Terminal Server Security - PowerPoint PPT Presentation
1 / 42
Title:
Terminal Server Security
Description:
Windows Anywhere ... Remote 'experience' turns off wallpaper, visual styles, etc., depending on network connection ... on all Windows Server 2003 platforms, ... – PowerPoint PPT presentation
Number of Views:34
Avg rating:3.0/5.0
Title: Terminal Server Security
1
Terminal Server Security
- Marcus Murray
2
Innehåll
- Windows Server 2003 Terminal Services
- Utmaning säkerhetsmässigt
- Kända hot mot Terminal Server
- Nedlåsning av en Terminalserver
- Nätverksarkitektur för att säkra Access till TS
3
Windows Server 2003 Terminal Services
4
Benefits of Terminal Server
5
Client-Side Features
- Remote Desktop Protocol (RDP) v 5.2
- Full client included with Windows XP
- Full (.MSI), MMC and Web (ActiveX) downloads
- No separate Connection Manager
- Automatic reconnects
- Client resource redirection features
- Resource redirection
- Slow link performance optimizations
6
Client-Side Features (continued)
- Remote Desktop Web Connection
- Remote Desktops Administration Tool
7
Client-Side Features (continued)
- Specify Computer, User name, Password, and Domain
- Save settings
8
Client-Side Features (continued)
- From 256 color to True Color (24 bit)
- Resolution to 1600 x 1200
- Full screen capabilities
9
Client-Side Features (continued)
- Audio output
- Windows key combos
- Disk drives and printers (local and network)
- Serial devices
- Smart card
- Time Zone
- Clipboard (files)
10
Client-Side Features (continued)
- Launch entire desktop or specific application
11
Client-Side Features (continued)
- Network and Performance Improvements
- Increased network bandwidth savings over RDP 5.0
- Remote experience turns off wallpaper, visual
styles, etc., depending on network connection - Auto-reconnect
- 128-bit bidirectional encryption
- Backward compatible with RDP 5.0 and RDP 4.0
12
Server-Side Features
- Remote Desktop for Administration provides
Console redirectioncan now connect to console
session - SERVERNAME /console or mstsc.exe /console
- Can establish two connections plus one console
connection - Can use Remote Assistance to share a session
between administrators - At console, session is lockedshows user who
connected to console as user who locked the
console - Remote Desktops Administration Tool
13
Server-Side Features (continued)
- Installed by default on all Windows Server 2003
platforms, but not enabled - Modify in System properties, Remote tab
- Can also enable/disable via Windows Management
Instrumentation (WMI) or Windows Management
Instrumentation Command (WMIC) - RDToggle
14
Server-Side Features (continued)
- Terminal Server mode, formerly Terminal Server
Application mode - Can install Terminal Server in Add/Remove
Programs or Manage Your Server - Can also install during unattended installation
15
Server-Side Features (continued)
- Security Features
- Remote Desktop Users Group
- Security Policy Editor
- 128-Bit Encryption
- FIPS Compliance
- Software Restriction Policies
- License Server Security Group
- Remote Connection Permissions
- Smart Card support
16
Utmaning säkerhetsmässigt
- Användarna skall kunna exekvera kod direkt på en
server - Tillgänglighet från externa nätverk (internet)
17
Terminal Server ur en hackers perspektiv
- Hitta TS.
- Om publikt publicerade -Sökbara via intenet
- Bryta sig in i TS
- Password attack ex. TSGrinder
- Password kan extraheras ur Rdp filer.
- Root
- Hitta kommandotolk, accessa drivar, eskalera priv
- Lokala exploits
18
Söka efter Terminal servrar på Google
- /Tsweb/default.htm
- Tsweb siteSe
- /Rdp
- Remote Desktop Web Connection
- "Send logon information for this connection"
19
Extrahera lösenord ur RDP-filer med Cain
20
Securing a Terminal Server
- Step by step
21
Whitepapers
- Windows Server 2003 Terminal Server Security
- Published February 24. 2004
- Locking Down Windows Server 2003 Terminal Server
Sessions - Published July, 2003
22
TS installation
23
During installation, choose the Full Security
Option
24
Use Group Policy to lock down your terminal
servers and client computers
- Whitepaper
- Locking Down Windows Server 2003 Terminal Server
Sessions
25
Use the highest level of encryption your
organization can support
- Low (56-bit)
- Client Compatible
- FIPS Compliant (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
- High (128 bit)
26
Use the Remote Desktop Users group to grant
access to end-users
27
Using Software Restriction Policies to Protect
Against Unauthorized Software
28
Use Secure Configuration Settings for your RDP
Connections
29
Enable the Internet Connection Firewall
30
Use strong passwords throughout your organization
31
Keep virus scanners up to date
32
Keep all software patches up to date
33
Use encryption to secure connections using Remote
Desktop Web Connection
- Protection from TS spoofing
- SSL does not protect rdp traffic, (yet)
34
Do not install Terminal Server on a Domain
Controller
35
-- Enhanced Security Options --
36
Consider Using a Firewall
37
Use Restricted groups policy to manage the Remote
Desktops User Group at the domain or OU level
38
Mer info
- Whitepapers
- Windows Server 2003 Terminal Server Security
- Published February 24. 2004
- Locking Down Windows Server 2003 Terminal Server
Sessions - Published July, 2003
39
Consider Using Smart Cards for Strong
Authentication
40
Consider Using a VPN tunnel to Secure Terminal
Services connections over the Internet
41
Consider Using IPSec Policy to Secure Terminal
Server Communications over your network
42
Slut ?
