Windows Remote Access

Similar documents
FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Network Access Security. Lesson 10

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak CR V4.1

Security. TestOut Modules

Guidance Regarding Skype and Other P2P VoIP Solutions

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Capture Link Server V1.00

RemotelyAnywhere. Security Considerations

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Topics in Network Security

Building A Secure Microsoft Exchange Continuity Appliance

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

7.1. Remote Access Connection

Medical Device Security Health Group Digital Output

Locking down a Hitachi ID Suite server

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DR V2.0

Penetration Testing Report Client: Business Solutions June 15 th 2015

SESSION 507 Thursday, March 26, 11:15 AM - 12:15 PM Track: Desktop Support

GFI White Paper PCI-DSS compliance and GFI Software products

California State Polytechnic University, Pomona. Desktop Security Standard and Guidelines

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Rapid Vulnerability Assessment Report

Network Security Guidelines. e-governance

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Did you know your security solution can help with PCI compliance too?

GTS Software Pty Ltd. Remote Desktop Services

Pension Benefit Guaranty Corporation. Office of Inspector General. Evaluation Report. Penetration Testing An Update

Global Partner Management Notice

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

March

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 8 Desktop and Server OS Vulnerabilities

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

A Decision Maker s Guide to Securing an IT Infrastructure

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

UNCLASSIFIED CPA SECURITY CHARACTERISTIC REMOTE DESKTOP. Version 1.0. Crown Copyright 2011 All Rights Reserved

Thick Client Application Security

Intro to Firewalls. Summary

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak DryView 8150 Imager Release 1.0.

Security Considerations for DirectAccess Deployments. Whitepaper

Protecting Microsoft Internet Information Services Web Servers with ISA Server 2004

Activity 1: Scanning with Windows Defender

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

SonicWALL PCI 1.1 Implementation Guide

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

74% 96 Action Items. Compliance

Common Cyber Threats. Common cyber threats include:

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6

Achieving PCI-Compliance through Cyberoam

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

GoToMyPC Corporate Advanced Firewall Support Features

Microsoft Security Bulletin MS Critical

Security Advice for Instances in the HP Cloud

Protecting Your Organisation from Targeted Cyber Intrusion

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

NETASQ & PCI DSS. Is NETASQ compatible with PCI DSS? NG Firewall version 9

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Medical Device Security Health Imaging Digital Capture. Security Assessment Report for the Kodak Medical Image Manager (MIM) Version 6.1.

How To Install Sedar On A Workstation

EAC Decision on Request for Interpretation (Operating System Configuration)

MCTS Guide to Microsoft Windows 7. Chapter 14 Remote Access

E-commerce Production Firewalls

Setting up VPN and Remote Desktop for Home Use

Domain 6.0: Network Security

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Endpoint Security VPN for Mac

CS5008: Internet Computing

Creating a VPN Using Windows 2003 Server and XP Professional

Compulink Advantage Online TM

IBM Managed Security Services Vulnerability Scanning:

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

INNOV-04 The SANS Top 20 Internet Security Vulnerabilities

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

How To Secure An Rsa Authentication Agent

Introduction of Intrusion Detection Systems

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

Industrial Security for Process Automation

External Authentication with Cisco VPN 3000 Concentrator Authenticating Users Using SecurAccess Server by SecurEnvoy

Security White Paper The Goverlan Solution

Section 12 MUST BE COMPLETED BY: 4/22

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

MS Terminal Server Cracking

Windows Operating Systems. Basic Security

Steelcape Product Overview and Functional Description

Chapter 4 Firewall Protection and Content Filtering

Security. Technical article

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

COORDINATED THREAT CONTROL

Global Knowledge MEA Remote Labs. Remote Lab Access Procedure

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

Microsoft Labs Online

Transcription:

Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that enables users to interface with another computer through a graphical interface. RDP is based on, and is an extension of, the T-120 family of protocol standards, which is a multichannel capable protocol allowing for separate virtual channels for carrying presentation data, serial device communication, licensing information, highly encrypted data (keyboard, mouse activity), etc. RDP supports multipoint (multiparty sessions) data delivery, allowing data from an application to be delivered in "real-time" to multiple parties without having to send the same data to each session individually (for example, Virtual Whiteboards). Thus, RDP is designed to support different types of network topologies and multiple LAN protocols. RDP listens on TCP port 3389 by default, and uses RSA Security's RC4 cipher, a stream cipher designed to efficiently encrypt small amounts of data to secure communications over networks. Beginning with Windows 2000, administrators can choose to encrypt data by using a 56 or 128-bit key. Updated versions of RDP include new functions and enhancements: Windows 2000: Terminal Services includes enhanced RDP 5.0. The Terminal Services Advanced Client (TSAC) also supports the RDP 5.0 feature set. While continuing to provide excellent performance over the LAN, RDP 5.0 also provides enhanced performance over low-speed connections. Windows XP: Uses RDP 5.1 for Remote Desktop Connection and for Remote Assistant. Windows XP also includes Remote Desktop Web Connection, which is an updated version of TSAC (an RDP client based on a Microsoft ActiveX control). Remote Desktop Web Connection supports RDP 5.1 and RDP 5.0. Starting from RDP 5.1, new features are supported including Smart Card authentication, keyboard hooking (directing special Windows key combinations), and sound, drive, port, and network printer redirection. RDP 5.1 also has improved performance over low-speed dial-up connections through reduced bandwidth. Windows Server 2003: Uses RDP 5.2 for Remote Desktop Connection and for Remote Assistant. Remote Desktop Web Connection supports RDP 5.2 and is backward compatible with RDP 5.1 and 5.0. Major enhancement of RDP 5.2 includes the support of secured remote desktop connections using TLS/SSL based authentication. http://support.microsoft.com/?scid=kb;en-us;186607&x=6&y=10 6Hhttp://msdn.microsoft.com/en-us/library/aa383015(VS.85).aspx Page 1

II. Risk of Remote Desktop in Universities Continuous advancements have been made to improve Remote Desktop security; however, universities still remain as a major target for exploiting Remote Desktop vulnerabilities: 1 Lack of security awareness Although today s user is more IT savvy, lack of security awareness is still one of the leading causes for RDP exploits. Remote access users must be made aware of their security responsibilities. Awareness training and formally documented policies and procedures can help inform remote access users on important security topics. Such training and policies should include best practices to adhere to when working outside of the office, firewall configuration and password requirements. 2 Local Administrative Right Most of the users are granted with local administrative right on their computers. With the administrative right, users have full control over the configuration and software installation of the computers. In some cases, best practice of configuration may have been performed on local computers of users by IT department. However, since the local administrative right resides with the users, configurations can be easily modified or reset. Users who are not aware of the risks with using RDP access will be more susceptible to information disclosure attacks and brute force attacks. 3 Use of 3 rd party software Users may use 3 rd party software readily available on the internet for remote desktop access such as EchoVNC, italc, rdesktop, RealVNC Free and TightVNC. There may be vulnerabilities present in these 3 rd party softwares which may be exploited by the attacker. For instance, vulnerability has been reported for TightVNC in March 2009, which can be potentially exploited by a malicious hacker to compromise a target computer. User awareness education and regularly update the version and security patch can reduce the adverse effect by the vulnerabilities. This can also be secured by using the highest level of encryption which encrypts the data transmission in both directions by using a 128-bit key. 5Hhttp://www.sans.org/reading_room/whitepapers/terminal/secure_remote_access_using_windows_terminal_services_20 03_1354 Page 2

II. Risk of Remote Desktop in Universities (cont d) 4 Un-patched Operating Systems Un-patched Operating Systems leave vulnerabilities exposed and compromises overall security within the system. Windows Remote Desktop, in particular, has had a history of related patches to address several major vulnerabilities. For example, Microsoft released a security patch (MS09-044) in August 2009 to improve the security of Windows Remote Desktop. The patch helped fix a heap-based buffer overflow problem in Remote Desktop Connection that allowed attackers to execute arbitrary code via unspecified parameters. Administrators should apply the latest patches as soon as possible to mitigate such risks. Patches should be tested on a test server first to avoid any problems or incompatibility issues with the new patch. 5 Decentralised PC administration Due to the large number of students and staff who require remote access to work off-campus, it is difficult for universities to centrally manage the computers requiring remote access. Furthermore, it is not feasible for the IT department to configure each computer for secure remote desktop connection. As a result, universities are susceptible to greater risks as remote access users may have weak configurations or may be unaware to the security risks when using RDP. Computers with weak configuration may be compromised, and used by attackers to perform further attack within the university network. Universities may consider limiting RDP access to only certain users (e.g. students for courses requiring remote access). Administrators can also consider restricting the range of IPs that can remotely connect to the server. This can be done by configuring the firewall to provide additional access control using user-based authentication or IP restrictions. Alternatively, server configuration can be hardened by using IPSec to filter IPs. 7Hhttp://www.sans.org/reading_room/whitepapers/terminal/secure_remote_access_using_windows_terminal_services_20 03_1354 Page 3

