ts for remote admin, secure?

[ol jeb]

i was wondering what other people think about using ts in win2k for remote administration. how secure do you think it is? i know you can set the encryption level to 128bit, but is that all that can be done, should/could any other steps be taken to make it more secure?

thoughts anyone?

[Highlander]

ts ???? Can you be more specific ???

[ol jeb]

yes, sorry. terminal services (aka - ts)

[paldie]

Terminal Services... As far as secure. What do you mean secure you mean opening TCP port 3389 through your firewall so you can connect to the server to remotely administrate it.. Well, think about it, you are opening a port on your firewall that allows traffic. It is as secure as that server at that point, because anyone who is able to port scan and detect the open port will be able to go to a logon prompt. Now if you have an external router where you have control over access list you can allow only port 3389 from a specific external IP address for added security..... How secure do you need to be it the question...

[ol jeb]

well, i was vague with my question and i apologize. let me try to redeem myself here.

i am well aware of opening the port on the firewall, and exposing that port to the meanies. i am more interested in the security of the actual connection, meaning is my session safe? can someone intercept my remote session and say for example capture usernames/passwords that i may be setting up, that's really what i am curious about?

[paldie]

Ahhh... much different question... IF you are running encryption the the sessions is encrypted and is secured. This is from Q232514

Terminal Services supports three levels of encryption: low, medium, and high.

Low Encryption

This level secures the user logon information and data sent to the server, but not the data sent from the server to the client. This encryption level is recommended for use when the network is secure.


Medium Encryption (Default Level)

This level encrypts the data transmission in both directions. This encryption level is recommended for use when the network is not secure, and outside North America.

NOTE : If you connect to a Windows 2000 server running Terminal Services set for Low or Medium encryption levels and use version 4.0 of the Terminal Server client, your data is encrypted using a 40-bit key. If you are using version 5 of the Terminal Server client, your data is encrypted with a 56 bit-key.


High Encryption

This level encrypts the data transmission in both directions using a 128-bit key. This encryption level is recommended for use when the network is not secure, and within North America.

[ol jeb]

m$ says that:

All levels use the standard RSA RC4 enyryption.

but we all know how bill & Co. like to *bend* the standards somewhat. i was wondering if anyone had heard m$ changing anything in the implementation in win2k. if so, then maybe my session data was at risk.

so far, terminal services in remote admin mode has been great. saved my company some money, since we didn't have to buy pcanywhere. (and i find winVNC kinda clunky, just my 2 cents though)

[paldie]

hate vnc and pcanywhere both we are using TS and RAdmin where needed

[ol jeb]

haven't tried RAdmin. how is it compared to windows TS?

[paldie]

RAdmin is made by Famatech http://www.radmin.com/ and I think there is a demo available. It has gotten great reviews is it small and fast remote control the runs as an NT service and can use NT security for authenication.. I like it but peoples tastes are different. I use it for remote control of NT 4 server still on my Net and for client controll... I use TS an all W2K servers. I am actually use the Remote Desktop Client (can be found on the XP Pro CD) on my W2K Pro Workstation to logon to the W2K for Remote Administration. There is also a TS Snap in for MMC with is really nice bacause you can have multiple server logged in and bounce back and forth within the MMC...