
Securing Windows Terminal Services

A guide to securing Windows Terminal Services. There are entire books dedicated to this topic; here we will cover some of the essential security steps.

Vulnerabilities in Terminal Services

What is Terminal Services?

Terminal Services (also known as Remote Desktop) is a fantastic tool for system administration, as it allows most tasks that would otherwise require physical server access to be performed remotely (excluding hardware changes, of course). This is particularly useful with the ongoing trend towards more and more services being operated from dedicated servers and virtual private servers located in data centers.

Why is it vulnerable?

Because of all the power and flexibility it offers, it is prone to malicious attack. Windows systems rely on this type of administration, so when Windows boxes are connected directly to the Internet, methods of protection are required. Systems are vulnerable from many points; these include:

Methods of protection

Now that you know there is a problem, here are some steps to minimise the risk and ensure security.

If you don't need it, turn it off

Terminal Services is a great tool; however, if it's not needed you can turn it off.

To enable or disable Terminal Services:

  1. Click Start, then Control Panel, and select the System icon.
  2. Click the Remote tab.
  3. Under Remote Desktop, make sure the "Allow users to connect remotely to this computer" checkbox is unchecked or checked, depending on whether you want to disable or enable the service.

Turning it off is only useful if you don't want or need remote access, or if you want an isolated system.

Restrict who has access to Terminal Services

Restricting who has access to Terminal Services is a good starting point. Methods include:

Windows Updates

Windows Updates are a critical part of Windows system administration. Updates are normally released on the second Tuesday of the month, or Wednesday our time. Microsoft puts out a mailing list, which you can find here: Security bulletins.

Banners

Login banners give some basic security by presenting a banner before a user attempts to log in to the system. This will not stop the more sophisticated hacker, but it will often foil those who accidentally attempt to log in to the wrong system and those using older brute forcing tools against your terminal server.

To enable or disable the login banner:

Secure passwords

Secure passwords are always needed. The biggest vulnerability by far with Terminal Services is weak passwords. Another article on our Wiki has good suggestions for password complexity and security: see the Passwords section in Securing Remote Access via SSH and Server Security. Password guessing is the primary method for attacking Terminal Servers, so it is critical that you take steps to protect against this type of attack. Try making users' passwords easy to remember, but hard to guess. Also inform your users never to give out their password!

Example of attack methods

TS Grinder

TS Grinder is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and it supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a user name/password combination within a particular connection. Protecting against this type of attack is very difficult. The reason TS Grinder works is that the administrator account has no lockout threshold.
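Password guessing of this kind leaves a trail of failed logons in the Security event log. The following added example (not part of the original wiki page) counts failed Terminal Services logons per source address and account in a sliding time window, which matters most for an administrator account that no lockout threshold protects. The CSV layout, sample rows, function name and thresholds are assumptions made for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Failed-logon event IDs: 529 (Windows 2000/XP/2003), 4625 (Vista/2008 and later).
FAILED_LOGON_IDS = {"529", "4625"}
REMOTE_INTERACTIVE = "10"  # logon type recorded for Terminal Services sessions

# Constructed sample rows in an assumed export layout:
# time,event_id,logon_type,account,source_ip
SAMPLE_LOG = """\
2009-03-09T13:00:01,4625,10,Administrator,203.0.113.7
2009-03-09T13:00:04,4625,10,Administrator,203.0.113.7
2009-03-09T13:00:07,4625,10,Administrator,203.0.113.7
2009-03-09T13:00:11,4625,10,Administrator,203.0.113.7
2009-03-09T13:00:15,4625,10,Administrator,203.0.113.7
2009-03-09T13:00:19,4625,10,Administrator,203.0.113.7
2009-03-09T13:02:00,4625,10,jsmith,198.51.100.20
2009-03-09T13:02:30,4624,10,jsmith,198.51.100.20
2009-03-09T13:05:00,4625,3,Administrator,203.0.113.9
2009-03-09T14:00:00,529,10,Administrator,192.0.2.5
2009-03-09T14:10:00,529,10,Administrator,192.0.2.5
"""

def find_guessing_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Map (source_ip, account) to its peak failure count in any window, if >= threshold."""
    failures = defaultdict(list)
    for row in csv.reader(text.splitlines()):
        if len(row) != 5:
            continue  # skip blank or malformed rows
        when, event_id, logon_type, account, source_ip = row
        if event_id in FAILED_LOGON_IDS and logon_type == REMOTE_INTERACTIVE:
            failures[(source_ip, account.lower())].append(datetime.fromisoformat(when))
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start = best = 0
        for end, current in enumerate(times):
            # Shrink the window from the left until it spans at most `window`.
            while current - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

if __name__ == "__main__":
    for (ip, account), count in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{ip} -> {account}: {count} failed Terminal Services logons in one minute")
```

A single mistyped password (jsmith) and a failed logon of another logon type are ignored; only the burst against the administrator account is reported with the default settings.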

There are several ways to combat TS Grinder attacks:

Summary

Terminal Services is a critical part of system administration; I know we would be lost without it here. If properly protected and set up, it will be as secure as you make it!



Wiki: dedicated/securing_terminal_services (last edited 2009-03-09 13:39:29 by KeiranHolloway)