II. Risk of Remote Desktop in Universities (cont d) 6 External threats Based on the factors above, universities remain a prime target for external attackers to exploit Remote Desktop vulnerabilities. Below are some examples of attacks that can be performed on universities: Enumeration on server port Enumeration is the process of gathering information about a target system or network a hacker wants to compromise. Identifying active Terminal Server ports is generally the first step in an attack. One method is to use an internet search engine such as Google to locate the ActiveX authentication form in the default location TSWeb/default.htm. Changing these default parameters and removing these common text strings from your installation can easily hide your connection page from this type of search. Another common method is to do a port scan for TCP port 3389, which is the default port for RDP. Once an open port is located, the attacker can use their Terminal Server client to connect to the target IP and be prompted for login and password. Hackers can then perform a Brute Force attack and gain access to that Terminal Server. To mitigate this risk, the port number should be changed to a non-standard port for both the Remote Desktop Connection & Remote Desktop Web Connection. Connecting to the Terminal Server using other methods such as VPN, RAS or SSL will also prevent external attacks using this method. Password Guessing Attacks Password guessing is still the primary method for attacking Terminal Servers. Dictionary based password-cracking tools are available to guess passwords using brute force. It takes advantage of the fact that the Administrator account cannot be locked out for local logins and, therefore, can be cracked through unlimited attempts. This is all done through the encrypted channel, which may allow the attacker to go undetected by Intrusion Detection Systems. Important risk-mitigating controls include configuring low account lockout thresholds with manual reset, implementing complex passwords that are changed on a frequent basis, implementing a logon banner, disabling of shared accounts, and renaming the Administrator account. Connecting through a VPN or SSH tunnel, limiting access control by IP or other information, or using 2-factor authentication will add further protection against this threat. Local Privilege Escalation The interactive rights required for Terminal Server access allows the ability to run privilege escalation and grant the attacker Administrator equivalent privileges. Attackers are utilising the zero-day vulnerabilities to launch blended exploits. This type of vulnerability allows for an interactively logged in user (either at the physical host or using some remote-desktop type of network application) to elevate their privileges to higher-privileged accounts, typically Administrator or SYSTEM. The attack tools are freely available for download on the Internet and other methods use only the tools available in a session. Access control lists and software restriction policies must be carefully designed to protect against this threat. Disabling Active Desktop also prevents a few specific attacks. 8Hhttp://www.sans.org/reading_room/whitepapers/terminal/secure_remote_access_using_windows_terminal_services_20 03_1354 Page 4

III. Exploitation on Remote Desktop Vulnerabilities in Remote Desktop Connection Vulnerabilities have been discovered in the Microsoft Remote Desktop Connection which could allow an attacker to take complete control of an affected system. Exploitation occurs if a user uses Microsoft Remote Desktop Connection to connect to a malicious RDP server, or if a user visits a web page or opens a malicious e-mail attachment which is specifically crafted to take advantage of these vulnerabilities. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. A recent vulnerability (MS09-044) has been discovered in Aug 2009 in the Microsoft Remote Desktop Connection that could allow an attacker to take complete control of an affected system. Description of vulnerability The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious RDP server or if a user visits a specially crafted web site that exploits this vulnerability. Impact of vulnerability Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Affected RDP versions Microsoft Terminal Services Client ActiveX control running RDP 6.1 on Windows XP SP2, Vista SP1 or SP2, or Server 2008 Gold or SP2; or 5.2 or 6.1 on Windows XP SP3. Recommendation Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. 9Hhttp://www.msisac.org/advisories/2009/2009-052.cfm 10Hhttp://www.microsoft.com/technet/security/bulletin/ms09-044.mspx Page 5

