TechNet Security Summit 2004: Terminal Server Security (Marcus Murray)


Page 1: 1.1. TechNet Security Summit 2004 Terminal Server Security Marcus Murray


Page 2: Contents

• Windows Server 2003 Terminal Services
• The security challenge
• Known threats against Terminal Server
• Locking down a terminal server
• Network architecture for securing access to TS

Page 3: Windows Server 2003 Terminal Services

Page 4: Benefits of Terminal Server

Benefit: Rapid, Centralized Deployment of Applications
Description: Terminal Server is great for rapidly deploying Windows-based applications to computing devices across an enterprise—especially applications that are frequently updated, infrequently used, or hard to manage. When an application is managed on Terminal Server, and not on each device, administrators can be certain that users are running the latest version of the application.

Benefit: Low-bandwidth Access to Data
Description: Terminal Server considerably reduces the amount of network bandwidth required to access data remotely. Using Terminal Server to run an application over bandwidth-constrained connections, such as dial-up or shared WAN links, is very effective for remotely accessing and manipulating large amounts of data because only a screen view of the data is transmitted, rather than the data itself.

Benefit: Windows Anywhere
Description: Terminal Server helps users become more productive by enabling access to current applications on any device—including under-powered hardware and desktop computers not running Microsoft® Windows®. And because Terminal Server lets you use Windows anywhere, you can take advantage of extra processing capabilities from newer, lighter-weight devices such as the Pocket PC.

Page 5: Client-Side Features

• Remote Desktop Protocol (RDP) v 5.2
• Full client included with Windows XP
• Full (.MSI), MMC and Web (ActiveX®) downloads
• No separate Connection Manager
• Automatic reconnects
• Client resource redirection features
• Resource redirection
• Slow link performance optimizations

Page 6: Client-Side Features (continued)

• Remote Desktop Web Connection
• Remote Desktops Administration Tool

Page 7: Client-Side Features (continued)

• Specify Computer, User name, Password, and Domain
• Save settings

Page 8: Client-Side Features (continued)

• From 256 color to True Color (24 bit)
• Resolution up to 1600 x 1200
• Full screen capabilities

Page 9: Client-Side Features (continued)

• Audio output
• Windows key combos
• Disk drives and printers (local and network)
• Serial devices
• Smart card
• Time Zone
• Clipboard (+files)

Page 10: Client-Side Features (continued)

• Launch entire desktop or specific application

Page 11: Client-Side Features (continued)

• Network and Performance Improvements
– Increased network bandwidth savings over RDP 5.0
– Remote “experience” turns off wallpaper, visual styles, etc., depending on network connection
– Auto-reconnect
– 128-bit bidirectional encryption
– Backward compatible with RDP 5.0 and RDP 4.0

Page 12: Server-Side Features

• Remote Desktop for Administration provides console redirection—can now connect to the console session
– “SERVERNAME /console” or “mstsc.exe /console”
– Can establish two connections plus one console connection
– Can use Remote Assistance to share a session between administrators
– At the console, the session is locked—shows the user who connected to the console as the user who locked the console
• Remote Desktops Administration Tool

Page 13: Server-Side Features (continued)

• Installed by default on all Windows Server 2003 platforms, but not enabled
– Modify in System Properties, Remote tab
– Can also enable/disable via Windows Management Instrumentation (WMI) or the Windows Management Instrumentation Command-line (WMIC)
• RDToggle

Page 14: Server-Side Features (continued)

• Terminal Server mode, formerly Terminal Server Application mode
– Can install Terminal Server in Add/Remove Programs or Manage Your Server
– Can also install during unattended installation

Page 15: Server-Side Features (continued)

• Security Features
– Remote Desktop Users group
– Security Policy Editor
– 128-Bit Encryption
– FIPS Compliance
– Software Restriction Policies
– License Server Security Group
– Remote Connection Permissions
– Smart Card support

Page 16: The security challenge

• Users must be able to execute code directly on a server
• Reachable from external networks (the Internet)

Page 17: Terminal Server from a hacker's perspective

• Find the TS
– If publicly published: searchable via the Internet
• Break into the TS
– Password attack, e.g. TSGrinder
– Passwords can be extracted from RDP files
• Root
– Find a command shell, access drives, escalate privileges: local exploits

Page 18: Searching for terminal servers on Google

• /Tsweb/default.htm
• Tsweb site:Se
• /Rdp
• “Remote Desktop Web Connection”
• "Send logon information for this connection"

Page 19: Extracting passwords from RDP files with Cain

Page 20: Securing a Terminal Server

• Step by step

Page 21: Whitepapers

• Windows Server 2003 Terminal Server Security
– Published: February 24, 2004
• Locking Down Windows Server 2003 Terminal Server Sessions
– Published: July 2003

Page 22: TS installation

Page 23: During installation, choose the Full Security option

Page 24: Use Group Policy to lock down your terminal servers and client computers

• Whitepaper: Locking Down Windows Server 2003 Terminal Server Sessions

Page 25: Use the highest level of encryption your organization can support

• Low (56-bit)
• Client Compatible
• FIPS Compliant (TLS_RSA_WITH_3DES_EDE_CBC_SHA)
• High (128-bit)
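An added example, not part of the presentation, tying together the WMI/WMIC remark on the "Server-Side Features" slide and the encryption levels listed above: a PowerShell audit script that reads whether Remote Desktop is enabled and which minimum encryption level the RDP-Tcp listener enforces, and can raise it to High. The class, property and method names (Win32_TerminalServiceSetting, Win32_TSGeneralSetting, SetEncryptionLevel) come from the Terminal Services WMI provider rather than from the slides, and the listener name RDP-Tcp, `$ComputerName` and `$EnforceHigh` are this example's own assumptions.

```powershell
# Added example (not from the slides): audit, and optionally raise, the RDP
# minimum encryption level of a terminal server through the Terminal Services
# WMI provider in root\cimv2\TerminalServices (Windows Server 2003 and later).
# Assumes administrative rights on the target and the default listener name RDP-Tcp.
param(
    [string]$ComputerName = ".",   # "." = the local machine
    [switch]$EnforceHigh           # raise anything below High (3) to High
)

$ns = "root\cimv2\TerminalServices"

# MinEncryptionLevel values, matching the levels on the slide:
# 1 = Low (56-bit), 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS Compliant
$levelNames = @{ 1 = "Low (56-bit)"; 2 = "Client Compatible"; 3 = "High (128-bit)"; 4 = "FIPS Compliant" }

$svc = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting -ComputerName $ComputerName
$rdp = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -ComputerName $ComputerName `
       -Filter "TerminalName='RDP-Tcp'"

# AllowTSConnections: 1 = Remote Desktop enabled, 0 = disabled (the System Properties "Remote" tab setting)
# TerminalServerMode: 0 = Remote Desktop for Administration, 1 = Terminal Server (application) mode
$enabled = if ($svc.AllowTSConnections -eq 1) { "ENABLED" } else { "disabled" }
$mode = if ($svc.TerminalServerMode -eq 1) { "Terminal Server mode" } else { "Remote Desktop for Administration" }
Write-Host ("{0}: Remote Desktop {1}, {2}" -f $ComputerName, $enabled, $mode)

$level = [int]$rdp.MinEncryptionLevel
Write-Host ("RDP-Tcp minimum encryption level: {0} ({1})" -f $level, $levelNames[$level])

if ($level -lt 3) {
    # Low and Client Compatible let a weak client negotiate less than 128-bit protection.
    Write-Warning "Minimum encryption level is below High; weaker clients will get weaker protection."
    if ($EnforceHigh) {
        # SetEncryptionLevel is the provider's method on Win32_TSGeneralSetting; ReturnValue 0 = success
        $result = $rdp.SetEncryptionLevel(3)
        if ($result.ReturnValue -eq 0) {
            Write-Host "Raised RDP-Tcp minimum encryption level to High (128-bit)."
        } else {
            Write-Warning ("SetEncryptionLevel failed with return code {0}" -f $result.ReturnValue)
        }
    }
}
```

Run it without `-EnforceHigh` first to inventory servers; a level of 1 or 2 on an Internet-reachable terminal server is the finding the slide is warning about.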

Page 26: Use the Remote Desktop Users group to grant access to end-users

Page 27: Using Software Restriction Policies to protect against unauthorized software

Page 28: Use secure configuration settings for your RDP connections

Page 29: Enable the Internet Connection Firewall

Page 30: Use strong passwords throughout your organization

Page 31: Keep virus scanners up to date

Page 32: Keep all software patches up to date

Page 33: Use encryption to secure connections using Remote Desktop Web Connection

• Protection from TS spoofing
• SSL does not protect the RDP traffic itself (yet)

Page 34: Do not install Terminal Server on a Domain Controller

Page 35: -- Enhanced Security Options --

Page 36: Consider using a firewall

Page 37: Use Restricted Groups policy to manage the Remote Desktop Users group at the domain or OU level

Page 38: More information

• Whitepapers:
– Windows Server 2003 Terminal Server Security (published February 24, 2004)
– Locking Down Windows Server 2003 Terminal Server Sessions (published July 2003)

Page 39: Consider using smart cards for strong authentication

Page 40: Consider using a VPN tunnel to secure Terminal Services connections over the Internet

Page 41: Consider using IPSec policy to secure Terminal Server communications over your network

Page 42: End