Secure Remote Desktop

Thread starter: -1

I'd like to connect to my home Vista machine from my work using remote
desktop. However, I'm quite concerned about security and being able to access all
my personal files using just a password (even if it is a complex one).

How can I lock down remote desktop so that it is as close to being 100% hack
proof as humanly possible?

Thank you
 
Alan Jarvi has put together some good info on configuring and securing RDP,
here:
http://theillustratednetwork.mvps.org/RemoteDesktop/RDP6ConfigRecommendations.html

Some of Alan's XP info is also useful for Vista:
http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html

I have RDP'ed into my home machine from work for a few years now. The most
important issue I have found is just making sure my Internet Router at home
is well-secured. I have port forwarding enabled in the router, so I RDP to
my public IP address, and the router forwards the traffic to my desktop
machine (based on the RDP Port number). As a security measure - possibly
excessive, but like you I'm paranoid - I changed the RDP Port from 3389 to
another number. The router emails me the firewall logs, and I occasionally
grep them for port activity on my customised RDP port. Just to make sure
nothing untoward has happened.

So far, I don't think I've been compromised ... or if they have, they're
being very discreet about it :-)

You can get some background info on RDP client security at the Terminal
Services Team blog:
http://blogs.msdn.com/ts/archive/tags/TS+Client+Upgrade/default.aspx

Hope it helps,
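
Here is an added example, not from Andrew or anyone else in this thread, of the log check he describes: a PowerShell function that reads router firewall log lines, keeps only TCP connections to the custom RDP port, groups them by source address, and marks any source that is not one of the expected work addresses. The log line format, the port number 33890 and the work addresses are assumptions, and the sample lines are constructed; adapt the regular expression to whatever your own router emails you.

```powershell
# Added example (not from the original post): scan router firewall log lines
# for connection attempts to a custom RDP port and report each source,
# flagging any that is not one of the expected work addresses.
# Log format, port number and work IPs are assumptions.

$RdpPort = 33890                                  # non-default port the router forwards to the PC
$WorkIPs = @('203.0.113.10', '203.0.113.11')      # work proxy addresses (documentation range)

# Constructed sample lines in a common home-router syslog style.
$SampleLog = @'
Jul 27 08:19:31 router kernel: [FW] IN=ppp0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=51234 DPT=33890
Jul 27 08:19:40 router kernel: [FW] IN=ppp0 SRC=198.51.100.77 DST=192.0.2.5 PROTO=TCP SPT=4411 DPT=33890
Jul 27 08:19:41 router kernel: [FW] IN=ppp0 SRC=198.51.100.77 DST=192.0.2.5 PROTO=TCP SPT=4412 DPT=33890
Jul 27 08:20:02 router kernel: [FW] IN=ppp0 SRC=198.51.100.23 DST=192.0.2.5 PROTO=TCP SPT=3021 DPT=80
Jul 27 09:01:10 router kernel: [FW] IN=ppp0 SRC=203.0.113.11 DST=192.0.2.5 PROTO=TCP SPT=51300 DPT=33890
'@

function Find-RdpProbes {
    param(
        [string[]] $Lines,
        [int]      $Port,
        [string[]] $Allowed
    )
    # One regex for the three fields we care about; the rest of the line is ignored.
    $pattern = 'SRC=(?<src>\d{1,3}(?:\.\d{1,3}){3}).*?PROTO=(?<proto>\w+).*?DPT=(?<dpt>\d+)'

    $hits = foreach ($line in $Lines) {
        # -match fills $Matches, so the field checks after -and are safe.
        if ($line -match $pattern -and $Matches.proto -eq 'TCP' -and [int]$Matches.dpt -eq $Port) {
            $Matches.src
        }
    }

    # Group by source address and mark anything that is not a known work address.
    $hits | Group-Object | ForEach-Object {
        New-Object PSObject -Property @{
            Source   = $_.Name
            Attempts = $_.Count
            Expected = ($Allowed -contains $_.Name)
        }
    } | Sort-Object -Property @{Expression='Expected'; Ascending=$true},
                              @{Expression='Attempts'; Descending=$true}
}

$lines = $SampleLog -split "`r?`n" | Where-Object { $_ -ne '' }
# With the sample above: 198.51.100.77 (2 attempts, Expected False) is listed first,
# then the two work addresses with one attempt each and Expected True.
Find-RdpProbes -Lines $lines -Port $RdpPort -Allowed $WorkIPs | Format-Table -AutoSize
```

Anything with Expected = False is a connection attempt from an address you did not plan for; several attempts in quick succession from one such address is what a scan against the forwarded port looks like in these logs. Connections to other ports (the DPT=80 line above) are dropped from the report because the point of the check is the RDP port specifically.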
 
Also a solution for remoting into your home computer, which is a pricey
solution but pretty secure, is buying a hardware VPN router, setting up a
VPN and using software such as Symantec pcAnywhere. This is probably the
most secure way to do it.
 
Thanks for the links, they were a good read and worth implementing.

For work, I have a token which displays a 9 digit number that changes every
60 seconds. During the login process on a remote desktop session, I need to
enter the current number on the token to successfully login. This number is
only valid for 60 seconds before it expires.

Is there any kind of soft token that can be installed on my home and office
machine that would mirror this hardware token?
 
That's an expensive technology and I don't believe they offer a hardware
version of this. Personally speaking, I think you would be perfectly fine
with setting up a VPN at home.
 
If I understand VPN correctly, it is a tunnel that prevents people from
viewing the information that is encrypted within the tunnel.

The weakness with this method is at the ends of the tunnel which are
protected by username/password.

That's where my concern is that someone could discover my server and brute
force a u/p. I know the article on one of the other threads had some
suggestions on securing this, but if I could find a 2 factor solution, that
would give me peace of mind.
 
Andrew,

Thanks for the links... good stuff.

Lang
 
Well, I have been running a hardware VPN for about 2 years now and haven't
had any trouble. I even have a name service so if my IP changes I can still
access it; however, I do change the password on regular occasions just to be
safe. I guess in retrospect it really depends on what type of material you're
trying to protect. Keep in mind that thousands of businesses have VPNs set
up with multiple accounts accessing them and that it isn't often that people
actually get their accounts hacked. I'm not saying it's a perfect solution
because a hacker with a ton of knowledge can break into about anything, but
it's definitely pretty secure.
 
-1 said:
If I understand VPN correctly, it is a tunnel that prevents people from
viewing the information that is encrypted within the tunnel.
The weakness with this method is at the ends of the tunnel which are
protected by username/password.

You can use "defence in depth": there are many layers at which you can add
protection, besides passwords. For example, you can limit inbound
connections to those originating at certain IP addresses. If your workplace
has a single outbound proxy server IP address (or a limited set of outbound
proxy addresses), you could define an inbound filter rule on your home
router. This basically tells the router "don't accept *any* incoming
connections, unless they come from these specific IP addresses". Then,
unless the hacker is actually located inside your corporate network, they
won't get the chance to try entering any password - let alone, brute-forcing
it.

There's a matching loss of flexibility - it means you can't VPN in from
hotel rooms etc. But if you want to be secure, there's usually a trade-off
somewhere.

Even basic home routers have inbound filter rules these days, so you can get
quite creative.

-1 said:
That's where my concern is that someone could discover my server and brute
force a u/p.

Good choice of password is your best defence against brute force.
Internally, Windows can handle passwords up to 127 chars in length.
Unfortunately, some Windows dialogue boxes truncated the password at 34
chars - I'm not sure whether this was fixed in Vista or not (I suspect it
has). But even 34 chars allows a high degree of entropy. The secret is to
use a "pass phrase" rather than a password. So for example "I saw 27 leaping
buffoons today!". Phrases like these are easy to remember; almost impossible
to guess; can include numerals and punctuation chars for extra complexity;
and will take several million years to brute-force (this phrase is
particularly easy to remember, because there are so many leaping buffoons
around).

You can also set the lockout on failed password attempts in Windows. So
after say, 3 or 8 or 15 failed attempts, the account is locked out for a
specified period - 5 minutes, 24 hours, 1 week etc. This is debated,
somewhat: on the one hand, it absolutely prevents brute force attacks. On
the other hand, it allows a Denial-of-Service attack - if someone wants to
prevent you reaching your data, they just try a few fake passwords and lock
you out of your account. Anyway, just go to Control Panel, Administrative
Tools, Local Security and look under the Account Security settings.

-1 said:
I know the article on one of the other threads had some suggestions on
securing this, but if I could find a 2 factor solution, that would give me
peace of mind.

2 Factor authentication is very secure; but you are looking at a
considerable jump in cost. Most solutions are oriented towards corporate
networks; ie, the home user VPNs in to corp-net, rather than the other way
around, a corporate user VPNs back to their home PC. Being corporate
products, they are priced accordingly.

To use 2 factor authentication for your home PC, you'll need some kind of
server process to recognise and handle the authentication - either a server
running on your home network, like an IAS or RADIUS Server; or a hardware
router with built-in support for RADIUS or similar authentication. There
might be software agents which can run on your home PC itself ... but I
don't know of any such products (doesn't mean they don't exist; just that I
don't know of any). If you're shopping for solutions, avoid any which talk
about replacing the Windows "GINA" ("Graphical identification and
authentication") - the GINA architecture was radically changed in Windows
Vista; and password software designed for Windows XP or Windows 2003 almost
certainly won't run on Vista if the GINA is involved.

In the past I have worked with products from RSA and Gemplus, for inbound
corporate VPNs - they are both very high quality vendors. They might have
solutions for home users, too ... it's a place to start, anyway.

Other folks might have extra info - hope this helps a bit.
 
Thanks Andrew for such a detailed post. My router is very basic but I do
use Sygate firewall which does have mac address and ip filtering. That
should certainly lock down the connection to my pc.

When I went to look for an updated firewall from Sygate, they have been
bought out by Symantec and their firewall has been incorporated into a
suite of products.

Would you know of a new standalone firewall that offers IP and MAC filtering
and is Vista compatible?
 
Well ... it depends :-)

If you want a firewall that runs on your desktop PC at home, the Windows
Firewall built in to Vista is quite good. You can create custom filters
based on IP Address. The main trick to any sophisticated filtering with
Windows Firewall is that you need to go to Administrative Tools, and run
"Windows Firewall with Advanced Security". This opens a Firewall management
console, where you have complete control over the firewall's configuration.
Whereas, if you go to the Windows Firewall applet in Control Panel, you get
a simplified configuration interface, where you can configure only basic
rules. For most users, this is all they need; so it is right and proper that
the complexity be hidden away. But you may hear some replies saying "The
Windows Firewall is crap, use ZoneAlarm" or whatever. I suspect this is
usually because the respondents haven't explored the more full-featured
Windows Firewall management console. It offers everything you need. I don't
believe there have been any known compromises of the Windows Firewall, to
date (Zone Alarm *is* good, but why install software you don't need? that's
a security risk in itself, increases your attack surface)

At the very high "Data Centre" end of the spectrum, for example, the
firewall in Microsoft ISA Server ("Internet Security and Acceleration") is
rock-solid; ISA gives many hardware firewalls a run for their money. This
confirms that Microsoft can, in fact, write good firewall software!

I have Windows Firewall turned ON on my Vista PCs. But my main line of defence
against attacks from the Internet starts at the router. I don't want these
clowns even getting onto my home LAN, so that they come up against the
firewall on the PC. Stop them at the socket on the wall. So if you are
interested in spending money to get better security, I'd start by looking at
a recent firewall router with strong firewall features. There are a
multitude of options - Netgear, Dlink, SMC, Billion are all good names,
along with others too. Just as one example among many, the D-Link DIR-330:
http://www.dlink.com/products/?sec=1&pid=564
This has a VPN facility so you can amongst other things, VPN into your home
router.

FWIW I've run a D-Link router (different model) for > 12 months, and I'm
very happy with it. It's been great. Billion, SMC, Netgear et al, are also
excellent.

Filtering on MAC address is only useful to protect a machine against threats
on the same subnet. It does not protect you from attacks from the Internet.
When a TCP/IP packet passes across a router, it loses its original MAC
address information, and gets the address of the router instead. But, the
IP address always stays the same. So IP Filtering is much more useful (and
important) than MAC address filtering ... unless there's a user on your home
LAN you don't trust :-)

Hope this helps,
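
As an added example, not the configuration of anyone in this thread, the following PowerShell script applies on a Vista PC the layers discussed in the last two replies: it moves the RDP listener to a non-default port, restricts inbound connections on that port to a list of work addresses using Windows Firewall with Advanced Security (driven through netsh), logs dropped packets so probes are visible, and sets the account lockout policy. The port number 33890, the work addresses and the lockout values are assumptions; "Remote Desktop (TCP-In)" is the name of the stock inbound rule Vista ships with. Run it from an elevated prompt, and remember to change the router's port-forwarding entry to the new port.

```powershell
# Added example, not the original poster's configuration. Locks inbound RDP on
# a Vista PC down to a non-default port and a short list of work source
# addresses, turns on dropped-packet logging, and sets account lockout.
# Run from an elevated PowerShell prompt. Port and addresses are assumptions.

$RdpPort = 33890
$WorkIPs = '203.0.113.10,203.0.113.11'   # netsh takes a comma-separated list

# 1. Move the RDP listener off 3389. Takes effect after a reboot (or after
#    restarting the Terminal Services service). The router's port-forward
#    must point at this port too.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $RdpPort -Type DWord

# 2. Disable the stock rule, which allows 3389 from any address.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no

# 3. Allow the new port only from the work addresses. Anything that matches no
#    allow rule is dropped by the default inbound policy, so no block rule is
#    needed: a probe from elsewhere never reaches the logon prompt.
netsh advfirewall firewall add rule name="RDP from work only" dir=in action=allow `
    protocol=TCP "localport=$RdpPort" "remoteip=$WorkIPs" profile=any

# 4. Make sure the default inbound policy really is "block", and log dropped
#    packets to %systemroot%\system32\LogFiles\Firewall\pfirewall.log so that
#    probes against the PC show up alongside the router's logs.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable

# 5. Lockout: 10 bad passwords within 30 minutes locks the account for 30
#    minutes. A higher threshold keeps a nuisance lockout from an attacker
#    cheap to ride out while still capping an online guessing rate.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# Verify the result.
netsh advfirewall firewall show rule name="RDP from work only"
net accounts
```

Scoping the allow rule by remoteip gives, at the PC, the same effect as the inbound filter on the router described a few posts back: a connection from any other address is dropped before Windows offers a logon prompt, so a password guess is never attempted. Keeping both the router filter and the host rule means a mistake in one does not expose the port.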
 
Andrew McLaren said:
Filtering on MAC address is only useful to protect a machine against threats
on the same subnet. It does not protect you from attacks from the
Internet. When a TCP/IP packet passes across a router, it loses its
original MAC address information, and gets the address of the router
instead. But, the IP address always stays the same. So IP Filtering is much
more useful (and important) than MAC address filtering ... unless there's
a user on your home LAN you don't trust :-)

Let's say you have a router and several workstations each with a software
firewall that blocks all traffic except those workstations whose MAC
addresses are in an approved ACL (Access control list).

If someone was able to hack past the router, would that not make them now
local to the intranet and hence MAC filtering become a valid method of
preventing their access to the workstations on the intranet?
 
-1 said:
If someone was able to hack past the router, would that not make them now
local to the intranet and hence MAC filtering become a valid method of
preventing their access to the workstations on the intranet?

A frame's MAC address is only meaningful for the current Ethernet segment
(or in TCP/IP terms, the subnet). When a frame passes from one Ethernet
segment to another, or to another MAC-layer medium, its MAC address changes.
MAC addresses are just not a good way to identify packets that have
travelled a long distance.

If someone hacks past the router, their frames will now have the MAC address
of the router's LAN interface. If you exclude traffic with the MAC address
of the router, you'd be blocking all incoming traffic from the Internet (ie
you might as well switch off the router and cancel your broadband
subscription!).

In a corporate situation, you might want to exclude users who happen to be
on the same Ethernet switch, on the LAN; eg you might want to block access
to the payroll machine by front-office clerk's machines. MAC address
filtering is useful in these situations. On your home network ... well, it
would depend how much you trust your family and/or flatmates. Possibly, not
very much :-) But MAC address filtering will not give you any useful
protection from attacks coming in from the Internet, because *all* traffic,
good and bad, from the Internet, will have the local MAC address of the
router.

I guess, in theory, you may be able to define a rule that blocks any inbound
sessions which originate from the MAC address of the router, on the
assumption that no-one will be connecting to your machine from outside. But
your original goal was to RDP into your home machine from work; these RDP
frames will have the MAC address of the router, on the segment between the
router and your home PC. So such a rule would kill RDP.
 
I've taken your suggestions to heart and set up a workstation with remote
desktop and added all the suggestions you gave.

In one of the articles I read, it suggested to check the event viewer logs
to look for failed password attempts. As a test, I did enter the password
to my remote desktop incorrectly and then looked in event viewer, but did
not see anything in there. Would you know what tab it should be in?....I
did of course check all the tabs.
 
Did you enable Auditing, first? You need to turn on Auditing. There's info in
Alan Jarvi's XP article -

http://theillustratednetwork.mvps.org/RemoteDesktop/RemoteDesktopSetupandTroubleshooting.html

See the section entitled "Logging Remote Desktop connection information".
That article was written for XP but generally, the same info applies to
Vista.
 
Thanks Andrew....I've got auditing enabled. It's quite an eye opener to see
all the events that take place in the background. I see that no one has
tried my user id to log onto the pc, but there is an anonymous logon that
did concern me. Have you seen this before (listed below). This is the only
anon logon, but there are network, local and system events in the audit.

There are lots of connections via advapi. A search for this says it is a
Windows process but others say that it can be a virus, although an up to
date McAfee on my workstation does recognize this as a virus.

I was also wondering if you have any documentation on setting up Remote
Desktop via VPN? Although the pc that I remote into is in a secure location
and I have no worries, you can't be so sure about the network where I use my
laptop from which I start the remote desktop. I take it a VPN connection
would secure me against any potential sniffers on the network.


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 7/27/2007
Time: 8:19:31 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: james
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0xE93E)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name:
Logon GUID: {00000000-0000-0000-0000-000000000000}

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
-1 said:
There are lots of connections via advapi. A search for this says it is a
Windows process but others say that it can be a virus, although an up to
date McAfee on my workstation does recognize this as a virus.

Sorry, meant does not recognize this as a virus.
 
Yes. Windows NT (including under this heading NT, 2000, XP, Server 2003 and
Vista) is designed to be a platform for distributed processing. Unlike the
classical single-user, non-networked Windows 3.1 PC, or a minicomputer from
the 1980s, machines running current versions of Windows communicate with
other Windows machines, and with other network devices (such as UPnP
routers), all the time. This is normal behaviour; it's what makes Windows
good as a connected, network-aware platform. The downside is that a
security-conscious user will want to know what all these mysterious packets
are, flying across their network.

There are 2 ways to tackle this problem:

1) for the IT specialist working in a corporate IT department, Microsoft now
documents most of the "phone home" and peer-to-peer protocols. You can track
down details via the TechNet Security portal:
http://www.microsoft.com/technet/security/default.mspx
The "Windows Vista Security Guide" contains nearly everything you would want
to know about securing Vista:
http://www.microsoft.com/downloads/...ED-7F35-4E72-BFB5-B84A526C1565&displaylang=en


However, keeping up-to-date with network security is almost a full-time job.
And security poorly executed, can be as bad or worse than no security at
all. So ...

2) for the home user, and/or folks who are not full-time CISSP-certified
network engineers, you can "outsource" all the complexity of security to
trusted experts. For Windows, the best tool here is the Microsoft Baseline
Security Analyser:
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

MBSA is a free download. MBSA Version 2.1 is Vista-compatible. MBSA looks
over the configuration of your PC and highlights possible security
vulnerabilities. It does this using an XML config file which is regularly
updated by Microsoft. So as new vulnerabilities are discovered "in the
wild", MBSA becomes aware of them, and will check for these new
vulnerabilities on your PC.

MBSA is closely allied to Shavlik NetChk (actually, Microsoft OEM'ed a
version of NetChk from Shavlik, to create MBSA). You can get a free version
of the Shavlik tool, which is similar to MBSA but analyses more products; or
you can purchase the full Shavlik NetChk tool, which would give you an
industrial strength security analysis of your network (see
http://www.shavlik.com/products/netchk-limited.aspx). The free NetChk
Limited is suitable for home users; the full NetChk would probably be
extreme overkill.

The other tools you need to run on a regular basis are an antivirus (which
you already have) and a spyware tool, such as Windows Defender or Lavasoft
Ad-aware. Some anti-virus products have anti-spyware ability built-in - I'm
not sure about McAfee, maybe it does.

If you :
- run MBSA or an equivalent tool regularly, eg every week or month.
- keep your antivirus software current, and download the signature updates
regularly eg weekly;
- run an antispyware tool such as Defender or Ad-aware;

.... then you can have a high degree of confidence you are protected against
most vulnerabilities, without making it a full-time job for yourself.

Regarding the specific Event 540 - yes, this looks like some Windows service
communicating via a Named Pipe, or similar inter-process communication.
People sometimes advise that you can totally disable anonymous logon, to
prevent these events. That's true, but this advice is usually not based on
any real, practical experience. It can cause many things to suddenly stop
working on your network. Unlike Windows NT 4.0, etc, Windows Vista is
"secure by default": by and large you do not need to tweak a large number of
settings to make an out-of-the-box installation of Vista, secure; it already
*is* secure! The main thing you need to tweak is selective, controlled
weakening of security, to allow file-and-print sharing etc.

-1 said:
I was also wondering if you have any documentation on setting up Remote
Desktop via VPN? Although the pc that I remote into is in a secure
location and I have no worries, you can't be so sure about the network
where I use my laptop from which I start the remote desktop. I take it a
VPN connection would secure me against any potential sniffers on the
network.

Yes, a VPN will provide an encrypted tunnel between the two end-points;
secured by SSL, TLS or similar high-grade encryption. So there is little
opportunity for man-in-the-middle attacks. A VPN is at a lower level than
application layer connections like RDP - you can think of the VPN as a
highly secure "virtual" network cable, which you run from your laptop to the
destination network. If you made a VPN connection to your home LAN, you
could then run normal network operations over the network - Remote Desktop,
File Sharing , Printing etc, just as if it was on your local network (a bit
slower, of course). Windows has a built-in software VPN capability. Many
routers also offer VPN facilities. You'd use one or the other, not both.
VPNs are a huge topic ... I don't really have any good, specific references
for you, apart from a generic Google search:
http://support.microsoft.com/kb/929490
http://windowshelp.microsoft.com/Windows/en-US/Help/8bcd8c4c-7c00-451b-91db-465cfd7484a51033.mspx
http://windowshelp.microsoft.com/Windows/en-US/Help/f22a374f-929e-43bf-9583-de62942490e81033.mspx

If you need more information (quite likely) I'd suggest you start a new
thread in this newsgroup. Probably plenty other folks here have practical
advice on VPNs and Vista, and will be happy to contribute.

Hope it helps!
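
An added example, not from anyone in this thread, that covers both the earlier "did you enable auditing?" step and the Event 540 question above: it enables logon auditing with auditpol, then reads the Security log and separates anonymous NTLM network logons (the kind shown in the event quoted above) from logons with a real account, and lists failed attempts by source so a brute-force attempt stands out. Vista records logons as event 4624 (success) and 4625 (failure); 540 and 529 are the XP/2003-era equivalents, so the field parsing below targets the Vista message format. It assumes an elevated PowerShell 2.0 or later prompt; the function names are mine.

```powershell
# Added example, not code from the thread. Enables logon auditing, then
# summarises network (type 3) and RDP (type 10) logons from the Security log:
# anonymous NTLM logons by source, real-account logons, and failures by source.
# Assumes Vista-format 4624/4625 events and an elevated PowerShell 2.0+ prompt.

# 1. Turn on success and failure auditing for logons and confirm the setting.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /get /subcategory:"Logon"

# 2. Pull the fields we care about out of the free-text event message.
function ConvertFrom-LogonEvent {
    param($Event)
    $m = $Event.Message
    # "Account Name:" appears twice; the targeted account is the one after
    # "New Logon:" (4624) or "Account For Which Logon Failed:" (4625).
    $target = ($m -split 'New Logon:|Account For Which Logon Failed:')[-1]
    $type = if ($m -match 'Logon Type:\s+(\d+)') { [int]$Matches[1] } else { -1 }
    $acct = if ($target -match 'Account Name:\s+([^\r\n]+)') { $Matches[1].Trim() } else { '' }
    $pkg  = if ($m -match 'Authentication Package:\s+(\S+)') { $Matches[1] } else { '' }
    $src  = if ($m -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '' }
    New-Object PSObject -Property @{
        Time      = $Event.TimeGenerated
        EventId   = $Event.InstanceId
        LogonType = $type            # 3 = network (SMB, named pipes), 10 = RDP
        Account   = $acct
        Package   = $pkg             # NTLM, Kerberos, Negotiate ...
        Source    = $src
        Anonymous = ($acct -eq 'ANONYMOUS LOGON')
    }
}

function Get-LogonSummary {
    param([int] $Newest = 1000)
    Get-EventLog -LogName Security -InstanceId 4624, 4625 -Newest $Newest |
        ForEach-Object { ConvertFrom-LogonEvent $_ } |
        Where-Object { $_.LogonType -eq 3 -or $_.LogonType -eq 10 }
}

$logons = Get-LogonSummary

# Anonymous NTLM network logons are normal for Windows' own SMB and named-pipe
# traffic on the LAN. Look harder at any source address that is not on your LAN.
Write-Host "Anonymous network logons by source:"
$logons | Where-Object { $_.Anonymous -and $_.EventId -eq 4624 } |
    Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize

# Successful logons with a real account. An RDP session is type 10, so a type 10
# entry from a source you do not recognise is the one to worry about.
Write-Host "Successful non-anonymous logons:"
$logons | Where-Object { -not $_.Anonymous -and $_.EventId -eq 4624 } |
    Format-Table Time, LogonType, Account, Package, Source -AutoSize

# Failed logons by source and account: a brute-force attempt shows up here as
# many 4625s from one address long before it gets the password right.
Write-Host "Failed logons by source and account:"
$logons | Where-Object { $_.EventId -eq 4625 } |
    Group-Object Source, Account | Select-Object Name, Count | Format-Table -AutoSize
```

The split on "New Logon:" matters: the first Account Name in a 4624 message is the subject (often SYSTEM or the machine account), not the account that logged on, and reading the wrong one makes every remote logon look like a system event. If the firewall rule from the previous example is in place, the only successful type 10 logons should come from the work addresses, and any 4625 from elsewhere means the filter is not doing its job.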
 
