JP_TechGroup
asked on
Secure RDP Sessions to Windows Server 2003 with SSH like key?
Is it possible to set up a public / private key arrangement to secure Windows terminal services, much like Linux secures ssh connections?
ASKER
OYE! and OYE again.
Heaven forbid it should be easy!
Unfortunately, my users are doing well if they can remember which icon to click on and what their password is. Adding another layer of user interactive security is not an option. Thus, I was hoping for a public/private key setup that need only be configured once on each machine.
Are there other commercial alternatives that are seamless or at least more seamless than SSH or VPN? Google isn't bringing up much. Thanks.
The latest version of the RDP client allows the client to authenticate the server via standard certificates over TLS. This is if you are concerned about man in the middle attacks over your LAN. If you are connecting over the Internet, you should be using Remote Desktop Gateway, which wraps the RDP traffic inside SSL/TLS and uses computer certificates to authenticate the servers and encrypt the connections. This only works with Windows XP SP3 clients and better and Windows 2008 Servers or better.
http://technet.microsoft.com/en-us/library/cc770833.aspx
http://technet.microsoft.com/en-us/library/cc732713.aspx
http://blogs.technet.com/b/askperf/archive/2008/02/16/ws2008-network-level-authentication-and-encryption.aspx
ASKER
In title:
Secure RDP Sessions to Windows Server 2003...
:)
Sorry, I missed that. Use TS Gateway or IPSec.
ASKER
Ok, riddle me this. How is VPN any more secure against brute force attacks? The MITM attacks are less of a concern than this much more real threat, which we are currently dealing with. What am I missing?
VPN is easy to configure with certs. That's how. Also, with multiple RDP hosts you increase your points of entry, but with VPN you have a single point to monitor.
What exactly is the threat model that you are concerned with?
RDP is encrypted to begin with, but is subject to MITM because the client doesn't normally authenticate the end point, and you can't authenticate it with Windows 2003. RDP uses 128-bit RC4 or TLS, so cryptographic attack against the data stream isn't practical. If you connect to TS Gateway (available on SBS 2003 or Windows 2008, can be used with 2003 TS server), the RDP protocol is tunneled inside an SSL session, which is authenticated via computer certificates just like SSL in your browser. That is very secure from an authenticated endpoint and data privacy standpoint.
It is possible to use client certificate authentication with recent versions of MSTSC - you need to have a corporate CA, but that's standard as well these days.
ASKER
Kevin,
We are experiencing a prolonged brute force attack on our terminal server from multiple IPs which change every 24 hours or so. Ideally, I would like to prevent anyone that does not have a key or certificate installed on their PC which matches a corresponding key or certificate from even being able to connect.
ASKER CERTIFIED SOLUTION
remark Block traffic from International Networks and invalid networks
deny ip 0.0.0.0 0.255.255.255 any
deny ip 1.0.0.0 0.255.255.255 any
deny ip 2.0.0.0 0.255.255.255 any
deny ip 5.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 23.0.0.0 0.255.255.255 any
deny ip 27.0.0.0 0.255.255.255 any
deny ip 31.0.0.0 0.255.255.255 any
deny ip 36.0.0.0 0.255.255.255 any
deny ip 37.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 42.0.0.0 0.255.255.255 any
deny ip 57.0.0.0 0.255.255.255 any
deny ip 58.0.0.0 0.255.255.255 any
deny ip 59.0.0.0 0.255.255.255 any
deny ip 60.0.0.0 0.255.255.255 any
deny ip 61.0.0.0 0.255.255.255 any
deny ip 62.0.0.0 0.255.255.255 any
deny ip 77.0.0.0 0.255.255.255 any
deny ip 78.0.0.0 0.255.255.255 any
deny ip 79.0.0.0 0.255.255.255 any
deny ip 80.0.0.0 0.255.255.255 any
deny ip 81.0.0.0 0.255.255.255 any
deny ip 82.0.0.0 0.255.255.255 any
deny ip 83.0.0.0 0.255.255.255 any
deny ip 84.0.0.0 0.255.255.255 any
deny ip 85.0.0.0 0.255.255.255 any
deny ip 86.0.0.0 0.255.255.255 any
deny ip 87.0.0.0 0.255.255.255 any
deny ip 88.0.0.0 0.255.255.255 any
deny ip 89.0.0.0 0.255.255.255 any
deny ip 90.0.0.0 0.255.255.255 any
deny ip 91.0.0.0 0.255.255.255 any
deny ip 92.0.0.0 0.255.255.255 any
deny ip 93.0.0.0 0.255.255.255 any
deny ip 94.0.0.0 0.255.255.255 any
deny ip 95.0.0.0 0.255.255.255 any
deny ip 100.0.0.0 0.255.255.255 any
deny ip 101.0.0.0 0.255.255.255 any
deny ip 102.0.0.0 0.255.255.255 any
deny ip 103.0.0.0 0.255.255.255 any
deny ip 104.0.0.0 0.255.255.255 any
deny ip 105.0.0.0 0.255.255.255 any
deny ip 106.0.0.0 0.255.255.255 any
deny ip 109.0.0.0 0.255.255.255 any
deny ip 110.0.0.0 0.255.255.255 any
deny ip 111.0.0.0 0.255.255.255 any
deny ip 112.0.0.0 0.255.255.255 any
deny ip 113.0.0.0 0.255.255.255 any
deny ip 114.0.0.0 0.255.255.255 any
deny ip 115.0.0.0 0.255.255.255 any
deny ip 116.0.0.0 0.255.255.255 any
deny ip 117.0.0.0 0.255.255.255 any
deny ip 118.0.0.0 0.255.255.255 any
deny ip 119.0.0.0 0.255.255.255 any
deny ip 120.0.0.0 0.255.255.255 any
deny ip 121.0.0.0 0.255.255.255 any
deny ip 122.0.0.0 0.255.255.255 any
deny ip 123.0.0.0 0.255.255.255 any
deny ip 124.0.0.0 0.255.255.255 any
deny ip 125.0.0.0 0.255.255.255 any
deny ip 126.0.0.0 0.255.255.255 any
deny ip 175.0.0.0 0.255.255.255 any
deny ip 176.0.0.0 0.255.255.255 any
deny ip 177.0.0.0 0.255.255.255 any
deny ip 178.0.0.0 0.255.255.255 any
deny ip 179.0.0.0 0.255.255.255 any
deny ip 180.0.0.0 0.255.255.255 any
deny ip 181.0.0.0 0.255.255.255 any
deny ip 182.0.0.0 0.255.255.255 any
deny ip 183.0.0.0 0.255.255.255 any
deny ip 185.0.0.0 0.255.255.255 any
deny ip 186.0.0.0 0.255.255.255 any
deny ip 187.0.0.0 0.255.255.255 any
deny ip 189.0.0.0 0.255.255.255 any
deny ip 190.0.0.0 0.255.255.255 any
deny ip 193.0.0.0 0.255.255.255 any
deny ip 194.0.0.0 0.255.255.255 any
deny ip 195.0.0.0 0.255.255.255 any
deny ip 197.0.0.0 0.255.255.255 any
deny ip 200.0.0.0 0.255.255.255 any
deny ip 201.0.0.0 0.255.255.255 any
deny ip 202.0.0.0 0.255.255.255 any
deny ip 210.0.0.0 0.255.255.255 any
deny ip 211.0.0.0 0.255.255.255 any
deny ip 212.0.0.0 0.255.255.255 any
deny ip 213.0.0.0 0.255.255.255 any
deny ip 217.0.0.0 0.255.255.255 any
deny ip 218.0.0.0 0.255.255.255 any
deny ip 219.0.0.0 0.255.255.255 any
deny ip 220.0.0.0 0.255.255.255 any
deny ip 221.0.0.0 0.255.255.255 any
deny ip 222.0.0.0 0.255.255.255 any
deny ip 223.0.0.0 0.255.255.255 any
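Added example, not part of the original thread or any poster's configuration: a small Python evaluator for entries in the format posted above, useful for checking which known-good client addresses a list like this would drop before it is applied. The trailing `permit ip any any` is an assumption (the posted list shows only deny lines, and an IOS access list ends with an implicit deny); the function names are hypothetical.

```python
import ipaddress

# Excerpt of the entries posted above. The final permit is an ASSUMPTION added
# for this example: the posted list shows only deny lines.
ACL_TEXT = """\
remark Block traffic from International Networks and invalid networks
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 62.0.0.0 0.255.255.255 any
deny ip 223.0.0.0 0.255.255.255 any
permit ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Parse '<permit|deny> ip <source> any' lines into (action, base, wildcard)."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            raise ValueError(f"unsupported entry: {line!r}")
        if tok[2] == "any":                      # any = 0.0.0.0 255.255.255.255
            base, wild, rest = 0, 0xFFFFFFFF, tok[3:]
        elif tok[2] == "host":                   # host A = A 0.0.0.0
            base, wild, rest = _ip(tok[3]), 0, tok[4:]
        else:                                    # address followed by wildcard mask
            base, wild, rest = _ip(tok[2]), _ip(tok[3]), tok[4:]
        if rest != ["any"]:
            raise ValueError(f"only destination 'any' is handled: {line!r}")
        entries.append((tok[0], base, wild))
    return entries

def evaluate(entries, src):
    """Return (action, entry number). First match wins; no match is the implicit deny."""
    addr = _ip(src)
    for number, (action, base, wild) in enumerate(entries, 1):
        care = ~wild & 0xFFFFFFFF                # wildcard 1-bits are "don't care"
        if addr & care == base & care:
            return action, number
    return "deny", None

def lockout_report(entries, known_clients):
    """Known-good client addresses that this ACL would drop."""
    return [c for c in known_clients if evaluate(entries, c)[0] == "deny"]
```

Calling `lockout_report` with the addresses users actually connect from shows who would be locked out; evaluating against the list without the assumed final permit returns the implicit deny for every source.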
ASKER
Accurate answer, just not the answer I wanted... and frankly Microsoft, not the answer I should have to accept.
What you can use is a VPN, or you can implement an RDP/SSH combo.
http://www.softwaresecretweapons.com/jspwiki/windowsremotedesktopoverssh