remote desktop web connection security for Bill Sanderson (or anyone else who might know) :)

Mike

Hi Bill,
I have a question that I'd appreciate your clarifying for me. As you know
from our newsgroup exchanges, I use remote desktop (daily). To be
specific, I use the remote desktop web connection to connect from my laptop
(wherever I may happen to be) to my winxp pro machine.

My question is security related. My xppro box runs behind a firewall router
(netgear rp614). I have it forwarding port 3389. Comment you made in
response to others indicated that you did not think using port 80 for http
was such a hot idea. So, I have forwarded port 80 thru my firewall to port
'xxxx'. Everything works great. And to make sure I'm explaining myself
clearly, to logon to my xppro box, I enter "http://myxp ip address:xxxx/tsweb"
and go from there. I do not run a software firewall
(either xp pro's or zone alarm) primarily because netgear advises against
it. My log on password is a highly secure password. Ok...so am I pretty
well protected?

The reason I ask is because I do not fully understand what I have gained
from moving my http listening from port 80 to port xxxx. I guess I'd need
to be a hacker to understand what a hacker tries to do to gain access to my
system...but I'm guessing they scan blocks of ip addresses looking for open
port 80. So...even if they had found my open port 80 before I forwarded it,
they'd still need to break my password. (right?????) But if that's so,
then wouldn't they merely need to scan other (perhaps higher numbered) ports
to accomplish the same thing?

Secondly, (I appreciate your patience if you're still with me...your many
contributions in the newsgroup indicate you are very patient) I do not
fully grasp VPN/tunneling as it relates to remote desktop web connection.

Am I already doing this? I don't think so....since I didn't go thru the
process of setting up a VPN connection. Do I need to? What would I gain?

Would appreciate any answers to my questions, and clarifications to the
areas I'm obviously fuzzy in.
Thanks.
 
Nobody

Mike said:
Hi Bill,
I have a question that I'd appreciate your clarifying for me. As you know
from our newsgroup exchanges, I use remote desktop (daily). To be
specific, I use the remote desktop web connection to connect from my laptop
(wherever I may happen to be) to my winxp pro machine.

My question is security related. My xppro box runs behind a firewall router
(netgear rp614). I have it forwarding port 3389. Comment you made in
response to others indicated that you did not think using port 80 for http
was such a hot idea. So, I have forwarded port 80 thru my firewall to port
'xxxx'. Everything works great. And to make sure I'm explaining myself
clearly, to logon to my xppro box, I enter "http://myxp ip address:xxxx/tsweb"
and go from there. I do not run a software firewall
(either xp pro's or zone alarm) primarily because netgear advises against
it. My log on password is a highly secure password. Ok...so am I pretty
well protected?

A potential problem with any terminal server or RDP environment is there are
utilities that can use either dictionary based or brute force methods of
gaining access. In either case, unless you configure the account lockout
policies, it would only be a matter of time before someone could gain
access.

Stating your password is highly secure is relative to your opinion. I do not
know if your computer is a standalone machine or logs on to a domain
controller, but either way, if there are any other logons permitted on
your machine, your security may only be as good as the passwords on those
other accounts.
 
Mike

Thanks for the response...
good point about the account lockout policies...I'll double check that.
With respect to the relatively secure password....I wasn't trying to
boast...just meant that it consists of a variety of alpha & numeric &
symbolic characters and will not easily be defeated by any dictionary or
brute force method.....
The XP pro machine allows no other log ons,...so there are no other
passwords involved. :)

Can you shed any light for me, on the idea of an unauthorized person even
finding the existence of my xp pro box, given the port forwarding info etc.
in my 1st post?

Thanks again!
 
Nobody

Mike said:
Thanks for the response...
good point about the account lockout policies...I'll double check that.
With respect to the relatively secure password....I wasn't trying to
boast...just meant that it consists of a variety of alpha & numeric &
symbolic characters and will not easily be defeated by any dictionary or
brute force method.....
The XP pro machine allows no other log ons,...so there are no other
passwords involved. :)

Can you shed any light for me, on the idea of an unauthorized person even
finding the existence of my xp pro box, given the port forwarding info etc.
in my 1st post?

Thanks again!

Mike,

Sorry about sounding a bit "bullish" in regards to your password, it's just
that I have dealt with many clients who claim to have strong passwords but I
wind up showing them "different" :)

As for your original post, you're forwarding port 80, which is common for web
servers, so it doesn't matter what internal port you are listening on.
Web requests are essentially unaware your computer is actually listening on
a non-standard port.

It's a trivial task to find such machines configured as yours with the remote
desktop web interface. Any port scanner will detect your webserver, and if
that's not enough, then search engines have a way with finding "hidden"
servers on the internet. Just do a search on google for the phrase "tsweb"
and you'll see quite a few links that connect you to someone's system.
 
Jeffrey Randow (MVP)

Note that having a tsweb link on a particular website does not
indicate anything.... Anyone can host the tsweb page but still not
have a RD server listening on the hosting IP address...

The problem I have with the web client is that we have
hundreds/thousands of people running a web server who may or may not
keep it up to date... :(

Jeffrey Randow (Windows Net. & Smart Display MVP)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Smart Display Support - http://www.smartdisplays.net
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
 
Mike

sure appreciate the feedback...check me and see if I've got this straight.
(1)port forwarding port 80 is not offering me any additional security (if
so, I wonder why Bill Sanderson was recommending it???)

(2) using commonly available port scanners, virtually anyone can detect my
nnn.nnn.nnn.nnn:xxxx ip address

If this is all correct, then am I correct in thinking that only my
password/user name combination is preventing unauthorized log in? I thought
a hardware firewall (along with the port 80 forwarding) would keep scanners
from detecting the presence of my xppro box's existence. For example,
symantec & GRC both show ports 80 and 3389 as stealth...which if I
understand it correctly, mean they can't verify that those ports are in
existence for my ip address.

Appreciate your patient explanations....I just want to be as reasonably
secure as one can be and still use remote desktop web connection. Any
thoughts on tightening up security would be appreciated...I've never had a
problem...and want to keep it that way.

Mike
 
Nobody

Mike said:
sure appreciate the feedback...check me and see if I've got this straight.
(1)port forwarding port 80 is not offering me any additional security (if
so, I wonder why Bill Sanderson was recommending it???)

(2) using commonly available port scanners, virtually anyone can detect my
nnn.nnn.nnn.nnn:xxxx ip address

If this is all correct, then am I correct in thinking that only my
password/user name combination is preventing unauthorized log in? I thought
a hardware firewall (along with the port 80 forwarding) would keep scanners
from detecting the presence of my xppro box's existence. For example,
symantec & GRC both show ports 80 and 3389 as stealth...which if I
understand it correctly, mean they can't verify that those ports are in
existence for my ip address.

Appreciate your patient explanations....I just want to be as reasonably
secure as one can be and still use remote desktop web connection. Any
thoughts on tightening up security would be appreciated...I've never had a
problem...and want to keep it that way.

Mike

Maybe I misinterpreted your configuration. If I am correct, you're running a
webserver on a nonstandard port e.g. 1234 and you have that forwarding to
your computer which is listening on port 80 for TSweb requests.

If the above is correct, then it would only show up if you were using a very
commonly known port or if someone were to perform a full port scan against
your computer. Typically those who do port scans for "open" machines either
scan for commonly known ports or set the port scanners to ping the target
first, if the target responds, then they would perform a condensed or full
scan.

In your instance, I would recommend using a random port above 1056 and a
port that is not commonly used by any services or trojans, use a strong
username and password, and make sure that only those accounts you wish to
use RDP are configured as allowed in XP.

Furthermore I would also recommend editing your group policy (if this is a
standalone computer), and enable auditing of logon events and account
logons. Go into your event viewer and allocate more space for the log files.
By enabling auditing, you can check from time to time to see if anyone is
attempting access to your computer.
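
An added example, not part of the original post: one way to review the audited logon events described above for password-guessing bursts against Remote Desktop. On Windows XP, Security log event 529 is a failed logon (unknown user name or bad password), 528 is a successful logon, and logon type 10 is a Remote Desktop session; the CSV column layout, account names and timestamps below are constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: a simplified CSV export of the Security event log.
# The column layout is an assumption; adapt it to your own export.
SAMPLE_LOG = """\
time,event_id,logon_type,account,workstation
2004-03-01 02:14:05,529,10,Administrator,HOST-A
2004-03-01 02:14:09,529,10,Administrator,HOST-A
2004-03-01 02:14:13,529,10,administrator,HOST-A
2004-03-01 02:14:18,529,10,Administrator,HOST-A
2004-03-01 02:14:22,529,10,Administrator,HOST-A
2004-03-01 08:00:02,529,10,owner,LAPTOP
2004-03-01 08:00:20,528,10,owner,LAPTOP
2004-03-01 09:30:00,529,2,owner,XPPRO
2004-03-01 11:00:00,529,10,guest,HOST-B
2004-03-01 15:00:00,529,10,guest,HOST-B
"""
FAILED_LOGON, SUCCESS_LOGON = 529, 528  # XP-era Security log event IDs
REMOTE_INTERACTIVE = 10                 # logon type used by Remote Desktop

def analyse(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts with >= threshold failed RDP logons inside any window."""
    events = {FAILED_LOGON: defaultdict(list), SUCCESS_LOGON: defaultdict(list)}
    for row in csv.DictReader(StringIO(log_text)):
        eid = int(row["event_id"])
        # Ignore console/network logons and unrelated events.
        if int(row["logon_type"]) != REMOTE_INTERACTIVE or eid not in events:
            continue
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        # Windows account names are case-insensitive, so normalise them.
        events[eid][row["account"].lower()].append(ts)
    findings = {}
    for account, times in events[FAILED_LOGON].items():
        times.sort()
        peak = start = 0
        for end, ts in enumerate(times):   # sliding window over failures
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # A success after the last failure deserves a closer look.
            later = any(s > times[-1] for s in events[SUCCESS_LOGON][account])
            findings[account] = {"failures": len(times),
                                 "peak_in_window": peak, "success_after": later}
    return findings

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A burst followed by `success_after: True` is the case to investigate first; a single failure followed by a success, as for the constructed `owner` account, is usually just a mistyped password.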
 
Mike

done & done! login auditing is enabled. My port was(is) a random port
above 1056. Further, I am the only account on the xppro box and I have a
"strong" password...though the user name would not be considered strong.

With this in place, my understanding of your response is that I should be
reasonably secure.
Not being a malicious hacker, I don't get why, if you're going to try to
find an open port, you wouldn't do a full port scan. Yes I have port
forwarding thru my hardware firewall to a random port above 1056, but why
wouldn't a malicious hacker just scan all ports? And when they found one,
begin an assault.

Is that the way it works? Is my protection really just an obscure port and
a strong password (plus login auditing etc.).

Thanks for helping me understand how to protect myself.
 
Nobody

Mike said:
done & done! login auditing is enabled. My port was(is) a random port
above 1056. Further, I am the only account on the xppro box and I have a
"strong" password...though the user name would not be considered strong.

With this in place, my understanding of your response is that I should be
reasonably secure.
Not being a malicious hacker, I don't get why, if you're going to try to
find an open port, you wouldn't do a full port scan. Yes I have port
forwarding thru my hardware firewall to a random port above 1056, but why
wouldn't a malicious hacker just scan all ports? And when they found one,
begin an assault.

Is that the way it works? Is my protection really just an obscure port and
a strong password (plus login auditing etc.).

Thanks for helping me understand how to protect myself.

Your setup as described will be as reasonably secure as you can currently
obtain.

The primary reason for not scanning all ports is time. It takes a great deal
of time to port scan all ports, as we are not just talking 65,535 ports.
TCP/IP can use either TCP or UDP depending on the type of service running. A
thorough scan would scan for both TCP and UDP services. This would mean a
person or "hacker" would have to scan 65,535 UDP and 65,535 TCP ports for a
total of 131,070 ports for a single computer.

To further illustrate, if a hacker could use a port scanner and
theoretically scan 100 ports per second, that would mean it would take 21
to 22 minutes to complete a scan on one computer. Typically a hacker looking
for a target isn't going to scan that fast as he/she would scan slower to
not trigger any Intrusion Detection Systems in place. It would take days
or at least a week to perform a slow enough scan to avoid being detected.

As simple as it may sound, yes your protection is just an obscure port and
strong password. But what you are really avoiding here are the masses of
script kiddies out there looking for a computer to crack for fun or to prove
to themselves they can do it. The only real danger at this point to your
system from the Internet would be a more determined "Cracker" who is out to
do real damage or use your computer as a "zombie".
 
Mike

well...I've learned a lot. Thanks! With log on auditing enabled, if I ever
see that someone is making attempts, I can always disappear with a different
port forwarding.
 
