Remote management of Windows servers is now standard practice on
large networks. Managing those servers across an untrusted WAN
connection, however, is a security challenge.
The security involved with these remote
management solutions varies depending on the complexity and the
implementation of your organization’s network. Let’s examine some
of your options.
The Microsoft approach
Microsoft offers a native remote management
solution: Terminal Services, reached through the Remote Desktop
Protocol (RDP) on TCP port 3389.
RDP offers two excellent features:
Encryption: The session is encrypted with RC4, a stream cipher, using
a 56- or 128-bit key. (This is the legacy RDP Security Layer; current
Windows versions can instead carry RDP inside TLS and require Network
Level Authentication, and RC4 itself is no longer considered adequate,
so the legacy layer should be disabled where the client base allows it.)
Roaming disconnect: When
the network or a client failure unexpectedly terminates a user’s
session, it disconnects the user without logging off the
While both are noteworthy features, neither
tackles the central issue of how to securely control connections
from a remote IP address to a multitude of internal servers. The
complexity of the internal network can only compound the problem
with the RDP approach, and you often face a number of hurdles to
Most notable are the vulnerabilities associated
with RDP and Terminal Services themselves, and the difficulty of
reaching internal servers that have no public IP address. In
addition, you must allow remote connections (TCP 3389) through your
security layer to each internal server, and because administrators
connect from changing locations, that rule commonly ends up
permitting every source IP address.
You could address these issues by running a
single Terminal Services server as a jump host, connecting to that
server remotely, and opening connections to the other internal
servers from within that session. This narrows the perimeter
exposure to one host, but it doesn't address vulnerabilities in the
Microsoft RDP implementation itself, or connections to non-Microsoft
servers.
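The hardening a practitioner would apply to the RDP listener on each managed server, as an added example that is not part of the original article: it switches the listener from the legacy RC4-based security layer to TLS, requires Network Level Authentication, and enforces the 128-bit minimum, then audits the result. The registry keys and value names are the documented Terminal Server settings; the function names are this example's own.

```powershell
# Added example (not from the article): harden the RDP listener so that the
# legacy RC4 "RDP Security Layer" is not used and clients must authenticate
# (NLA) before a session is created. Run as Administrator on the managed server.
#Requires -RunAsAdministrator

$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$TsKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Target values (documented Terminal Server settings):
#   SecurityLayer      0 = legacy RDP Security Layer, 1 = negotiate, 2 = TLS required
#   UserAuthentication 1 = Network Level Authentication required
#   MinEncryptionLevel 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
$Desired = @{
    SecurityLayer      = 2
    UserAuthentication = 1
    MinEncryptionLevel = 3
}

function Get-RdpListenerState {
    # Read the current listener configuration; a missing value reads as $null.
    $props = Get-ItemProperty -Path $ListenerKey
    [pscustomobject]@{
        SecurityLayer      = $props.SecurityLayer
        UserAuthentication = $props.UserAuthentication
        MinEncryptionLevel = $props.MinEncryptionLevel
        RdpEnabled         = ((Get-ItemProperty -Path $TsKey).fDenyTSConnections -eq 0)
    }
}

function Test-RdpHardened {
    # Report every setting that differs from the baseline; empty output means compliant.
    $state = Get-RdpListenerState
    $findings = foreach ($name in $Desired.Keys) {
        if ($state.$name -ne $Desired[$name]) {
            "$name is '$($state.$name)', expected $($Desired[$name])"
        }
    }
    if ($findings) { $findings } else { 'RDP listener meets the baseline' }
}

function Set-RdpHardened {
    # Write the baseline values; they apply to new connections only, so the
    # session you are running this from is not dropped.
    foreach ($name in $Desired.Keys) {
        Set-ItemProperty -Path $ListenerKey -Name $name -Value $Desired[$name] -Type DWord
    }
    Test-RdpHardened
}

# Audit first; call Set-RdpHardened once the findings have been reviewed.
Test-RdpHardened
```

Setting SecurityLayer to 2 means clients that only speak the legacy security layer (very old mstsc builds and some third-party clients) will no longer connect; check the client base before enforcing it fleet-wide.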
In my opinion, the Microsoft approach isn’t a
viable solution for remote management. It has severe limitations
when it comes to dealing with other operating systems and managing
the security of inbound connections.
The generic approach
Developed at AT&T Laboratories Cambridge, Virtual
Network Computing (VNC) is a platform-independent approach. While
this is an excellent non-OS-specific solution, it does require
installing both client and server software and opening several TCP
ports (5900 plus one port per display, and the 5800 range for the
browser-based Java viewer) from any IP address to the servers you
want to manage. Classic VNC also does not encrypt the session, so it
should be tunneled over SSH or a VPN rather than exposed directly. In
addition, it doesn't address how to remotely manage servers with
private IP addresses.
VNC is a good alternative, but its requirement
of loading client software on the remote machine might not always
be an option for your organization. You must also deal with the
hurdle of allowing multiple ports from any IP address to all of
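Both the RDP and the VNC discussions above come down to the same perimeter problem: management ports reachable from any source address. The following is an added example, not part of the original article, of scoping those ports on a Windows server with the built-in firewall so that only a designated jump host can reach them, and then auditing for any rule that still leaves them open to every address. The jump-host address 10.10.0.5 and the rule names are assumptions made for this example.

```powershell
# Added example (not from the article): restrict inbound RDP (TCP 3389) and VNC
# (TCP 5900-5999) to a single jump host and audit for rules that still expose
# those ports to any source. Run as Administrator on each managed server.
# ASSUMPTION: 10.10.0.5 is the jump host; adjust before running.
#Requires -RunAsAdministrator

$JumpHost  = '10.10.0.5'
$MgmtPorts = @{
    'Mgmt-RDP-FromJumpHost' = '3389'
    'Mgmt-VNC-FromJumpHost' = '5900-5999'
}

function Set-ManagementPortScope {
    foreach ($name in $MgmtPorts.Keys) {
        # Remove any earlier rule of the same name so the script is idempotent.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            Remove-NetFirewallRule
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $MgmtPorts[$name] -RemoteAddress $JumpHost -Action Allow | Out-Null
    }
    # The built-in "Remote Desktop" rule group accepts 3389 from Any; disable it
    # so the scoped rule above is the only path in.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    Find-OpenManagementRules
}

function Find-OpenManagementRules {
    # Report every enabled inbound Allow rule that exposes 3389, a 59xx port, or
    # all ports (LocalPort 'Any') without a source-address restriction.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if ($port.Protocol -notin @('TCP', 'Any')) { return }
        $exposed = @($port.LocalPort) | Where-Object {
            $_ -eq 'Any' -or $_ -eq '3389' -or $_ -match '^59\d\d(-\d+)?$'
        }
        if ($exposed -and (@($addr.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Rule   = $rule.DisplayName
                Port   = ($exposed -join ',')
                Source = 'Any'
            }
        }
    }
}

# Audit only; call Set-ManagementPortScope to apply the scoped rules.
Find-OpenManagementRules
```

Run the audit from a console session or from the jump host itself: applying Set-ManagementPortScope over an RDP session from any other address disconnects you the moment the scoped rule replaces the open one. The audit deliberately flags rules with LocalPort 'Any', since those expose 3389 and 5900-5999 just as surely as a rule naming them.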
The KVM over IP approach
Several leading vendors offer
keyboard/video/mouse (KVM) over IP solutions that incorporate
remote connectivity through a Web interface.
Raritan offers a KVM solution that allows you
to connect any server (through a USB or KVM connection) or network
device (through a serial connection) to its KVM appliance. This
integrated, secure digital KVM appliance combines out-of-band
control with BIOS-level KVM access via a Web browser.
This approach uses a standard Web browser connection
over SSL/TLS to reach the KVM appliance, and it authenticates users
against the appliance's local user database or against LDAP or
RADIUS. This means you can now monitor and authenticate remote
connections to every server or network device through one
SSL-protected Web interface. The appliance then becomes the single
externally reachable management target, so it must be kept patched,
its Web interface restricted to known source addresses, and its
certificate validated by administrators rather than accepted blindly.
Both the Microsoft approach and VNC offer some
benefits, but each solution also has its drawbacks. In my opinion,
Web-based KVM over IP is the leading solution.
Secure remote access via a standard Web browser
to a central point allows BIOS-level control of any attached device
or server. If secure remote and local management of your enterprise
is one of your organization’s New Year’s resolutions, then I
suggest investigating a KVM over IP solution today.