Title: Terminal Server Security
1. Terminal Server Security
2. Contents
- Windows Server 2003 Terminal Services
- The security challenge
- Known threats against Terminal Server
- Locking down a Terminal Server
- Network architecture for securing access to TS
3. Windows Server 2003 Terminal Services
4. Benefits of Terminal Server
5. Client-Side Features
- Remote Desktop Protocol (RDP) v 5.2
- Full client included with Windows XP
- Full (.MSI), MMC and Web (ActiveX) downloads
- No separate Connection Manager
- Automatic reconnects
- Client resource redirection features
- Resource redirection
- Slow link performance optimizations
6. Client-Side Features (continued)
- Remote Desktop Web Connection
- Remote Desktops Administration Tool
7. Client-Side Features (continued)
- Specify Computer, User name, Password, and Domain
- Save settings
8. Client-Side Features (continued)
- From 256 color to True Color (24 bit)
- Resolution to 1600 x 1200
- Full screen capabilities
9. Client-Side Features (continued)
- Audio output
- Windows key combos
- Disk drives and printers (local and network)
- Serial devices
- Smart card
- Time Zone
- Clipboard (files)
10. Client-Side Features (continued)
- Launch entire desktop or specific application
11. Client-Side Features (continued)
- Network and Performance Improvements
- Increased network bandwidth savings over RDP 5.0
- Remote experience turns off wallpaper, visual styles, etc., depending on network connection
- Auto-reconnect
- 128-bit bidirectional encryption
- Backward compatible with RDP 5.0 and RDP 4.0
12. Server-Side Features
- Remote Desktop for Administration provides console redirection: can now connect to console session
- SERVERNAME /console or mstsc.exe /console
- Can establish two connections plus one console connection
- Can use Remote Assistance to share a session between administrators
- At console, session is locked: shows user who connected to console as user who locked the console
- Remote Desktops Administration Tool
13. Server-Side Features (continued)
- Installed by default on all Windows Server 2003 platforms, but not enabled
- Modify in System properties, Remote tab
- Can also enable/disable via Windows Management Instrumentation (WMI) or Windows Management Instrumentation Command (WMIC)
- RDToggle
14. Server-Side Features (continued)
- Terminal Server mode, formerly Terminal Server Application mode
- Can install Terminal Server in Add/Remove Programs or Manage Your Server
- Can also install during unattended installation
15. Server-Side Features (continued)
- Security Features
- Remote Desktop Users Group
- Security Policy Editor
- 128-Bit Encryption
- FIPS Compliance
- Software Restriction Policies
- License Server Security Group
- Remote Connection Permissions
- Smart Card support
16. The security challenge
- Users must be able to execute code directly on a server
- Availability from external networks (the Internet)
17. Terminal Server from a hacker's perspective
- Find the TS.
- If publicly published: searchable via the Internet
- Break into the TS
- Password attack, e.g. TSGrinder
- Passwords can be extracted from RDP files.
- Root
- Find a command prompt, access drives, escalate privileges
- Local exploits
18. Searching for Terminal Servers on Google
- /Tsweb/default.htm
- Tsweb siteSe
- /Rdp
- Remote Desktop Web Connection
- "Send logon information for this connection"
19. Extracting passwords from RDP files with Cain
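Because a saved password travels with the .rdp file, a defender can sweep user profiles and file shares for such files. The following is an added example, not part of the original deck: it parses the `name:type:value` lines of an .rdp file and flags a saved `password 51` entry and any enabled client resource redirection. The sample file, host name and blob value are constructed placeholders.

```python
import codecs
import sys
from pathlib import Path

# Redirection switches that map local client resources into the session.
REDIRECTS = ("redirectdrives", "redirectprinters",
             "redirectcomports", "redirectsmartcards")

def decode_rdp(raw):
    """mstsc writes UTF-16 with a BOM; hand-edited files may be 8-bit text."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_rdp(text):
    """Parse 'name:type:value' lines; the value may itself contain colons."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings

def audit_rdp(raw):
    """Return the list of findings for one .rdp file given as bytes."""
    settings = parse_rdp(decode_rdp(raw))
    findings = []
    if settings.get("password 51", ("b", ""))[1]:
        findings.append("saved-password")
    for key in REDIRECTS:
        if settings.get(key) == ("i", "1"):
            findings.append(key)
    return findings

def audit_tree(root):
    """Audit every *.rdp file below root; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*.rdp"):
        found = audit_rdp(path.read_bytes())
        if found:
            report[str(path)] = found
    return report

# Constructed sample file (host name and blob value are placeholders).
SAMPLE = ("full address:s:ts01.example.test\r\n"
          "username:s:alice\r\n"
          "password 51:b:DEADBEEF00\r\n"
          "redirectdrives:i:1\r\n"
          "redirectprinters:i:0\r\n").encode("utf-16")

if __name__ == "__main__":
    print(audit_rdp(SAMPLE))
    print(audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Files that report `saved-password` are candidates for re-saving without credentials.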
20. Securing a Terminal Server
21. Whitepapers
- Windows Server 2003 Terminal Server Security
- Published February 24, 2004
- Locking Down Windows Server 2003 Terminal Server Sessions
- Published July, 2003
22. TS installation
23. During installation, choose the Full Security Option
24. Use Group Policy to lock down your terminal servers and client computers
- Whitepaper
- Locking Down Windows Server 2003 Terminal Server Sessions
25. Use the highest level of encryption your organization can support
- Low (56-bit)
- Client Compatible
- FIPS Compliant (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
- High (128 bit)
26. Use the Remote Desktop Users group to grant access to end-users
27. Using Software Restriction Policies to Protect Against Unauthorized Software
28. Use Secure Configuration Settings for your RDP Connections
29. Enable the Internet Connection Firewall
30. Use strong passwords throughout your organization
31. Keep virus scanners up to date
32. Keep all software patches up to date
33. Use encryption to secure connections using Remote Desktop Web Connection
- Protection from TS spoofing
- SSL does not protect RDP traffic (yet)
34. Do not install Terminal Server on a Domain Controller
35. -- Enhanced Security Options --
36. Consider Using a Firewall
37. Use Restricted Groups policy to manage the Remote Desktop Users group at the domain or OU level
38. More info
- Whitepapers
- Windows Server 2003 Terminal Server Security
- Published February 24, 2004
- Locking Down Windows Server 2003 Terminal Server Sessions
- Published July, 2003
39. Consider Using Smart Cards for Strong Authentication
40. Consider Using a VPN tunnel to Secure Terminal Services connections over the Internet
41. Consider Using IPSec Policy to Secure Terminal Server Communications over your network
42. The end?