Remote Desktop SecurityRemote Desktop Security

Raghav Chawla, Jon UsseryRaghav Chawla, Jon Ussery

Group 20Group 20

What is Remote Desktop?What is Remote Desktop?

Remote administration softwareRemote administration software Ran on foreign host’s serverRan on foreign host’s server Displayed locallyDisplayed locally

MotivationMotivation

Very popular Very popular Increasingly mobile societyIncreasingly mobile society Need to access home/work PCsNeed to access home/work PCs Extremely vulnerableExtremely vulnerable Easy to exploit these vulnerabilitiesEasy to exploit these vulnerabilities Complete accessComplete access

How Does it Work?How Does it Work?

For Microsoft services:For Microsoft services: Terminal services allow user to access data Terminal services allow user to access data

and applications on a remote computerand applications on a remote computer Different than appstreaming, as Different than appstreaming, as

computations are processed on remote pccomputations are processed on remote pc

History (Microsoft software)History (Microsoft software)

Terminal services were introduced in Terminal services were introduced in Windows NT 4.0Windows NT 4.0

Vastly improved in Windows 2000Vastly improved in Windows 2000 Vista has new developments as wellVista has new developments as well

ClipboardClipboard AudioAudio

DifferencesDifferences

In client versions of Windows OS, In client versions of Windows OS, only one user can be logged in at a only one user can be logged in at a timetime

In the server version, concurrent In the server version, concurrent sessions are allowedsessions are allowed

Terminal Services provide for remote Terminal Services provide for remote software accesssoftware access

In ActionIn Action

Runs on port 3389Runs on port 3389 Includes ActiveX controlIncludes ActiveX control Winlogon.exe authenticates userWinlogon.exe authenticates user Keyboard and mouse inputs are transmitted via Keyboard and mouse inputs are transmitted via

TCP connectionTCP connection Virtual Channels Virtual Channels allow other devices to work allow other devices to work

(such as printers, audio, etc.)(such as printers, audio, etc.)

Some Software DistributionsSome Software Distributions

Microsoft Remote Desktop Microsoft Remote Desktop ConnectionConnection

RealVNCRealVNC TightVNCTightVNC Apple Remote Desktop (for Apple Apple Remote Desktop (for Apple

pc’s)pc’s) GoToMyPCGoToMyPC

Software ComparisonSoftware Comparison

The LabThe Lab

Hacking into remote desktopHacking into remote desktop Remotely Enabling remote desktopRemotely Enabling remote desktop Multiuser remote desktop hackMultiuser remote desktop hack Hacking through a firewallHacking through a firewall Security measuresSecurity measures

Hacking into Remote Hacking into Remote DesktopDesktop

Transferred WinVNC files on remote Transferred WinVNC files on remote pcpc

Used RegINI.exe to load data Used RegINI.exe to load data (password, socket connections) into (password, socket connections) into registryregistry

Installed VNC through command Installed VNC through command promptprompt

Enable Remote Desktop via Enable Remote Desktop via NetworkNetwork

Use Regedit to connect to the Use Regedit to connect to the Network registryNetwork registry

Find client machine on networkFind client machine on network

After a few registry edits, remote desktop After a few registry edits, remote desktop functionality will be availablefunctionality will be available

Multiuser Desktop HackMultiuser Desktop Hack

Boot Windows in safe modeBoot Windows in safe mode Changed terminal services settingsChanged terminal services settings Replaced termsrv.dll files with Replaced termsrv.dll files with

alternatealternate

Multiuser Hack (cont.)Multiuser Hack (cont.)

Changed some registry settingsChanged some registry settings

Finally, tweak Terminal Services settingsFinally, tweak Terminal Services settings

Hacking Through A FirewallHacking Through A Firewall

Useful if port 3389 is blockedUseful if port 3389 is blocked Used Putty to setup a tunnel for Used Putty to setup a tunnel for

accessing RDC Serveraccessing RDC Server

Security MeasuresSecurity Measures

Limit users who can log on remotelyLimit users who can log on remotely

Security Measures (cont.)Security Measures (cont.)

Set an account lockout policySet an account lockout policy

Security Measures (cont.)Security Measures (cont.)

Require passwords and at least 128-bit Require passwords and at least 128-bit encryptionencryption

Run - %SystemRoot%\system32\Run - %SystemRoot%\system32\gpedit.msc /sgpedit.msc /s

Security Measures (cont.)Security Measures (cont.)

Change the RDP port numberChange the RDP port number Edit registry as follows:Edit registry as follows:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal

Server\WinStations\RDP-TcpServer\WinStations\RDP-Tcp

Other ToolsOther Tools

Loopback!Loopback!

Any Questions?Any Questions?