Need Security help please!
icroyal wrote: You can enable Remote Desktop on your box at home and RDP to it. If you're on a home router, make sure you get the public IP before you leave and make sure you forward port 3389 to the workstation's private IP address.
Ok, I need to be able to do the above without being left so open to attacks.
Any way to do this without buying an actual PIX firewall?
Please help me out. Any help is very much appreciated.
Thanks,
A+, MCP(270,290), CCNA 2008.
Working back on my CCNA and then possibly CCNP.
Comments
blackzone: Is your Windows box behind anything, or does it use a public IP directly?
There might be some way to attack the computer (I just don't know how).
Even if you use a public IP directly, you still need a password to log in.
Cessation: blackzone wrote: Is your Windows box behind anything, or does it use a public IP directly? There might be some way to attack the computer (I just don't know how). Even if you use a public IP directly, you still need a password to log in.
So basically I have this.
Internet > Modem > Router > Computer
Forwarded port 3389 to my private addy.
I just want to make sure I'm not too vulnerable.
blackzone: A few things to note: by default only members of the Administrators group can use RDP (you can add more groups).
Also by default, members of the Administrators group with an empty password can't log on using RDP (you can change this in the computer security settings).
So I can't really think of any easy way for an outside user to access your machine.
If you want, you can set up a Windows Server 2003 or Linux box as a gateway for your Windows box. That requires an additional computer though.
Another way is to use VMware, but by default Windows only supports one desktop, which means you can't have a VMware firewall open in the desktop you want to log in to (because you need to log out to log in over RDP). There are some Windows toys which allow multiple desktops though.
blackzone: Cessation wrote: So basically I have this. Internet > Modem > Router > Computer. Forwarded port 3389 to my private addy. I just want to make sure I'm not too vulnerable.
Well, I'm sure your router has some sort of firewall protection, right?
Maybe you can set up a rule so that only the computer you want can send RDP through the router (e.g. allow only the IP or IP subnet of your office to make RDP connections).
agustinchernitsky: Hello...
A good way to improve your security: change the default port...
RDP: 40000
You have to go into your registry and change the RDP port... then map the port from your router to your internal IP.... You will get better security (hackers will have to guess your port now).
sprkymrk: Setting up an RRAS server for a VPN is a possibility. Make the VPN connection first, then RDP through that.
On your router, you can set up a different port than 3389 to forward to your computer for RDP. Then when you want to connect, in the Computer box, type the computer name or the IP address of the computer that you want to connect to, followed by a colon and the port number that you want to use.
You can change the listening port to something other than 3389 by editing the registry on the computer you want to connect to.
http://support.microsoft.com/kb/306759/
Me slow typist, agustinchernitsky beat me!
All things are possible, only believe.
Sie: Guys, can I just ask a quick related question?
What software firewalls do you use?
I currently use the free version of ZoneAlarm but have got to a point where I need to configure specific open ports (I have set up RDP over another port using TSWeb). But the free version does not support this. So before I go and buy the full version, can you recommend another free one or a good paid-for one?
Cheers.
Foolproof systems don't take into account the ingenuity of fools
Cessation: agustinchernitsky wrote: A good way to improve your security: change the default port... RDP: 40000. You have to go into your registry and change the RDP port... then map the port from your router to your internal IP.... You will get better security (hackers will have to guess your port now).
Fantastic!
Thanks to all that posted. (Even Mr. sprkymrk the slow typist =P)
blargoe: Just changing the port number is what some people call "security by obfuscation". The kiddies will still figure out what you have open once they do a port scan on your IP address.
Leaving 3389 open leaves a couple of possibilities for a breach: 1) guessing the password for one of the accounts with Remote Desktop permissions; 2) a vulnerability in the Remote Desktop (actually Terminal Server) service that a hacker could exploit to take over your machine.
Me personally, I SSH into my Linux router and use tunneling to forward local ports on my work PC to the Remote Desktop at my house, but that's beyond the scope of this thread.
IT guy since 12/00
Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
Working on: RHCE/Ansible
Future: Probably continued Red Hat Immersion, possibly VCAP Design, or maybe a completely different path. Depends on job demands...
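blargoe's first breach scenario, guessing a password against an exposed 3389, is something you can watch for on the box itself. The following is an added example written for this page, not code from any poster: it walks failed-logon records from the Windows Security log and flags a source address that racks up several failed Remote Desktop logons inside a short window. Event IDs 529/4625 and Logon Type 10 are the real values; the one-line record format, the addresses, accounts and timestamps are constructed for the example and are not the Event Viewer's own export.

```python
"""Flag RDP password guessing in Windows Security log events.

Added example for this thread, not code from any poster. Failed
logons are EventID 529 (XP / Server 2003) or 4625 (Vista and
later); Logon Type 10 is RemoteInteractive, i.e. a Remote Desktop
session. The one-line-per-event format below is a constructed
simplification for the example, not the Event Viewer's own export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 4625}   # logon failure, old and new event IDs
RDP_LOGON_TYPE = 10              # RemoteInteractive (Terminal Services)

# Constructed sample records: time, event id, logon type, account, source address.
# 203.0.113.7 walks through common account names within a few seconds;
# 198.51.100.20 is a user who mistyped once (528 = successful logon on XP);
# 192.168.1.50 is a logon type 3 (network) failure, not RDP at all.
SAMPLE_LOG = """\
2008-03-10T22:01:05 529 10 Administrator 203.0.113.7
2008-03-10T22:01:06 529 10 administrator 203.0.113.7
2008-03-10T22:01:07 529 10 admin 203.0.113.7
2008-03-10T22:01:08 529 10 guest 203.0.113.7
2008-03-10T22:01:09 529 10 cessation 203.0.113.7
2008-03-10T22:01:10 529 10 root 203.0.113.7
2008-03-10T22:05:00 529 10 cessation 198.51.100.20
2008-03-10T22:05:20 528 10 cessation 198.51.100.20
2008-03-10T22:30:00 529 3 cessation 192.168.1.50
"""


def parse_event(line):
    """Split one constructed record into (time, event_id, logon_type, account, source)."""
    ts, event_id, logon_type, account, source = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            int(event_id), int(logon_type), account.lower(), source)


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source address that produced `threshold` or more
    failed RDP logons inside any `window`-long span.

    Each alert records when the run started, how many failures have been seen
    since, and which account names were tried; several distinct names from one
    source is password spraying rather than a forgotten password.
    """
    recent = defaultdict(deque)   # source -> (time, account) still inside the window
    alerts = {}                   # source -> alert dict
    for line in lines:
        if not line.strip():
            continue
        when, event_id, logon_type, account, source = parse_event(line)
        if event_id not in FAILED_LOGON_IDS or logon_type != RDP_LOGON_TYPE:
            continue
        q = recent[source]
        q.append((when, account))
        while when - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        alert = alerts.get(source)
        if alert is None:
            alerts[source] = {
                "source": source,
                "first_seen": q[0][0],
                "last_seen": when,
                "attempts": len(q),
                "accounts": {acct for _, acct in q},
            }
        else:
            alert["last_seen"] = when
            alert["attempts"] += 1
            alert["accounts"].add(account)
    for alert in alerts.values():
        alert["spraying"] = len(alert["accounts"]) >= 3
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        kind = "password spraying" if alert["spraying"] else "brute force"
        print(f"{alert['source']}: {alert['attempts']} failed RDP logons between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S} "
              f"({kind}: {', '.join(sorted(alert['accounts']))})")
```

The threshold and window are the knobs to tune: a single user mistyping twice never trips it, while a scanner working through a username list from one address does within seconds. Whatever the values, the alert is only as good as the log feeding it, so make sure failure auditing for logon events is actually switched on before relying on it.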
Cessation: blargoe wrote: I SSH into my Linux router and use tunneling to forward local ports on my work PC to the Remote Desktop at my house, but that's beyond the scope of this thread.
Sadly you are right. I could possibly get another machine, but that would require more time and effort than I think this might need.
I'll just change everything back when I'm not at school. That should limit the chances of anything happening.
blackzone: blargoe wrote: Leaving 3389 open leaves a couple of possibilities for a breach. 2) a vulnerability in the Remote Desktop (actually Terminal Server) service that a hacker could exploit to take over your machine.
Um... what vulnerability? How old is it? Did default XP SP2 or Server 2003 SP1 patch it?
blargoe: I wasn't referring to a recently published vulnerability. I was just saying the possibility of a vulnerability exists. It is, after all, Windows. Just because a bulletin hasn't been published doesn't mean that one cannot exist.
sprkymrk: blargoe wrote: Just changing the port number is what some people call "security by obfuscation". The kiddies will still figure out what you have open once they do a port scan on your IP address. Leaving 3389 open leaves a couple of possibilities for a breach: 1) guessing the password for one of the accounts with Remote Desktop permissions; 2) a vulnerability in the Remote Desktop (actually Terminal Server) service that a hacker could exploit to take over your machine.
Regarding your second point, a quick Google search found:
http://www.microsoft.com/technet/security/bulletin/MS05-041.mspx
http://www.securiteam.com/windowsntfocus/5EP010KG0G.html
Nothing new, but just a couple of examples to support your point.
agustinchernitsky: blargoe wrote: Just changing the port number is what some people call "security by obfuscation". The kiddies will still figure out what you have open once they do a port scan on your IP address.
Well, yes and no. First of all, there is no perfect security.
Second, as sprkymrk says, script kiddies will use nmap, Nessus or whatever automated scanner, which will by default scan the ports defined in its database. So if you use a very high port, i.e. 40000 for RDP, you know that an automated scanner won't detect that.
Now, of course, an advanced hacker or a kiddie with more attitude might try to scan all 65556 ports (that was the number, no?) and they will of course detect that something is running at 40000.
Another thing a friend of mine did... he swapped the telnet and SSH ports... so you can do the same here... run RDP on port 22 or 23... It will be detected as a telnet or SSH service.
Still, as always: defence in depth: use antivirus, strong passwords, modify user rights, do not use default accounts, and so on, so forth.
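Both blargoe's point that a port scan will still find a moved RDP service and agustinchernitsky's remarks about high ports and putting RDP on 22 or 23 come down to how a scanner recognises a service. The following added example, written for this page and not taken from any poster, identifies RDP by its opening handshake rather than by port number: it sends the X.224 Connection Request every RDP client starts with and parses the Connection Confirm a Terminal Server returns. The framing and flag values are from MS-RDPBCGR; the 192.0.2.10 target and the port list under __main__ are placeholders to replace with your own.

```python
"""Identify RDP by its protocol handshake, whatever port it listens on.

Added example for this thread, not code from any poster. Every RDP
client opens with an X.224 Connection Request inside a TPKT header
(MS-RDPBCGR 2.2.1.1); a Terminal Server answers with an X.224
Connection Confirm, either bare (XP / Server 2003 style, 11 bytes)
or followed by an RDP_NEG_RSP / RDP_NEG_FAILURE record (19 bytes).
Matching that reply identifies RDP on 22, 23, 40000 or anywhere else.
The target host and port list under __main__ are placeholders.
"""
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x0      # "standard RDP security": no TLS, no NLA
PROTOCOL_SSL = 0x1      # TLS
PROTOCOL_HYBRID = 0x2   # CredSSP, i.e. Network Level Authentication
PROTOCOL_NAMES = {PROTOCOL_RDP: "standard RDP security",
                  PROTOCOL_SSL: "TLS", PROTOCOL_HYBRID: "CredSSP/NLA"}

X224_CONNECTION_CONFIRM = 0xD0
NEG_RSP, NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER",
                 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}


def build_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header, X.224 Connection Request TPDU and an RDP_NEG_REQ asking for TLS or CredSSP."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)   # type, flags, length, requestedProtocols
    # LI counts everything after itself: CR code 0xE0, DST-REF, SRC-REF, class option, then neg_req
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224   # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Return a dict describing an X.224 Connection Confirm, or None if `data` is not one."""
    if len(data) < 11 or data[0] != 3 or data[1] != 0:
        return None                                        # not a TPKT v3 header
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    li, code = data[4], data[5]
    if tpkt_len != len(data) or li + 5 != tpkt_len or code != X224_CONNECTION_CONFIRM:
        return None
    result = {"rdp": True, "negotiation": "legacy", "selected_protocol": PROTOCOL_RDP}
    if tpkt_len == 19:                                     # a negotiation record follows
        ntype, flags, nlen, value = struct.unpack("<BBHI", data[11:19])
        if nlen != 8:
            return None
        if ntype == NEG_RSP:
            result.update(negotiation="response", selected_protocol=value, flags=flags)
        elif ntype == NEG_FAILURE:
            result.update(negotiation="failure", selected_protocol=None,
                          failure=FAILURE_CODES.get(value, f"0x{value:08x}"))
        else:
            return None
    elif tpkt_len != 11:                                   # bare confirm is exactly 11 bytes
        return None
    result["nla"] = (result["selected_protocol"] == PROTOCOL_HYBRID
                     or result.get("failure") == "HYBRID_REQUIRED_BY_SERVER")
    return result


def describe(info):
    """One-line summary of a parsed confirm for the scan report."""
    if info["negotiation"] == "failure":
        return f"negotiation failed: {info['failure']}"
    proto = info["selected_protocol"]
    return f"{info['negotiation']}, {PROTOCOL_NAMES.get(proto, hex(proto))}"


def probe_rdp(host, port, timeout=3.0):
    """Connect, send the request and classify the first reply; None if unreachable or not RDP."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request())
            reply = sock.recv(64)
    except OSError:
        return None
    return parse_connection_confirm(reply)


def scan_for_rdp(host, ports):
    """Map each port that answers with a Connection Confirm to its parsed result."""
    found = {}
    for port in ports:
        result = probe_rdp(host, port)
        if result:
            found[port] = result
    return found


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder address
    for port, info in scan_for_rdp(target, [22, 23, 3389, 40000]).items():
        print(f"{target}:{port} is RDP ({describe(info)})")
```

Run it from outside against your own public IP with the port list widened to `range(1, 65536)` and you see what a full sweep reveals regardless of where the listener was moved to; the same probe is what nmap's version detection does for you. The reply is also informative in its own right: a bare 11-byte confirm means the server offers only standard RDP security with no TLS or NLA negotiation at all, while a response selecting CredSSP, or a failure of HYBRID_REQUIRED_BY_SERVER, tells you NLA is in play.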