IV. Hardening steps to secure Remote Desktop access. (Basic Security Recommendations) The following security recommendations or guidelines help secure your server: 1 Rename the Administrator Account Renaming the Administrator Account will help to prevent a brute force attack on the Administrator account. Most brute force attacks will use the account name Administrator. This is the default name and this account is not subject to account lockout. This configuration change is done by editing the Local Security Policy. 2 Change the default RDP port For the attack surface exposure of the common RDP port (TCP 3389), the RDP session can be configured to use a different port. The modification must be applied to both the terminal server itself and all of the TS clients. Modification of registry will be required to change the default of the terminal server, and modification of the Client Connection Manager will be required to alter the port for client side. Please refer to 0Hhttp://support.microsoft.com/kb/187623 for details of configuration. 3 Use the highest level of encryption Use the High encryption option which encrypts the data transmission in both directions by using a 128-bit key. Use this level when the Terminal Server runs in an environment that contains 128-bit clients. RDP traffic is encrypted using 128-bit encryption when connecting to Windows Server 2003 from a Windows XP client computer. By default, both the Web-based and the standalone remote desktop client send the encrypted RDP traffic over TCP port 3389. 4 Set Group Policy settings for the remote desktops By making end users members of the Remote Desktop Users group you grant these users the necessary privileges for connecting to Terminal Server. The Remote Desktop Users group allows the same access as the Users group with the additional ability to connect remotely. By using this group, you save administrative resources by not having to set up these rights for each user individually. By default, the permissions for a Terminal Server environment are set to provide maximum security while allowing users to run applications. Users can save files within their profile directory, but cannot delete, or modify certain files. 5 Restrict users to specific programs Software restriction policies provide administrators with a policy-driven mechanism to identify software programs running on computers in a domain and to control the ability of those programs to execute. You can use policies to block malicious scripts, to lock down a computer, or to prevent unwanted applications from running. 1Hhttp://technet.microsoft.com/en-us/library/cc264467.aspx 2Hhttp://download.microsoft.com/download/4/2/9/42995217-e85a-41e9-b530-375a10b800fa/TS_security.doc Page 6

V. Hardening steps to secure remote desktop access. (Enhanced Security Options) 1 Consider Using a Firewall For the network hosting the Terminal Server, it is best practice to use a firewall capable of stateful packet inspection. A firewall capable of stateful packet inspection is more secure because it keeps track of packet requests and closes inbound packet forwarding once the session is finished. This firewall can be based on either hardware or software, such as a server running Windows Server 2003 with the Internet Connection Firewall (ICF) or Microsoft s Internet Security and Acceleration (ISA) Server 2000. One advantage of using ISA is that it integrates with Microsoft Active Directory service and takes advantage of Windows technology. ISA can also be integrated with Terminal Server by providing and protecting users access to the Internet using an advanced proxy architecture. 2 Consider Using a VPN tunnel to Secure Terminal Services connections over the Internet For Terminal Server connections over the Internet, the more secure option is VPN. Although encryption is powerful there is a risk of a man in the middle attack because there is no authentication. A VPN tunnel (with L2TP) is more secure because it uses authentication as well as encryption over the internet. VPN tunnels work by encrypting and encapsulating data over the Internet. There are two tunnelling protocols that are used with VPN, these are PPTP and L2TP. Because PPTP does not provide authentication in the tunnel, it does not add any security to the Terminal Server connection which already provides encryption. The tunnelling protocol you should consider using is L2TP. 3 Consider Using IPSec Policy to Secure Terminal Server Communications The IPSec can be used to secure Terminal Server connections between computers over your network. IPSec secures and controls the transmission of IP packets. IPSec uses an industry-defined set of standards to verify, authenticate, and optionally encrypt data. Using IPSec provides mutual authentication between client and server ensures private, secure communications over Internet Protocol (IP) networks, integrity of the contents of IP packets protected by encrypting data, and protection against attacks provided. To enable IPSec protection for Terminal Services, create an IPSec filter list to match the Terminal Services packets, an IPSec policy to enforce IPSec protection, and then enable the policies -- the Client (respond-only) policy on the Terminal Services clients should be enabled. 3Hhttp://technet.microsoft.com/en-us/library/cc264467.aspx 4Hhttp://download.microsoft.com/download/4/2/9/42995217-e85a-41e9-b530-375a10b800fa/TS_security.doc Page 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information