Darren’s back in the kitchen with an illustrated scenario of online brute forcing every systems administrator’s beloved remote desktop. He whips up some homemade chicken noodle soup and tosses on the ol’ white hat for a talk about countermeasures and security best practices. Then Matt brings you a full-featured and aggressively priced alternative to Microsoft’s own Terminal Service. Do I hear cheap thin clients around the corner?
Online Brute Force Countermeasures And Chicken Noodle Soup
Similar in function to SSH, Remote Desktop Protocol is one of the essential tools for administering Microsoft Windows servers. The natively encrypted service comes standard on Windows Server and even XP Pro and Vista. It also serves as the example for a brief follow-up to my previous segment on Offline Brute Forcing.
In my scenario I demonstrate how the tool TSGrinder can be used to perform dictionary attacks against RDP services with character substitution (or leet) options. This attack simply demonstrates a few weaknesses in Windows.
First of all, by default the Administrator account cannot be locked out remotely. This behavior can be changed using the Passprop utility from the Windows 2000 Resource Kit, which will also let you enforce strong passwords. It is also recommended that the Administrator account be renamed; there are a few tools for this as well. Though more obscurity than security, I recommend changing the RDP listen port. I strongly recommend reviewing Microsoft’s password best practices and considering passphrases. PasswordMeter.com is a nice site that will rate your password on complexity. Finally, I recommend enabling extensive auditing. There are a number of third-party security applications made specifically for auditing that offer alerting on events such as online brute force attempts. One application in particular, 2X SecureRDP, offers advanced filtering of RDP connections based on IP and MAC addresses. I’m particularly interested in hearing your feedback on extensive auditing software for Windows, so please drop me a line, darrenAThak5.0rg!
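As an added illustration of the auditing and alerting recommendation above (example code written for these notes, not from the show or from any product mentioned), here is a small Python detector that reads failed-logon records in the shape of Windows Security Event ID 4625 (Vista and later; the equivalent on Windows 2000/XP/2003 is 529), keeps only RDP failures (logon type 10, RemoteInteractive), and raises an alert when one source address racks up too many failures inside a sliding time window. The pipe-delimited record layout, field names, thresholds, sample addresses and account names are all constructed assumptions for the example, not a Windows export format.

```python
"""Added example: flag online brute-force attempts against RDP from
failed-logon records.  The record layout (timestamp|event_id|logon_type|
account|source_ip), the thresholds and the sample data are assumptions
made for this illustration, not a real Windows log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records.  Event 4625 = failed logon.
# Logon type 10 = RemoteInteractive (RDP); type 3 (network) is included
# as noise that the detector must ignore.  Addresses are documentation ranges.
SAMPLE_LOG = """\
2007-03-01T02:14:01|4625|10|Administrator|203.0.113.7
2007-03-01T02:14:03|4625|10|Administrator|203.0.113.7
2007-03-01T02:14:04|4625|10|Administrator|203.0.113.7
2007-03-01T02:14:06|4625|10|admin|203.0.113.7
2007-03-01T02:14:08|4625|10|Administrator|203.0.113.7
2007-03-01T02:14:09|4625|10|Administrator|203.0.113.7
2007-03-01T02:15:30|4625|3|backup|192.168.1.20
2007-03-01T02:20:00|4625|10|darren|192.168.1.55
2007-03-01T03:10:00|4625|10|darren|192.168.1.55
"""

FAILED_LOGON = 4625          # assumed event id for a failed logon
RDP_LOGON_TYPE = 10          # RemoteInteractive
THRESHOLD = 5                # failures from one source inside the window
WINDOW = timedelta(minutes=5)


def parse_record(line):
    """Split one pipe-delimited record into typed fields."""
    ts, event_id, logon_type, account, source_ip = line.split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "source_ip": source_ip,
    }


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: alert} for sources that exceed `threshold` failed
    RDP logons within any sliding `window`.  Each alert records when the
    burst started, when it crossed the threshold, the running failure count
    and the set of accounts tried (a spread of accounts suggests spraying,
    a single account suggests a dictionary run)."""
    recent = defaultdict(deque)   # source_ip -> timestamps inside the window
    targeted = defaultdict(set)   # source_ip -> accounts attempted
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["event_id"] != FAILED_LOGON or rec["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only failed RDP logons count
        ip = rec["source_ip"]
        q = recent[ip]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop events that aged out
            q.popleft()
        targeted[ip].add(rec["account"])
        if ip in alerts:
            alerts[ip]["failures"] += 1   # keep counting after the alert fired
        elif len(q) >= threshold:
            alerts[ip] = {
                "first_seen": q[0],
                "triggered_at": rec["ts"],
                "failures": len(q),
                "accounts": targeted[ip],
            }
    return alerts


def format_alert(ip, alert):
    """One human-readable line per alerting source."""
    accounts = ", ".join(sorted(alert["accounts"]))
    return (f"ALERT {ip}: {alert['failures']} failed RDP logons since "
            f"{alert['first_seen'].isoformat()} (threshold crossed at "
            f"{alert['triggered_at'].isoformat()}); accounts tried: {accounts}")


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(format_alert(ip, alert))
```

Run as-is it reports only 203.0.113.7: the two failures from 192.168.1.55 are fifty minutes apart and never share a window, and the network-logon failure from 192.168.1.20 is not RDP at all. The `accounts` set is the detail worth alerting on given the lockout discussion above: repeated failures against Administrator from one address are exactly the case a default lockout policy will not stop for you.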
And my final recommendation on securing RDP is to limit its exposure by keeping TCP 3389 (or whatever port you’ve changed it to) closed. A little SSH tunneling or VPNing can go a long way toward keeping unnecessary services away from the wild wild web. I’ve laid the foundation for this in a segment in 1×07 and will follow up with a more robust VPN segment soon. If you’ve got ideas, again, drop me a line.
Terminal Service Alternatives
The website is located at http://www.xpunlimited.nl, and there is a large list of benefits at http://xpunlimited.nl/benefits.html.
One of the really nice features is the ability to repurpose an old XP machine to use as a terminal server.
The setup couldn’t be easier and is pretty much a standard application installer. Customization is a very simple process, from limiting application launches to customizing the initial desktop, and even advanced functions which replicate the Microsoft Terminal Services security settings.
Questions or alternatives?