what I'm seeing when I go in, the Event Viewer, I'd like to only see external attempts... Not every time I opened the file or folder...

I don't think we can get you to that level. It may be possible to write a script that would parse out your logon/logoff attempts from the security log, but I'm not sure. I know there are scripts that you can run to view the logs, but the parsing of data is another story.
0
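An added example, not part of the original thread and not any poster's code: a Python filter of the kind discussed above, which keeps only logon events that came from another machine, read from a Security log exported from Event Viewer as CSV. The nine-column layout, the flattened description fields and the sample rows are assumptions constructed for illustration; the event IDs and logon types are the Windows XP / Server 2003 values, recorded when "Audit logon events" is enabled.

```python
import csv
import io
import re

# Windows XP / Server 2003 Security log event IDs (pre-Vista numbering).
SUCCESS_IDS = {528, 540}                    # successful logon, network logon
FAILURE_IDS = set(range(529, 538)) | {539}  # logon failures, by reason
REMOTE_TYPES = {"3": "network", "10": "remote desktop"}  # logon types kept
LOOPBACK = {"127.0.0.1", "::1"}
FIELD = re.compile(r"(User Name|Logon Type|Source Network Address):\s*(\S+)")

# Constructed sample export; column order and description text are assumed.
SAMPLE_EXPORT = r"""11/20/2003,7:02:11 PM,Security,Success Audit,Logon/Logoff,528,GIZ-PC\giz,GIZ-PC,Successful Logon: User Name: giz Logon Type: 2 Source Network Address: 127.0.0.1
11/20/2003,7:41:09 PM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,GIZ-PC,Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Logon Type: 10 Source Network Address: 203.0.113.45
11/20/2003,7:43:30 PM,Security,Success Audit,Logon/Logoff,528,GIZ-PC\giz,GIZ-PC,Successful Logon: User Name: giz Logon Type: 10 Source Network Address: 203.0.113.45
11/20/2003,8:05:12 PM,Security,Success Audit,Logon/Logoff,540,GIZ-PC\giz,GIZ-PC,Successful Network Logon: User Name: giz Logon Type: 3 Source Network Address: 192.168.1.12
11/20/2003,8:06:40 PM,Security,Success Audit,Object Access,560,GIZ-PC\giz,GIZ-PC,Object Open: Object Name: C:\WINDOWS\system32\mstsc.exe
"""


def remote_logons(export_text):
    """Return (time, outcome, kind, user, address) for logons from other machines."""
    hits = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) < 9 or not row[5].isdigit():
            continue                      # blank, header or truncated row
        event_id = int(row[5])
        if event_id in SUCCESS_IDS:
            outcome = "success"
        elif event_id in FAILURE_IDS:
            outcome = "failure"
        else:
            continue                      # not a logon event (e.g. object access)
        # Re-join in case the description itself contained commas.
        fields = dict(FIELD.findall(",".join(row[8:])))
        kind = REMOTE_TYPES.get(fields.get("Logon Type"))
        address = fields.get("Source Network Address", "unknown")
        if kind is None or address in LOOPBACK:
            continue                      # console logon or local loopback
        hits.append((f"{row[0]} {row[1]}", outcome, kind,
                     fields.get("User Name", "?"), address))
    return hits


if __name__ == "__main__":
    for hit in remote_logons(SAMPLE_EXPORT):
        print(*hit, sep="  ")
```

Filtering on logon type rather than on file access is what separates a Remote Desktop or share logon from another machine from the owner's own console session.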
 
LVL 21

Expert Comment

by:gemarti
Thank you.
0
