Securing Windows Terminal Services
A guide to securing Windows Terminal Services. There are entire books dedicated to this topic; here we will cover some of the essential security steps.
Vulnerabilities in Terminal Services
What is Terminal Services?
Terminal services (also known as Remote Desktop) is a fantastic tool for system administration as it allows most tasks that would otherwise require physical server access to be performed remotely (excluding hardware changes, of course). This is particularly useful with the ongoing trend towards more and more services being operated from dedicated servers and virtual private servers located in data centers.
Why is it vulnerable?
Because of all the power and flexibility it offers, it's prone to malicious attack. Windows systems rely on this type of administration, so when Windows boxes are connected directly to the Internet, methods of protection are required. Systems are vulnerable from many points; these include:
- Brute force attacks.
- Weak passwords.
- Social engineering techniques used to gather passwords.
- Operating system exploits.
Methods of protection
Now that you know there is a problem, here are some steps to minimise the risk and ensure security.
If you don't need it, turn it off
Terminal Services is a great tool; however, if it's not needed you can turn it off.
To enable or disable Terminal Services:
- Click Start, then Control Panel, and select the System icon.
- Click the tab Remote.
- Under Remote Desktop, make sure the "Allow users to connect remotely to this computer" checkbox is unchecked or checked, depending on whether you want to disable or enable the service.
Turning it off is only useful if you don't want or need remote access, or if you want an isolated system.
Restrict who has access to Terminal Services
Restricting who has access to Terminal Services is a good starting point. Methods include:
- Source-based firewall restrictions are a great idea if you are connecting from a limited number of locations with static IP addresses.
  - Windows has a built-in firewall that does a great job with source-based restrictions. However, if you need to be able to connect from any location this might not work for you; the following is an alternative.
- A VPN is a great idea, as it gives a good level of security by creating a secure tunnel between the client computer and the server.
  - There are many small, cheap and effective VPN appliances on the market that you can use to access your local network from remote locations with the peace of mind that it's very secure. This eliminates the need to have Terminal Services facing a live interface.
- User restriction
  - By default, Terminal Services is configured to allow access only to local administrators. Normally this works; however, if a user has been added to the "Remote Desktop" users group they will also have access, so closely audit this user group.
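The checks in the list above can be scripted. The following is an added example, not part of the original guide: it reports whether Remote Desktop is enabled, which source addresses the Windows firewall accepts for it, and who is allowed to log on. It assumes an English-language system with PowerShell 5.1 or later, where the firewall display group is named "Remote Desktop" and the local group is "Remote Desktop Users"; the function names are hypothetical.

```powershell
# Added example, not from the original guide. Run elevated on the server.
# Assumes English names for the firewall display group and the local groups.
function Get-RdpExposure {
    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Source addresses accepted by each enabled inbound Remote Desktop rule.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Sources   = $remote -join ', '
                OpenToAny = [bool]($remote -contains 'Any')
            }
        }

    # Everyone who can log on through Terminal Services: local administrators
    # plus anything that has been added to Remote Desktop Users.
    $members = foreach ($group in 'Administrators', 'Remote Desktop Users') {
        Get-LocalGroupMember -Group $group |
            Select-Object @{ n = 'Group'; e = { $group } }, Name, ObjectClass
    }

    [pscustomobject]@{
        RdpEnabled    = ($ts.fDenyTSConnections -eq 0)
        FirewallRules = $rules
        AllowedUsers  = $members
    }
}

# Limit the built-in rules to known static addresses (supports -WhatIf).
function Set-RdpAllowedSource {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Address)
    if ($PSCmdlet.ShouldProcess('Remote Desktop firewall rules', "limit to $($Address -join ', ')")) {
        Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $Address
    }
}

$report = Get-RdpExposure
"Remote Desktop enabled: $($report.RdpEnabled)"
$report.FirewallRules | Format-Table
$report.AllowedUsers  | Format-Table
# Addresses below are documentation placeholders, not real hosts:
# Set-RdpAllowedSource -Address '203.0.113.10', '198.51.100.0/24' -WhatIf
```

A rule reported with OpenToAny set to True accepts connections from every address, which is the case the source-based restriction is meant to close.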
A critical part of Windows system administration is Windows Updates. Updates are normally released on the second Tuesday of the month, or Wednesday our time. Microsoft puts out a mailing list that you can find here: Security bulletins.
Login banners give some basic security by presenting a banner before a user attempts to log in to the system. This will not stop the more sophisticated hacker, but it will often foil those who accidentally attempt to log in to the wrong system and those using older brute-forcing tools against your terminal server.
To enable or disable the login banner:
- Click Start/Settings/Control Panel.
- Double-click Administrative Tools / Local Security Settings / Local Policies / Security Options.
- Set Message text for users attempting to log on.
- Set Message title for users attempting to log on.
- Logoff/Logon to test.
Secure passwords are always needed. The biggest vulnerability by far with Terminal Services is weak passwords. Another article here on our Wiki has good suggestions for password complexity and security: see the Passwords section in Securing Remote Access via SSH and Server Security. Password guessing is the primary method for attacking Terminal Servers, so it is critical that you take steps to protect against this type of attack. Try making users' passwords easy to remember, but hard to guess. Also inform your users to never give out their password!
Example of attack methods
TS Grinder is a "dictionary"-based attack tool, but it does have some interesting features like "l337" conversion, and it supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a user name/password combination within a particular connection. Protecting against this type of attack is very difficult. The reason TS Grinder works is that the administrator account has no lockout threshold.
There are several ways to combat TS grinder attacks:
- Complex passwords changed on a frequent basis.
- A login banner.
- Renaming the Administrator account.
- Connecting through a VPN.
- Firewall limiting access control by IP or other information.
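Because the administrator account does not lock out, repeated guessing shows up only in the logs. The following is an added example, not part of the original guide: it groups failed logons (Security event 4625) by source address and reports sources at or above a threshold. The function names, the threshold of 10 and the sample records are assumptions made for illustration.

```powershell
# Added example, not from the original guide. Reading the Security log needs
# an elevated session and failed-logon auditing turned on.
function Get-FailedLogon {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $evt.TimeCreated; User = $data['TargetUserName']
                           Source = $data['IpAddress']; LogonType = $data['LogonType'] }
    }
}

function Find-PasswordGuessing {
    param(
        [Parameter(ValueFromPipeline)]$Record,
        [int]$Threshold = 10   # assumed cut-off, tune to your environment
    )
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Record) }
    end {
        # Logon type 10 is RemoteInteractive (Terminal Services); type 3 is
        # Network, which is how failed RDP logons are recorded when NLA is on.
        $all | Where-Object { $_.LogonType -in '3', '10' } |
            Group-Object Source |
            Where-Object { $_.Count -ge $Threshold } |
            ForEach-Object {
                [pscustomobject]@{
                    Source   = $_.Name
                    Failures = $_.Count
                    Users    = ($_.Group.User | Sort-Object -Unique) -join ', '
                    First    = ($_.Group.Time | Sort-Object | Select-Object -First 1)
                    Last     = ($_.Group.Time | Sort-Object | Select-Object -Last 1)
                }
            }
    }
}

# Constructed sample records (not real log data) so the logic runs offline.
$now = Get-Date
$sample = 1..12 | ForEach-Object {
    [pscustomobject]@{ Time = $now.AddSeconds(-5 * $_); User = 'Administrator'
                       Source = '203.0.113.50'; LogonType = '10' }
}
$sample += [pscustomobject]@{ Time = $now; User = 'alice'; Source = '198.51.100.7'; LogonType = '10' }
$sample | Find-PasswordGuessing | Format-List
# Against the live log: Get-FailedLogon -Hours 24 | Find-PasswordGuessing
```

Sources that turn up here are candidates for the firewall restrictions described earlier, and a run of failures against a renamed Administrator account's old name is a sign of automated guessing.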
Terminal Services is a critical part of system administration; I know here we would be lost without it. If properly protected and set up, it will be as secure as you make it!