Windows Server 2000 and Terminal Server security issue


Guest

I have a setup where there is a Windows Server 2000 machine and a Terminal
Server in application mode, and a user doing remote access to the Terminal
Server from outside. Let's say that the remote PC accessing the Terminal
Server is infected with spyware, adware, a virus, a worm, or any other sort
of infection; will the network be infected? If so, how should I approach this
situation?
 

Steven L Umbach

Viruses and worms will not propagate over RDP like they can using file and
print sharing. However, if drive redirection is used and the user has write
access to folders on the TS, he could possibly put malicious content into
those folders knowingly or unknowingly. That does not mean that the TS will
be infected, though it could be if an administrator of the TS executed such
content for some reason. Best practice would be to routinely scan the TS for
malware.

Steve
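The drive-redirection exposure described above can be closed on the listener itself. The following is an added example, not code from the thread or from Microsoft: it audits and then disables client drive mapping on the standard RDP-Tcp listener through the per-listener fDisableCdm registry value (the same setting Terminal Services Configuration exposes as "Drive mapping" under Client Settings). It assumes you run it as an administrator on the Terminal Server, that the listener is the default RDP-Tcp, and that PowerShell is available on the box; the thread's Windows 2000 era predates PowerShell, so on that platform the same value is set with tscc.msc or regedit.

```powershell
# Added example (not from the thread): audit and disable client drive
# redirection on the RDP-Tcp Terminal Server listener.
# Assumptions: run as an administrator; the listener is the default RDP-Tcp.
# fDisableCdm = 1 means "client drive mapping disabled" for that listener.
# The group policy "Do not allow drive redirection" writes the equivalent
# value under HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
# and takes precedence over the listener setting.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-DriveRedirectionState {
    # Returns a short description of the current drive-mapping setting.
    $v = Get-ItemProperty -Path $listener -Name fDisableCdm -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 'Enabled (fDisableCdm absent, default)' }
    if ($v.fDisableCdm -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Disable-DriveRedirection {
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($listener, 'Set fDisableCdm = 1')) {
        Set-ItemProperty -Path $listener -Name fDisableCdm -Value 1 -Type DWord
    }
}

"Before: $(Get-DriveRedirectionState)"
Disable-DriveRedirection
"After:  $(Get-DriveRedirectionState)"
# The listener setting applies to new connections; sessions already
# established keep their redirected drives until the user logs off.
```

Turning drive mapping off does not remove the need for the routine malware scan Steve recommends, since clipboard transfer and anything the user downloads from inside the session are still ways for content to arrive on the TS; it just removes the easiest path, the one where a mapped infected drive is a click away in Explorer.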
 

karl levinson, mvp

Steven L Umbach said:
Viruses and worms will not propagate over RDP like they can using file and
print sharing. However if drive redirection is used and the user has write
access to folders on the TS he could possibly put malicious content onto
those folders knowingly or unknowingly. That does not mean that the TS
will be infected though it could be if an administrator of the TS executed
such content for some reason.

Agreed. A virus/worm infection or compromise on a TS client could allow a
remote attacker to access the TS server and the network it's connected to,
as if the password was compromised or a client on your internal network was
infected and being remotely controlled. If these TS clients are on a
network you control, you can reduce the risk of being remote controlled by
using a firewall with strong outbound filtering [e.g. blocking clients from
going directly out to the Internet for IRC, DNS, SMTP, HTTP, SSH, Telnet,
etc.] and, if possible, use a forwarding DNS server of your own and a proxy
server or application-proxying edge firewall that all clients are required
to use, to try to reduce the chance that covert control channels are
tunneled out through open ports.

You don't have much to worry about from adware and spyware in this
situation, those don't spread from computer to computer or grant attackers
remote access to the system.

Steven L Umbach said:
Best practice would be to routinely scan TS for malware.

... although this won't detect all compromises, such as leaks of information
or other attacker actions that don't involve malware. I'd also try to make
sure that TS clients are running antivirus and are patched and firewalled,
even if it's only by having users click on or sign an acceptable use policy.
You could use a patch management solution like WSUS, which is free,
especially for clients on an internal network or using VPN or remote
access that you control.

Or, for clients on an internal network or using VPN or remote access, it is
possible to use a NAC (Network Admission Control) solution such as Cisco NAC,
or similar solutions from Enterasys, Juniper, Sygate, etc. An 802.1x switch
and a central RADIUS server are used to put clients temporarily into an
isolated subnet, where they are then checked for patches. Cisco and other
solutions require you to purchase their own hardware. For clients using VPN,
Windows 2003 Server has a Quarantine Server feature that may do the same
thing for free.

If VPN is being used, it's typical to use the "split tunneling" feature so
that the VPN client severs all connections with other computers when the VPN
session is established. This greatly reduces the risk.
 
