Remote Access Issues

Yimin Rong

We have a machine for which we must allow Remote Access (various
legacy applications are used which are incompatible with VNC,
pcAnywhere, etc). It is also used in the office during the day. As
with most of these kinds of setups, external attackers are using
various means to try to log in as Administrator and compromise the
machine (and failing!).

I can deal with that, but what's annoying is that when the attacker
tries to make the connection during regular business hours, the local
user is popped up a message indicating whether she should be logged
off. If she isn't at the desk, she will be logged out. The login
screen will say one process is running, guessing the Administrator
login prompt (?).

Is there a way to fix this? For example a script when she logs in to
turn off remote access, and another script when she locks or logs off
to turn it on again? I'm just worried in cases where the machine might
be shut off without the script being invoked.

The event logs don't show the IP address; if they did, I could maybe
block Remote Access to that IP, but then if the attackers are using
dynamic IPs, I may end up blocking legitimate users.

The legacy applications require Windows XP, so I can't upgrade to a
more secure O/S.

Any help or advice would be appreciated.

Regards,

Yimin
 
John John MVP

Something as simple as net stop or net start "remote access connection
manager" in a log off/log on script should take care of this.

Are your remote clients accessing the machine from a single location or
from different locations?

John
 
Yimin Rong

Would that handle the user locking the machine or going into
screensaver?

The remote clients are accessing the machine from a single location
under dynamic IP.

Regards,

Yimin
 
John John MVP

> Would that handle the user locking the machine or going into
> screensaver?

If the service is disabled when the user logs on then it doesn't matter
if the machine is locked or if the screensaver kicks in, the service
will still remain disabled because these events do not log off the user.

> The remote clients are accessing the machine from a single location
> under dynamic IP.

If you ask me it isn't very good news to have external attackers
constantly hammering at your machines trying to break in. With a simple
two-location scenario I find that getting a pair of half-decent
business-class VPN/Firewall appliances and sticking one at each end
takes care of these problems. The machines are hidden behind the
VPN/Firewall routing appliance and the two appliances establish a secure
tunnel between themselves; it's pretty difficult for anybody else to
even try to break into these appliances when they are properly set up.
To resolve the dynamic IP problem you can subscribe to a commercial or
free DNS service like OpenDNS.

John
 
John John MVP

> Something as simple as net stop or net start "remote access connection
> manager" in a log off/log on script should take care of this.

PS.

Note that no "Remote Access Connection Manager" = no internet and no
email. Also note that this service will start manually when needed, and
that Windows NT systems (especially from Windows 2000 and beyond) are
network "creatures" and they seek networks when they are booted. If you
really want to kill the "Remote Access Connection Manager" you will have
to set it to disabled, which may not be an acceptable solution for your
problem.

John
 
Yimin Rong

Thank you. What I did was follow the advice under
http://www.mobydisk.com/techres/securing_remote_desktop.html + added
Administrator to "Deny logon through Terminal Services" + tightened up
the firewall a bit. Seems to have done the trick. No interruptions and
no related warnings in the event logs.

Regards,

Yimin
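
One way to confirm that the "Deny logon through Terminal Services" change described in the post above is actually in the effective policy (an added example, not part of the original thread): export the user rights with `secedit /export /cfg rights.inf /areas USER_RIGHTS` and check the result offline. The sample export, SID values and function names below are constructed for illustration.

```python
import re

# Constructed sample of a `secedit /export /areas USER_RIGHTS` file
# (not taken from the thread). Entries are account names or *SIDs.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyRemoteInteractiveLogonRight = Guest,*S-1-5-21-1111111111-2222222222-3333333333-500
[Version]
signature="$CHICAGO$"
Revision=1
"""

DENY_TS = "SeDenyRemoteInteractiveLogonRight"  # "Deny logon through Terminal Services"
ADMIN_SID = re.compile(r"^\*S-1-5-21-\d+-\d+-\d+-500$")  # RID 500 = built-in Administrator


def privilege_rights(text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def admin_denied_rdp(text, admin_name="Administrator"):
    """True if the built-in Administrator is listed under the deny right,
    by account name or by a SID ending in RID 500 (covers a renamed account)."""
    for principal in privilege_rights(text).get(DENY_TS, []):
        if principal.lower() == admin_name.lower() or ADMIN_SID.match(principal):
            return True
    return False


def load_export(path):
    """Assumes secedit's default UTF-16 output; the BOM selects byte order."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    print("Administrator denied RDP logon:", admin_denied_rdp(SAMPLE_EXPORT))
```

Being listed under `SeRemoteInteractiveLogonRight` (the allow right) does not count here; only an entry under the deny right does, since the deny right takes precedence when an account holds both.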
 
John John MVP

Thanks for letting us know how you fixed it. For future reference
please note that Remote Access and Remote Desktop are not the same thing!

John
 
