Announcement

Collapse
No announcement yet.

Is Terminal Server Safe?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Is Terminal Server Safe?

    Is Terminal Server in Application mode running on Windows 2003 SP-1 secure over the Internet? I am using the "High" encription level and the server is current with all patches from Microsoft. It has a Nat'ed IP address.

    Thanks in advance.

  • #2
    Re: Is Terminal Server Safe?

    Well... When you say "secure" - what you mean? What are the threats? What you need to secure? etc.
    This the basic step in any security plan...
    Best Regards,

    Yuval Sinay

    LinkedIn: https://www.linkedin.com/in/yuval14, Blog: http://blogs.microsoft.co.il/blogs/yuval14

    Comment


    • #3
      Re: Is Terminal Server Safe?

      ye, define "secure", I hope you have a VPN.
      MCP, MCSA+messaging, MCDBA, OCA.

      Comment


      • #4
        Re: Is Terminal Server Safe?

        Certainly VPN is best.

        BUT, I believe there is a certain level of security on RDP / Remote Desktop Connection that makes it workable "as-is"

        See these two threads:

        http://forums.petri.com/showthread.php?t=13456

        http://forums.petri.com/showthread.php?t=13185

        Maybe we can get PaulH to jump in as he has done the first sniffer test on this I've seen.
        Last edited by rvalstar; 19th March 2007, 21:44. Reason: typo
        Cheers,

        Rick

        ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

        2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

        Comment


        • #5
          Re: Is Terminal Server Safe?

          I did a network sniffer test to see if I could "read" the username or password in the packets that were sent over an RDP session. Usually, I have been careful to join the VPN first, then use Terminal Services Client (or RDP) to a local IP address. Recently, I have been trying to find out if it is secure.

          As the other guys are saying, it all depends on how secure is "secure".

          For my end users, I would say that you should get them to join the VPN. But for occasional remote administration use, I am happy to port forward 3389 and use RDP without joining the VPN first. That is because my packet sniffer tests showed no username or password in clear text at all, and the documentation from MS (although it goes all around the houses) does indicate to me that by default, encryption is now ON in recent implementations of RDP.

          So do let us know about what you intend to use TS for, although having said that, once it is setup it's uses may change in the future.

          Best wishes,
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

          Comment


          • #6
            Re: Is Terminal Server Safe?

            Thanks for the valuable input Paul. Makes it all the more real in this world or PowerPoint slide decks.

            As I recall in an earlier thread, you mentioned seeing the clear text username. Has you position on that changed or did I misread (likely) the earlier thread?

            Also, did you use ethereal or another sniffer so we all can (not me, mind you) see this for ourselves?
            Cheers,

            Rick

            ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

            2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

            Comment


            • #7
              Re: Is Terminal Server Safe?

              Nope, you're right: I thought I'd seen it but it came out that it was in the packets for another reason, unrelated to my RDP session.

              I had a whole bunch of packets to look through, and I didn't start a new session when I did the search. My username came up as a result of an earlier (unrelated) network thing. When I cleared the cache, and started with a clean sheet, I could verify that neither the username nor the password was visible in the network packets.

              I should have edited my other post to make that clearer. I had to carry out the sniff several times to make sure, and I wanted to know what other data was clear text also. There wasn't any.

              Anyway, I used Wireshark, which used to be Ethereal, which (once I'd got the hang of clearing out the session ! ) was pretty easy to use. But I'm no hacker, so I am sure there are some clever guys out there who could tap into your RDP session, so for real secure requirements, I'd still say join the VPN first.
              Best wishes,
              PaulH.
              MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

              Comment


              • #8
                Re: Is Terminal Server Safe?

                Do look at this:

                http://en.wikipedia.org/wiki/Remote_Desktop_Protocol

                and man-in-the-middle issues as I believe this article supports all of our contentions that RDP over VPN (or HTTPS) is best. For RDP over HTTPS, see this:

                http://support.microsoft.com/kb/925876

                It mentions a "TS Gateway server" or "Terminal Server Gateway" which could be an alternative to secure VPN for RDP (also called RDC or TSC).

                Unfortunately, I have no knowledge in this area so setting this up is a mystery to me.
                Cheers,

                Rick

                ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

                2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

                Comment


                • #9
                  Re: Is Terminal Server Safe?

                  Yep, good Wiki article, Rick.

                  I'd better mention another thing that I do just for completeness - I port forward 3389 as mentioned to avoid having to setup a VPN if I'm just administering a SOHO server, then I login as a domain user who is also a member of the remote desktop users group. Then whenever I want to run anything, usually the MMC, I runas administrator.

                  I don't know if this improves security on the network traffic side of things but I feel it's best.

                  So on balance, for occasional admin use: RDP is encrypted by default and so fairly safe. For day-to-day Temrinal Server use, it would be best to have them join the VPN.
                  Best wishes,
                  PaulH.
                  MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

                  Comment


                  • #10
                    Re: Is Terminal Server Safe?

                    I can only add that a guy working with me did at his previous job some tests, that revealed that:
                    - the RDP5.2 protocol does encrypt the credentials, but with the proper tool, they were recoverable;
                    - the new client, RDP6.0, does encrypt the credentials too, and they weren't able to break the key. This is, after all, only a matter of time.

                    No VPN was used during the tests.

                    Sorin Solomon


                    In order to succeed, your desire for success should be greater than your fear of failure.
                    -

                    Comment


                    • #11
                      Re: Is Terminal Server Safe?

                      Thanks guys, I appricate the help.

                      BS

                      Comment

                      Working...
                      X