From: Scott Kammeyer (skammeyermobl.com)
Date: Tue May 22 2001 - 17:59:22 CDT


    I would recommend using a nice administration kit called Dameware NT
    Utilities. Dameware has a remote control module and does use Domain
    Security for logons. http://www.dameware.com. They do have a trial for you
    to check out.

    -Scott Kammeyer
    Mobility Electronics
    Scottsdale, AZ

    -----Original Message-----
    From: Davis, Matt [mailto:matt.daviscountryfinancial.com]
    Sent: Tuesday, May 22, 2001 1:05 PM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: RE: Remote control of NTs

    Unfortunately, VNC does not _strongly_ encrypt login passwords which allows
    for the login information (including any text you send the actual machine
    such as domain account passwords) to possibly be sniffed by outside parties.

    From: http://www.uk.research.att.com/vnc/faq.html#q54

    Access to your VNC desktop generally allows access to your whole
    environment, so security is obviously important. VNC uses a
    challenge-response password scheme to make the initial connection: the
    server sends a random series of bytes, which are encrypted using the
    password typed in, and then returned to the server, which checks them
    against the 'right' answer. After that the data is unencrypted and could, in
    theory, be watched by other malicious users, though it's a bit harder to
    snoop a VNC session than, say, a telnet, rlogin, or X session.

    --endquote--

    Although you can 'route' it through an SSH session for added security. Also,
    VNC does not support NT Domain security which can increase administration
    costs. Also, it uses 1 password and no user ID so it is harder if you have
    multiple people who have access to specific servers (i.e. Alice can remote
    control server1 and Bob can remote control server 2 but Bob cannot remote
    control server 1).

    Final note:
    Remote Administration does raise some security concerns. But, if your
    machine is 'root'ed through some other means, the attacker can easily
    install a remote control utility of his choice (B.O., NetBus, etc).
    Properly secured, it is no more an issue than any other service/daemon
    running on the machine.

    --
    Matt Davis
    Associate Client Server Business Support Analyst
    COUNTRY Insurance & Financial Services
    309-821-6288
    mailto:matt.daviscountryfinancial.com
    

    -----Original Message-----
    From: Symen Mulders [mailto:symenmlakechamplain.com]
    Sent: Tuesday, May 22, 2001 10:15 AM
    To: FOCUS-MSSECURITYFOCUS.COM
    Subject: Re: Remote control of NTs

    VNC is very nice. You may want to try pcANYWHERE from Symantec, which works well aside from occasional stability issues. If you are running Windows 2000 servers, the OS now comes with a 2 user license for Terminal Services. This tool seems to work very well.

    One important issue with remote administration of NT machines is the speed of the link between your workstations and your servers. Because you have to interact with a GUI to do anything to an NT system, the image of the desktop has to be relayed back to you regularly, which can saturate a link pretty easily. pcANYWHERE is probably the worst of the three at this. If remote administration is important and it isn't acceptable to saturate your link like this, it may be a better option to use some type of Unix with SSH, so you don't have the awkward necessity of a GUI (assuming your services aren't Windows-Specific).

    Remote administration always introduces security issues. If you can fully control the machine from a remote location, an attacker can potentially do the same. No matter what application you choose to utilize, I strongly recommend filtering the ports it uses to only allow connections from your workstations that need to manage the servers. Also, if you are using User/Password authentication, delete any guest accounts and rename Administrator accounts to something else so that it is harder for an attacker to guess usernames. Also enforce a strong password policy, and change passwords regularly. All of these applications enforce some form of encryption on the link, so password-sniffing shouldn't be an issue - just make sure you are using the strongest encryption possible if it can be configured (I know it can in pcANYWHERE at least, possibly others).

    ----- Original Message -----
    From: "Rivera Alonso, David" <driveraiberdrola.es>

    >We are evaluating some tools to remotely manage NT servers. These servers
    >are in the DMZ, and our desktops in the Intranet.
    >I'd like to know your experience in this field, and which Tool is the best,
    >from a security point of view, weight in the server, ease of use...
    >At the moment, the one we like the most is VNC. Other opinions?
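
Added example, not part of the original thread: a small audit of firewall rules against the advice above to restrict remote-control ports to the workstations that manage each server, including the per-server case (Alice may control server1, Bob may not). The port numbers are the tools' usual default TCP ports and are not stated in the thread; all addresses, rules and the policy table are constructed.

```python
import ipaddress

# Usual default TCP ports of the tools named in the thread (assumption:
# defaults were not changed; VNC port is for display :0).
REMOTE_CONTROL_PORTS = {5900: "VNC", 5631: "pcANYWHERE", 3389: "Terminal Services"}

# Constructed policy: which intranet workstations may control which DMZ server.
ALLOWED_ADMINS = {
    "192.0.2.10": ["10.1.1.21/32"],   # server1: Alice's workstation only
    "192.0.2.11": ["10.1.1.22/32"],   # server2: Bob's workstation only
}

# Constructed firewall rules: (action, source network, destination host, TCP port)
RULES = [
    ("allow", "10.1.1.21/32", "192.0.2.10", 5900),  # Alice -> server1, matches policy
    ("allow", "10.1.1.0/24",  "192.0.2.11", 3389),  # whole intranet subnet: too broad
    ("allow", "10.1.1.22/32", "192.0.2.10", 5631),  # Bob -> server1: not permitted
    ("allow", "0.0.0.0/0",    "192.0.2.10", 80),    # web traffic, not remote control
    ("deny",  "0.0.0.0/0",    "192.0.2.11", 5900),  # deny rules admit nobody
]


def audit(rules, allowed_admins):
    """Return allow rules that expose a remote-control port to sources
    outside the management workstations permitted for that server."""
    findings = []
    for action, source, dest, port in rules:
        if action != "allow" or port not in REMOTE_CONTROL_PORTS:
            continue
        src = ipaddress.ip_network(source)
        permitted = [ipaddress.ip_network(n) for n in allowed_admins.get(dest, [])]
        # The rule is acceptable only if every source address it admits
        # falls inside one of the networks permitted for this server.
        if not any(src.subnet_of(p) for p in permitted):
            findings.append((dest, port, REMOTE_CONTROL_PORTS[port], source))
    return findings


if __name__ == "__main__":
    for dest, port, tool, source in audit(RULES, ALLOWED_ADMINS):
        print(f"{dest}:{port} ({tool}) reachable from {source}, outside policy")
```

Each rule is checked on its own, so rule ordering and shadowing by earlier rules are not modelled.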