Terminal Server Security - PowerPoint PPT Presentation

1 / 42
About This Presentation
Title:

Terminal Server Security

Description:

Windows Anywhere ... Remote 'experience' turns off wallpaper, visual styles, etc., depending on network connection ... on all Windows Server 2003 platforms, ... – PowerPoint PPT presentation

Number of Views:34
Avg rating:3.0/5.0
Slides: 43
Provided by: ilin2
Category:

less

Transcript and Presenter's Notes

Title: Terminal Server Security


1
Terminal Server Security
  • Marcus Murray

2
Innehåll
  • Windows Server 2003 Terminal Services
  • Utmaning säkerhetsmässigt
  • Kända hot mot Terminal Server
  • Nedlåsning av en Terminalserver
  • Nätverksarkitektur för att säkra Access till TS

3
Windows Server 2003 Terminal Services
4
Benefits of Terminal Server
5
Client-Side Features
  • Remote Desktop Protocol (RDP) v 5.2
  • Full client included with Windows XP
  • Full (.MSI), MMC and Web (ActiveX) downloads
  • No separate Connection Manager
  • Automatic reconnects
  • Client resource redirection features
  • Resource redirection
  • Slow link performance optimizations

6
Client-Side Features (continued)
  • Remote Desktop Web Connection
  • Remote Desktops Administration Tool

7
Client-Side Features (continued)
  • Specify Computer, User name, Password, and Domain
  • Save settings

8
Client-Side Features (continued)
  • From 256 color to True Color (24 bit)
  • Resolution to 1600 x 1200
  • Full screen capabilities

9
Client-Side Features (continued)
  • Audio output
  • Windows key combos
  • Disk drives and printers (local and network)
  • Serial devices
  • Smart card
  • Time Zone
  • Clipboard (files)

10
Client-Side Features (continued)
  • Launch entire desktop or specific application

11
Client-Side Features (continued)
  • Network and Performance Improvements
  • Increased network bandwidth savings over RDP 5.0
  • Remote experience turns off wallpaper, visual
    styles, etc., depending on network connection
  • Auto-reconnect
  • 128-bit bidirectional encryption
  • Backward compatible with RDP 5.0 and RDP 4.0

12
Server-Side Features
  • Remote Desktop for Administration provides
    Console redirectioncan now connect to console
    session
  • SERVERNAME /console or mstsc.exe /console
  • Can establish two connections plus one console
    connection
  • Can use Remote Assistance to share a session
    between administrators
  • At console, session is lockedshows user who
    connected to console as user who locked the
    console
  • Remote Desktops Administration Tool

13
Server-Side Features (continued)
  • Installed by default on all Windows Server 2003
    platforms, but not enabled
  • Modify in System properties, Remote tab
  • Can also enable/disable via Windows Management
    Instrumentation (WMI) or Windows Management
    Instrumentation Command (WMIC)
  • RDToggle

14
Server-Side Features (continued)
  • Terminal Server mode, formerly Terminal Server
    Application mode
  • Can install Terminal Server in Add/Remove
    Programs or Manage Your Server
  • Can also install during unattended installation

15
Server-Side Features (continued)
  • Security Features
  • Remote Desktop Users Group
  • Security Policy Editor
  • 128-Bit Encryption
  • FIPS Compliance
  • Software Restriction Policies
  • License Server Security Group
  • Remote Connection Permissions
  • Smart Card support

16
Utmaning säkerhetsmässigt
  • Användarna skall kunna exekvera kod direkt på en
    server
  • Tillgänglighet från externa nätverk (internet)

17
Terminal Server ur en hackers perspektiv
  • Hitta TS.
  • Om publikt publicerade -Sökbara via intenet
  • Bryta sig in i TS
  • Password attack ex. TSGrinder
  • Password kan extraheras ur Rdp filer.
  • Root
  • Hitta kommandotolk, accessa drivar, eskalera priv
    - Lokala exploits

18
Söka efter Terminal servrar på Google
  • /Tsweb/default.htm
  • Tsweb siteSe
  • /Rdp
  • Remote Desktop Web Connection
  • "Send logon information for this connection"

19
Extrahera lösenord ur RDP-filer med Cain
20
Securing a Terminal Server
  • Step by step

21
Whitepapers
  • Windows Server 2003 Terminal Server Security
  • Published February 24. 2004
  • Locking Down Windows Server 2003 Terminal Server
    Sessions
  • Published July, 2003

22
TS installation
23
During installation, choose the Full Security
Option
24
Use Group Policy to lock down your terminal
servers and client computers
  • Whitepaper
  • Locking Down Windows Server 2003 Terminal Server
    Sessions

25
Use the highest level of encryption your
organization can support
  • Low (56-bit)
  • Client Compatible
  • FIPS Compliant (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
  • High (128 bit)

26
Use the Remote Desktop Users group to grant
access to end-users
27
Using Software Restriction Policies to Protect
Against Unauthorized Software
28
Use Secure Configuration Settings for your RDP
Connections
29
Enable the Internet Connection Firewall
30
Use strong passwords throughout your organization
31
Keep virus scanners up to date
32
Keep all software patches up to date
33
Use encryption to secure connections using Remote
Desktop Web Connection
  • Protection from TS spoofing
  • SSL does not protect rdp traffic, (yet)

34
Do not install Terminal Server on a Domain
Controller
35
-- Enhanced Security Options --
36
Consider Using a Firewall
37
Use Restricted groups policy to manage the Remote
Desktops User Group at the domain or OU level
38
Mer info
  • Whitepapers
  • Windows Server 2003 Terminal Server Security
  • Published February 24. 2004
  • Locking Down Windows Server 2003 Terminal Server
    Sessions
  • Published July, 2003

39
Consider Using Smart Cards for Strong
Authentication
40
Consider Using a VPN tunnel to Secure Terminal
Services connections over the Internet
41
Consider Using IPSec Policy to Secure Terminal
Server Communications over your network
42
Slut ?
Write a Comment
User Comments (0)
About PowerShow.com