
Solved

Terminal Services - How safe are we for remote admin?

Posted on 2006-06-30
15
Medium Priority
366 Views
Last Modified: 2010-04-20
I've been debating the safety of Terminal Services with a couple of other IT professionals and I'd like to see if we can reach a consensus. Here are the facts of a typical situation:

1. Small network with just one file server
2. Windows 2003 Server or Windows 2003 Small Business Server
3. Netgear or Linksys router with a cable modem attached.
4. Static IP address is assigned to the router or they are using DYNDNS.ORG
5. Router has port 3389 forwarding to the internal LAN address of the server.
6. The administrator account has permission to log in remotely via Terminal Services (RDP) as either a normal user or with the /console switch to gain console access.
7. Assume strong passwords are enforced on the server

The issue of debate is: How risky is this scenario?

I'd love to get as many opinions as I can.

Thanks!

Paul



0
Comment
Question by:paul_lcs
15 Comments
 
LVL 13

Expert Comment

by:prashsax
ID: 17019846
Rename your administrator account.
This provides an attacker a point to start an attack.

If you want real secure access to your server, you can consider using Hamachi (http:www.hamachi.cc).
It's a free VPN product, and can connect any number of machines securely.





0
 

Author Comment

by:paul_lcs
ID: 17020830
Thank you for the comment Prashsax. I'll check out the site you referenced.

The question though is how great a risk is this without a VPN? Assuming, remember, that the accounts use strong passwords and not dictionary words, how can security be compromised?
0
 
LVL 13

Assisted Solution

by:prashsax
prashsax earned 400 total points
ID: 17020958
People do use Terminal Services over the Internet, and with proper setup it can provide good security.

In Windows Server 2003, you can configure TS to use TLS for server authentication and data encryption. This is extremely important for anyone running TS over the Internet.

http://support.microsoft.com/?id=895433
0

 
LVL 48

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 400 total points
ID: 17022014
It isn't a bad setup that you have, and a very common one for small businesses without VPN capabilities. Ideally, a VPN server would be more secure, but as long as you have strong authentication rules as mentioned above, you should be OK.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 1200 total points
ID: 17028218
Paul, a further lock down will be to restrict the source addresses. Set the external router/firewall/whatever to only allow port 3389 from selected source addresses to the servers.

If you are running SBS and ISA Server or a good firewall, you can further lock it down by changing the source ports and then redirecting them to 3389 as a further security measure.

In truth, ANY hole that you make in your external security perimeter is exactly that: a hole. The best you can do is to minimise the risk of the hole.

Regards
Keith
0
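Two of the safeguards raised in this thread, protecting the built-in administrator account (prashsax) and restricting 3389 to selected source addresses (Keith), can be checked against the server's own security log. The following is an added example, not code from the original discussion; it assumes constructed log records modelled on Windows Server 2003 logon events (528 success, 529 bad user name or password, logon type 10 for RDP) and an assumed allowed source range.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records modelled on Windows Server 2003 security log fields:
# (time, event id, logon type, account, source IP).
# 528 = successful logon, 529 = bad user name or password, logon type 10 = RDP.
SAMPLE_EVENTS = [
    ("2006-06-30 01:00:00", 529, 10, "administrator", "203.0.113.9"),
    ("2006-06-30 01:00:02", 529, 10, "administrator", "203.0.113.9"),
    ("2006-06-30 01:00:04", 529, 10, "administrator", "203.0.113.9"),
    ("2006-06-30 01:00:05", 529, 10, "admin", "203.0.113.9"),
    ("2006-06-30 01:00:07", 529, 10, "administrator", "203.0.113.9"),
    ("2006-06-30 09:15:00", 528, 10, "paul", "198.51.100.20"),
    ("2006-06-30 09:16:00", 528, 10, "administrator", "203.0.113.9"),
    ("2006-06-30 11:00:00", 529, 10, "paul", "198.51.100.20"),
]

# Source addresses the router/firewall is supposed to allow for 3389 (assumed).
ALLOWED_SOURCES = [ip_network("198.51.100.0/24")]


def rdp_alerts(events, allowed_sources, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (alert kind, source IP) pairs derived from RDP logon events."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of failed RDP logons
    for ts, event_id, logon_type, account, src in events:
        if logon_type != 10:  # only RDP (RemoteInteractive) logons are of interest
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        src_ip = ip_address(src)
        if event_id == 529:
            # Password guessing: keep only failures inside the window, then count them.
            failures[src].append(when)
            failures[src] = [t for t in failures[src] if when - t <= window]
            if len(failures[src]) >= threshold:
                alerts.append(("password_guessing", src))
                failures[src].clear()
        elif event_id == 528:
            # A successful RDP logon from outside the allowlisted ranges means the
            # source-address restriction on the router is missing or bypassed.
            if not any(src_ip in net for net in allowed_sources):
                alerts.append(("logon_from_unlisted_source", src))
            if account.lower() == "administrator":
                alerts.append(("builtin_admin_rdp_logon", src))
    return alerts

if __name__ == "__main__":
    for kind, src in rdp_alerts(SAMPLE_EVENTS, ALLOWED_SOURCES):
        print(f"{kind}: {src}")
```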
 

Author Comment

by:paul_lcs
ID: 17207424
I guess if we can't leave it open longer, then we can't leave it open longer. This is an important topic and I was hoping to get more responses.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17235032
I am happy to continue working on this one subject to some feedback or further clarification/streamlining of the requirement.

Regards
keith
0
 

Author Comment

by:paul_lcs
ID: 17274001
Thanks Keith.

It seems there's a knee-jerk reaction when someone says "Hey, you've opened a port up, so now your machine is exposed to the internet." I'm really trying to get my arms around whether this really is a serious and exploitable threat.

See Prashsax's first response suggesting the use of a VPN. Of course VPN is fine, but that would require client-side configuration and, ultimately, maintenance.

Paul
0
 
LVL 51

Accepted Solution

by:Keith Alabaster
Keith Alabaster earned 1200 total points
ID: 17283033
This is true, but it is fairly uniform across the board. SBS has one of the more secure functions, though, in that you can use the SBS wizards to actually create the VPN configuration locally with the CMAK (Connection Manager). The only VPN options you have with practically zero maintenance are the SSL VPNs (web-based), such as that provided on the Cisco concentrators or the newer all-in-one units, and letting these call the //SBS_server/TSWEB.

Setting up the RADIUS services linked to the SSL concentrator for authentication, the user must authenticate first to get onto the concentrator from outside; the concentrator stops the user and presents the http//server/tsweb page, allowing you to log in to the server(s) you want to administer, but it still needs the full username/password combo. The neat part is that the external user never actually gets onto the internal network, as the concentrator proxies the requests, plus zero maintenance on the client as it is called from a web browser.

Link the RADIUS into your active directory and you have a good, secure base, no remote administration on a client.

SBS is a cool product.

Regards
Keith

0
 

Author Comment

by:paul_lcs
ID: 17295085
Yeah, that does sound pretty cool, but in your assessment, how hard is it to set up and get working? I heard RADIUS wasn't real simple. - Lots of steps and lots to go wrong.

And what to do about those not running SBS?

Paul
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17297378
SBS (Microsoft) has its own RADIUS server and is wizard driven. The Concentrator just makes the call back to the SBS box. Yes, it is another area that 'could' be a point of failure, although in itself it is another security point. You make your decision based upon the level of security that either the data you are protecting (or your company IT Policy) dictates.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17301177
Thank you :)
0

Question has a verified solution.
