Securing Terminal Services
Results 1 to 10 of 10

Thread: Securing Terminal Services

  1. #1

    Securing Terminal Services

    We're currently using a means of remote access to our network that is dangerously insecure, I'm afraid. I could definitely use some advice on how to resolve this.

    Presently, we have two Windows 2000 terminal servers on our network. Every user can log into these terminal servers remotely via a terminal services connection through the Internet. All that's needed is the IP address of the terminal server and the user name and password.

    From what I've been told, someone could intercept data moving between the remote user and the terminal server.

    One solution that has been suggested is that we set up a VPN so that the WAN connection to the terminal server is tunneled and thus the data, even if interecepted, would be unintelligible.

    That being the case, could you guys recommend either
    (1) What you think the best VPN solution might be for these remotely accessed terminal servers, or
    (2) What other solutions might be better than a VPN.

    Thanks!

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    You can use the built in IPsec VPN MS has...Have a server to authenticate the vpn connection...then route to the terminal servers

    Or there are VPN devices...which are on each end...so the servers have on...and all users have one.

    Guess it depends on your budget???

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    That's the fun thing -- There is no "budget" per se, it's just a matter of how much I can talk my boss into spending. Heck, if I could get them to just give me a budget, I'd be blazing trails by now!

    Never heard of that MS VPN, I'll have to google that and do some research on it. What's your opinion of its quality?

  4. #4
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    You want to google Point-to-Point Tunneling Protocol (PPTP). It's not really IPSec, but Microsofts own version of a VPN.

    [edit]
    You might want to read this article, it does a fairly good job in describing PPTP and also it's weaknesses

    http://www.windowsitpro.com/Windows/...88/pg/2/2.html

    [/edit]
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  5. #5
    Member
    Join Date
    Oct 2005
    Posts
    39
    I thought that VPN services were used to securely connect 2 or more "sites" or LAN's (offices, locations)

    For terminal access openssh should be sufficient. Or telnet tuneled through SSL or or cryptcat.

    http://www.openssh.com/
    UNIX IS user friendly, it\'s just very choosy about who it calls a friend.

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well yeah...you can us it to connect sites...or remote users

    MS has the new IPsec vpn...which is supposed to be more secure. Older clients still have to use the pptp though to connect

    Have been using vpns for years...no issues

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    From what I read, OpenSSH is Unix/Linux only though. Is there a Windows compatible alternative that you recommend?

  8. #8
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    Did not realize that Morgan, thanks for the update. I'm more a Unix person and wasn't aware they actually implemented IPSec.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  9. #9
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    That sounds like the problem I had when I came in here... Terminal Services open to the world... I just went into routing and remote access and setup a VPN.

    I think that the openSSH solution is too complex if you have non-IT people using it... It's too complex compared to the VPN solution in any case...

    With things like TSGrinder (and subsequently other tools such as ProbeTS and TSEnum from the same site)... having TS open to the world is scary... I do it with my home system and sometimes that worries me.

    Available From: http://www.hammerofgod.com/download.htm
    TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.
    TSGringer is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.
    Note that the tool requires the Microsoft Simulated Terminal Server Client tool, "roboclient," which may be found here:
    ftp://ftp.microsoft.com/ResKit/win2000/roboclient.zip

    There are still a couple of bugs we are working out- for instance, we've got a problem with using "l337" conversion with more than 2 threads open. There have also been requests to support standard brute-force-via-character-iteration attacks, and we will get to this when we can. In the meantime, enjoy the tool, and let me know how it works for you.
    For those interested in the Blackhat presentation Ryan Russell and I made in Vegas, you can find that here:
    ttp://www.blackhat.com/presentations/bh-usa-03/bh-us-03-mullen.pdf

    Go nuts!

    While it's not the end-all.. for a quick, low cost, easy to implement solution is to go into routing and remote access and quickly enable VPN... Takes less than 2 minutes.. but makes you feel much better.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  10. #10
    Ok, got an update on this issue. I'm looking at a couple of options.

    We use a company by the name of TelCove for our T1 line, and they just started a new VPN service. It looks impressive and sufficient for our needs -- everything going between our servers and remote users would pass through TelCove's VPN, managed by their staff 24/7. Between $400-500/month, we could make use of this service pretty easily. Here's a short description of their service.

    On the other hand, we're also looking at upgrading our current W2k network to Windows 2003. I've been told that Windows 2003 terminal services has built in encryption. If this is the case, would that then be sufficient enough security wise? Should we just upgrade to 2003 and forego the VPN route?

    Let me know what you think and what you know about these two possible solutions. I want to make sure we have the best security that is both effective and practical.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •