Securing Terminal Services

[AngelicKnight]

We're currently using a means of remote access to our network that is dangerously insecure, I'm afraid. I could definitely use some advice on how to resolve this.

Presently, we have two Windows 2000 terminal servers on our network. Every user can log into these terminal servers remotely via a terminal services connection through the Internet. All that's needed is the IP address of the terminal server and the user name and password.

From what I've been told, someone could intercept data moving between the remote user and the terminal server.

One solution that has been suggested is that we set up a VPN so that the WAN connection to the terminal server is tunneled and thus the data, even if interecepted, would be unintelligible.

That being the case, could you guys recommend either
(1) What you think the best VPN solution might be for these remotely accessed terminal servers, or
(2) What other solutions might be better than a VPN.

Thanks!

[morganlefay]

You can use the built in IPsec VPN MS has...Have a server to authenticate the vpn connection...then route to the terminal servers

Or there are VPN devices...which are on each end...so the servers have on...and all users have one.

Guess it depends on your budget???

MLF

[AngelicKnight]

That's the fun thing -- There is no "budget" per se, it's just a matter of how much I can talk my boss into spending. Heck, if I could get them to just give me a budget, I'd be blazing trails by now!

Never heard of that MS VPN, I'll have to google that and do some research on it. What's your opinion of its quality?

[Opus00]

You want to google Point-to-Point Tunneling Protocol (PPTP). It's not really IPSec, but Microsofts own version of a VPN.

[edit]
You might want to read this article, it does a fairly good job in describing PPTP and also it's weaknesses

http://www.windowsitpro.com/Windows/...88/pg/2/2.html

[/edit]

[Kosmograd]

I thought that VPN services were used to securely connect 2 or more "sites" or LAN's (offices, locations)

For terminal access openssh should be sufficient. Or telnet tuneled through SSL or or cryptcat.

http://www.openssh.com/

[morganlefay]

Well yeah...you can us it to connect sites...or remote users

MS has the new IPsec vpn...which is supposed to be more secure. Older clients still have to use the pptp though to connect

Have been using vpns for years...no issues

MLF

[AngelicKnight]

From what I read, OpenSSH is Unix/Linux only though. Is there a Windows compatible alternative that you recommend?

[Opus00]

Did not realize that Morgan, thanks for the update. I'm more a Unix person and wasn't aware they actually implemented IPSec.

[HTRegz]

Hey Hey,

That sounds like the problem I had when I came in here... Terminal Services open to the world... I just went into routing and remote access and setup a VPN.

I think that the openSSH solution is too complex if you have non-IT people using it... It's too complex compared to the VPN solution in any case...

With things like TSGrinder (and subsequently other tools such as ProbeTS and TSEnum from the same site)... having TS open to the world is scary... I do it with my home system and sometimes that worries me.

Available From: http://www.hammerofgod.com/download.htm

TSGrinder is the first production Terminal Server brute force tool, and is now in release 2. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts.
TSGringer is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection.
Note that the tool requires the Microsoft Simulated Terminal Server Client tool, "roboclient," which may be found here:
ftp://ftp.microsoft.com/ResKit/win2000/roboclient.zip

There are still a couple of bugs we are working out- for instance, we've got a problem with using "l337" conversion with more than 2 threads open. There have also been requests to support standard brute-force-via-character-iteration attacks, and we will get to this when we can. In the meantime, enjoy the tool, and let me know how it works for you.
For those interested in the Blackhat presentation Ryan Russell and I made in Vegas, you can find that here:
ttp://www.blackhat.com/presentations/bh-usa-03/bh-us-03-mullen.pdf

Go nuts!

While it's not the end-all.. for a quick, low cost, easy to implement solution is to go into routing and remote access and quickly enable VPN... Takes less than 2 minutes.. but makes you feel much better.

Peace,
HT

[AngelicKnight]

Ok, got an update on this issue. I'm looking at a couple of options.

We use a company by the name of TelCove for our T1 line, and they just started a new VPN service. It looks impressive and sufficient for our needs -- everything going between our servers and remote users would pass through TelCove's VPN, managed by their staff 24/7. Between $400-500/month, we could make use of this service pretty easily. Here's a short description of their service.

On the other hand, we're also looking at upgrading our current W2k network to Windows 2003. I've been told that Windows 2003 terminal services has built in encryption. If this is the case, would that then be sufficient enough security wise? Should we just upgrade to 2003 and forego the VPN route?

Let me know what you think and what you know about these two possible solutions. I want to make sure we have the best security that is both effective and practical.