Choose a secure remote management approach

By debate
How do you remotely manage your organization's network? What tools do you use to manage critical devices? What measures have you taken to secure remote management? Share your comments about making sure your remote management approach is secure, as discussed in the Jan. 14 Security Solutions newsletter.

If you haven't subscribed to our free Security Solutions newsletter, sign up today! Click this link to subscribe automatically:
http://nl.com.com/MiniFormHandler?brand=techrepublic&list_id=e036

This conversation is currently closed to new comments.

All Comments

Remote Administration

by steve In reply to Choose a secure remote ma ...

I use Remote Desktop to remotely manage our 2003 servers. Although, the first thing I do is change the default port of 3389 to a more non-public port.

The second choice is Remote Administrator 2.2 from famatech.com. Remote Administrator is a fast and easy way to troubleshoot mainly desktops but some of its features are great for server administration also.

Steve

Good idea!

by dryflies In reply to Remote Administration

Changing the port is a great idea. I use the default port right now but require the use of a VPN to get into our network. I am unfamiliar with how to change the default port for RDP. Can you detail how that is done?

Tom.

Why Change?

by crashz In reply to Good idea!

As I understand it, by using VPN to connect to your network, the RDP port is not open to the internet. I use this method to remotely manage several businesses. Am I missing something?

RE: Why Change?

by bwhitehill In reply to Why Change?

I have no idea why Mike Mullins didn't include this option.

If his true concern was "the central issue of how to securely control connections from a remote IP address to a multitude of internal servers" then he should have included the VPN option.

I remotely manage 2003 servers via L2TP/IPSEC VPN. Connect to the network via VPN and then access all internal servers. Port 3389 does not have to be open at the firewall... only L2TP/IPSec port (1701).

The only thing you can't have is "BIOS-level control", which is apparently a big deal to Mike.

Misunderstanding?

by steve In reply to RE: Why Change?

I don't think Mike was addressing the issue of remote administration outside of your network but rather from, say, your desktop at work.

At least that was my first impression of his article.

He understood the scope

by Mike Mullins In reply to Misunderstanding?

Actually, I was aiming at the remote WAN connection. However, a good solution would fit both inside and outside connections. Which brings up the question. Why didn't I promote VPNs to secure this traffic?

There are two reasons why I didn't include VPN:
1. You'd never want to VPN your internal desktop to server sessions. If your network is that full of mistrust, you work for a three letter agency.

2. What can I use to give me maximum access, regardless of the terminal (company or public kiosk) that I use for access and provide security for that connection?

If I can have BIOS-level access using a secure and authenticated web connection, that frees me from being chained to carrying a company laptop everywhere I go.

Thoughts??

Mike Mullins
Security Solutions Columnist

Configure encryption levels

by steve In reply to He understood the scope

In addition to changing the default port I also configure the terminal server's RDP-TCP connection to provide better protection.

1. Restrict the number of client sessions.
2. Set session time limits.
3. Configure encryption levels

Steve

How To:

by steve In reply to Good idea!

If you are using a VPN to access your network first and then using Remote Desktop, you really don't need to change the port. But for additional security reasons I do.

How To:
1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
2. Change the "PortNumber" Dword value to whatever open port you like then reboot.
3. Using Windows Server 2003 RDP 5.2 client go through the standard steps of making and saving the connection to, say, your desktop.
4. Right click on your saved .RDP file and open it with notepad.
5. Insert this line "server port:i:1234" under the "shell working directory:s" line.
6. Now replace "1234" with the port number you put into your registry.
7. Save your changes and give it a try.

Please try this in a test environment first. I did run into Server 2003 not liking a few ports for RDP.

I consider this method the same as renaming your local administrator account. It's just another level of security.

Sample RDP file viewed in notepad:

screen mode id:i:2
desktopwidth:i:1024
desktopheight:i:768
session bpp:i:16
winposstr:s:0,1,112,138,912,738
auto connect:i:0
full address:s:68.11.84.150
keyboardhook:i:2
audiomode:i:1
redirectdrives:i:0
redirectprinters:i:0
redirectcomports:i:0
redirectsmartcards:i:1
displayconnectionbar:i:1
autoreconnection enabled:i:1
username:s:xadmin
domain:s:notacz.com
alternate shell:s:
shell working directory:s:
server port:i:1234
disable wallpaper:i:1
disable full window drag:i:1
disable menu anims:i:1
disable themes:i:1
disable cursor setting:i:0
bitmapcachepersistenable:i:1
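
The registry change and the .RDP edit from the steps above have to agree on the port, and a .reg file stores DWORD values in hexadecimal while the .RDP file uses decimal. The following is an added example, not part of the original post: the function names and the sample file contents are constructed for illustration, and 1234 is the placeholder port from the post.

```python
# Added example: keep the server-side PortNumber and the client .RDP file in sync.
RDP_REG_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
               r"\Control\Terminal Server\WinStations\RDP-Tcp")

# Constructed sample .RDP content (hypothetical host name).
SAMPLE_RDP = ("full address:s:rdp.example.test\n"
              "alternate shell:s:\n"
              "shell working directory:s:\n"
              "disable wallpaper:i:1\n")

def check_port(port):
    """Reject values that cannot be a TCP port."""
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"not a valid TCP port: {port!r}")
    return port

def reg_file_for_port(port):
    """Step 2 as .reg text. DWORDs are written in hex: 3389 -> 00000d3d."""
    check_port(port)
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{RDP_REG_KEY}]\r\n"
            f'"PortNumber"=dword:{port:08x}\r\n')

def server_port(rdp_text):
    """Port the client will use; 3389 when no 'server port' line exists."""
    for line in rdp_text.splitlines():
        parts = line.split(":", 2)  # .RDP lines are name:type:value
        if len(parts) == 3 and parts[0].strip().lower() == "server port":
            return check_port(int(parts[2]))
    return 3389

def set_server_port(rdp_text, port):
    """Steps 5-6: replace any 'server port' line, else insert it after
    'shell working directory' (or append if that line is missing)."""
    new_line = f"server port:i:{check_port(port)}"
    out, done = [], False
    for line in rdp_text.splitlines():
        key = line.split(":", 1)[0].strip().lower()
        if key == "server port":
            if not done:
                out.append(new_line)
                done = True
            continue  # drop duplicates so only one port line remains
        out.append(line)
        if key == "shell working directory" and not done:
            out.append(new_line)
            done = True
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"
```

Comparing `server_port()` on the saved file against the value written by `reg_file_for_port()` catches the common mismatch where the registry was edited in hexadecimal and the client file in decimal.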

Excellent solutions!!

by Mike Mullins In reply to Choose a secure remote ma ...

I really like the idea of changing the default rdp ports and adding vpn.

Mike Mullins

Remote Management

by litzelmh In reply to Choose a secure remote ma ...

We use Remote Desktop to manage our 2000 and 2003 servers. It works well both in house and from home as there are only a few people allowed to do so. Then we have not incurred any additional cost for remote management.
