From: Scott Kammeyer (skammeyermobl.com)
Date: Tue May 22 2001 - 17:59:22 CDT
I would recommend using a nice administration kit called Dameware NT
Utilities. Dameware has a remote control module and does use Domain
Security for logons. http://www.dameware.com. They do have a trial for you
to check out.
From: Davis, Matt [mailto:matt.daviscountryfinancial.com]
Sent: Tuesday, May 22, 2001 1:05 PM
Subject: RE: Remote control of NTs
Unfortunately, VNC does not _strongly_ encrypt login passwords which allows
for the login information (including any text you send the actual machine
such as domain account passwords) to possibly be sniffed by outside parties.
Access to your VNC desktop generally allows access to your whole
environment, so security is obviously important. VNC uses a
challenge-response password scheme to make the initial connection: the
server sends a random series of bytes, which are encrypted using the
password typed in, and then returned to the server, which checks them
against the 'right' answer. After that the data is unencrypted and could, in
theory, be watched by other malicious users, though it's a bit harder to
snoop a VNC session than, say, a telnet, rlogin, or X session.
Although you can 'route' it through an SSH session for added security. Also,
VNC does not support NT Domain security which can increase administration
costs. Also, it uses 1 password and no user ID so it is harder if you have
multiple people who have access to specific servers (i.e. Alice can remote
control server1 and Bob can remote control server 2 but Bob can not remote
control server 1).
Remote Administration does raise some security concerns. But, if your
machine is 'root'ed through some other means, the attacker can easily
install a remote control utility of his choice (B.O., NetBus, etc).
Properly secured, it is no more an issue than any other service/daemon
running on the machine.
--
Matt Davis
Associate Client Server Business Support Analyst
COUNTRY Insurance & Financial Services
309-821-6288
mailto:matt.daviscountryfinancial.com
-----Original Message-----
From: Symen Mulders [mailto:symenmlakechamplain.com]
Sent: Tuesday, May 22, 2001 10:15 AM
To: FOCUS-MSSECURITYFOCUS.COM
Subject: Re: Remote control of NTs
VNC is very nice. You may want to try pcANYWHERE from Symantec, which works well aside from occasional stability issues. If you are running Windows 2000 servers, the OS now comes with a 2 user license for Terminal Services. This tool seems to work very well.
One important issue with remote administration of NT machines is the speed of the link between your workstations and your servers. Because you have to interact with a GUI to do anything to an NT system, the image of the desktop has to be relayed back to you regularly, which can saturate a link pretty easily. pcANYWHERE is probably the worst of the three at this. If remote administration is important and it isn't acceptable to saturate your link like this, it may be a better option to use some type of Unix with SSH, so you don't have the awkward necessity of a GUI (assuming your services aren't Windows-Specific).
Remote administration always introduces security issues. If you can fully control the machine from a remote location, an attacker can potentially do the same. No matter what application you choose to utilize, I strongly recommend filtering the ports it uses to only allow connections from your workstations that need to manage the servers. Also, if you are using User/Password authentication, delete any guest accounts and rename Administrator accounts to something else so that it is harder for an attacker to guess usernames. Also enforce a strong password policy, and change passwords regularly. All of these applications enforce some form of encryption on the link, so password-sniffing shouldn't be an issue - just make sure you are using the strongest encryption possible if it can be configured (I know it can in pcANYWHERE at least, possibly others).
----- Original Message -----
From: "Rivera Alonso, David" <driveraiberdrola.es>
>We are evaluating some tools to remotely manage NT servers. These servers
>are in the DMZ, and our desktops in the Intranet.
>I'd like to know your experience in this field, and which Tool is the best,
>from a security point of view, weight in the server, ease of use...
>At the moment, the one we like the most is VNC. Other opinions?
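
The challenge-response login described in Matt Davis's message above, sketched as an added example that is not part of the thread and is not VNC's own code. HMAC-SHA256 stands in for the cipher VNC uses, and the function and class names, the 16-byte challenge length and the sample values are assumptions; the sketch records what a passive observer sees on the wire during and after login.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 16  # assumed length of the server's random challenge


def respond(password: bytes, challenge: bytes) -> bytes:
    """Client side: key the server's challenge with the typed password.
    Stand-in primitive: HMAC-SHA256, not the cipher VNC actually uses."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class Server:
    """Hypothetical server holding one shared password and no user IDs."""

    def __init__(self, password: bytes):
        self._password = password
        self._challenge = None

    def new_challenge(self) -> bytes:
        self._challenge = os.urandom(CHALLENGE_LEN)
        return self._challenge

    def verify(self, response: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = respond(self._password, self._challenge)
        self._challenge = None  # assumption: each challenge is single use
        return hmac.compare_digest(expected, response)


def run_session(server: Server, password: bytes, typed: bytes):
    """Return (authenticated, wire); wire lists every payload an observer sees."""
    wire = []
    challenge = server.new_challenge()
    wire.append(("server->client", challenge))
    response = respond(password, challenge)
    wire.append(("client->server", response))
    ok = server.verify(response)
    if ok:
        # After login nothing is encrypted: typed text goes out as-is.
        wire.append(("client->server", typed))
    return ok, wire


if __name__ == "__main__":
    srv = Server(b"vncpass1")  # constructed sample password
    ok, wire = run_session(srv, b"vncpass1", b"DOMAIN\\alice:Secret!")
    print("authenticated:", ok)
    for direction, payload in wire:
        print(direction, payload)
```

The password never appears in the captured payloads, but the text typed after login does, which is the case for carrying the session inside an SSH tunnel.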